CVE-2026-57920

Peplink InControl 2 through 2.14.2 before 2026-06-03 allows use of a semicolon to bypass access-control rules for certain /rest/o/{orgId} endpoints.
Configurations

Configuration 1 (hide)

cpe:2.3:a:peplink:intcontrol_2:*:*:*:*:*:*:*:*

History

02 Jul 2026, 14:21

Type Values Removed Values Added
First Time Peplink intcontrol 2
Peplink
CPE cpe:2.3:a:peplink:intcontrol_2:*:*:*:*:*:*:*:*
References () https://drive.google.com/file/d/1MoZn73YkDGGpqOgaQbRU1hWVygr8VaxY/view - () https://drive.google.com/file/d/1MoZn73YkDGGpqOgaQbRU1hWVygr8VaxY/view - Exploit, Third Party Advisory

26 Jun 2026, 14:17

Type Values Removed Values Added
References () https://drive.google.com/file/d/1MoZn73YkDGGpqOgaQbRU1hWVygr8VaxY/view - () https://drive.google.com/file/d/1MoZn73YkDGGpqOgaQbRU1hWVygr8VaxY/view -

26 Jun 2026, 13:16

Type Values Removed Values Added
New CVE

Information

Published : 2026-06-26 13:16

Updated : 2026-07-02 14:21


NVD link : CVE-2026-57920

Mitre link : CVE-2026-57920

CVE.ORG link : CVE-2026-57920


JSON object : View

Products Affected

peplink

  • intcontrol_2
CWE
CWE-551

Incorrect Behavior Order: Authorization Before Parsing and Canonicalization