CVE-2026-33362

{"id": "CVE-2026-33362", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "44488dab-36db-4358-99f9-bc116477f914", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 4.0, "exploitabilityScore": 3.9}]}, "published": "2026-05-11T17:16:31.083", "references": [{"url": "https://github.com/xn0tsa/nobody-puts-baby-in-a-corner", "source": "44488dab-36db-4358-99f9-bc116477f914"}, {"url": "https://www.runzero.com/advisories/meari-sdk-hardcoded-cryptographic-keys-cve-2026-33362/", "source": "44488dab-36db-4358-99f9-bc116477f914"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "44488dab-36db-4358-99f9-bc116477f914", "description": [{"lang": "en", "value": "CWE-321"}]}], "descriptions": [{"lang": "en", "value": "In Meari IoT SDK builds embedded in CloudEdge 5.5.0 (build 220), Arenti 1.8.1 (build 220), and white-label Android apps <= 1.8.x (latest observed), multiple security-critical secrets are hardcoded and shared, including API signing material, password-transport keying, and service access keys."}], "lastModified": "2026-05-13T15:36:30.533", "sourceIdentifier": "44488dab-36db-4358-99f9-bc116477f914"}