
CVE-2024-26477

Severity: High · Public PoC referenced

Published: 11 February 2026
Modified: 26 February 2026
CVSS v3.1 Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0006 (18.4th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-26477 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Statping-Ng (vendor: Statping-Ng). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 18.4th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2024-26477 is an information disclosure vulnerability (CWE-200) affecting Statping-ng version 0.91.0, a self-hosted status page and service monitoring application. The flaw allows an attacker to obtain sensitive information through a crafted request targeting the "api" parameter on the oauth, amazon_sns, and export endpoints. It has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with no requirements for authentication, privileges, or user interaction.

Any unauthenticated attacker with network access to a vulnerable Statping-ng instance can exploit this issue remotely with low complexity. By sending a specially crafted HTTP request to the affected endpoints, the attacker can extract sensitive data exposed via the "api" parameter, potentially including configuration details, credentials, or other internal information that could facilitate further attacks or reconnaissance.

References include proof-of-concept exploit code hosted at https://github.com/Ev3rR3d/Statping_Poc and https://github.com/Ev3rR3d/Statping_Poc/tree/main/CVE-2024-26477, demonstrating the vulnerability. Security practitioners should review the official Statping-ng repository at https://github.com/statping-ng/statping-ng and documentation site https://statping-ng.github.io/ for any patches, version updates, or mitigation guidance beyond the affected v0.91.0 release.


Vulnerability details

An issue in Statping-ng v.0.91.0 allows an attacker to obtain sensitive information via a crafted request to the api parameter of the oauth, amazon_sns, export endpoints.


Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1082 System Information Discovery (Discovery): An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.
T1552 Unsecured Credentials (Credential Access): Adversaries may search compromised systems to find and obtain insecurely stored credentials.
Why these techniques?

Direct remote exploitation of an unauthenticated information disclosure in a public-facing web application (T1190) to extract system/configuration data and credentials (T1082/T1552).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-26480 (same product: Statping-Ng)
CVE-2026-4020 (shared CWE-200)
CVE-2026-32596 (shared CWE-200)
CVE-2025-26001 (shared CWE-200)
CVE-2024-48125 (shared CWE-200)
CVE-2026-32609 (shared CWE-200)
CVE-2025-62188 (shared CWE-200)
CVE-2026-25146 (shared CWE-200)
CVE-2025-55190 (shared CWE-200)
CVE-2025-68438 (shared CWE-200)

Affected Assets

Vendor: statping-ng
Product: statping-ng
Version: 0.91.0

Mitigating Controls (NIST 800-53 r5)

Prevent (patch to a fixed release): Directly remediates the specific information disclosure flaw in Statping-ng v0.91.0 that allows unauthenticated attackers to extract sensitive data via crafted 'api' parameter requests to the oauth, amazon_sns, and export endpoints.

Prevent (AC-14, Permitted Actions Without Identification or Authentication): Restricts unauthenticated access to sensitive information by explicitly identifying and authorizing only the actions permitted on the vulnerable endpoints without identification or authentication.

Prevent (SI-10, Information Input Validation): Prevents exploitation through crafted HTTP requests to the 'api' parameter by validating information inputs at the oauth, amazon_sns, and export endpoints.
