Peplink InControl 2 through 2.14.2 before 2026-06-03 allows use of a semicolon to bypass access-control rules for certain /rest/o/{orgId} endpoints.
References
| Link | Resource |
|---|---|
| https://drive.google.com/file/d/1MoZn73YkDGGpqOgaQbRU1hWVygr8VaxY/view | Exploit Third Party Advisory |
| https://drive.google.com/file/d/1MoZn73YkDGGpqOgaQbRU1hWVygr8VaxY/view | Exploit Third Party Advisory |
Configurations
History
02 Jul 2026, 14:21
| Type | Values Removed | Values Added |
|---|---|---|
| First Time |
Peplink intcontrol 2
Peplink |
|
| CPE | cpe:2.3:a:peplink:intcontrol_2:*:*:*:*:*:*:*:* | |
| References | () https://drive.google.com/file/d/1MoZn73YkDGGpqOgaQbRU1hWVygr8VaxY/view - Exploit, Third Party Advisory |
26 Jun 2026, 14:17
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://drive.google.com/file/d/1MoZn73YkDGGpqOgaQbRU1hWVygr8VaxY/view - |
26 Jun 2026, 13:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-06-26 13:16
Updated : 2026-07-02 14:21
NVD link : CVE-2026-57920
Mitre link : CVE-2026-57920
CVE.ORG link : CVE-2026-57920
JSON object : View
Products Affected
peplink
- intcontrol_2
CWE
CWE-551
Incorrect Behavior Order: Authorization Before Parsing and Canonicalization
