Cyber Resilience

CVE-2024-26480

High · Public PoC

Published: 11 February 2026

Modified: 28 February 2026
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0002 (5.9th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-26480 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Statping-ng. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 5.9th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2024-26480 is an information disclosure vulnerability in Statping-ng version 0.91.0. The flaw enables an attacker to obtain sensitive information by sending a crafted request to the admin parameter. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and is associated with CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), as well as NVD-CWE-noinfo.

A remote, unauthenticated attacker can exploit this vulnerability over the network with low attack complexity and no user interaction. Successful exploitation has a high impact on confidentiality, exposing sensitive information, with no impact on integrity or availability.

Proof-of-concept code demonstrating the vulnerability is publicly available on GitHub at https://github.com/Ev3rR3d/Statping_Poc and https://github.com/Ev3rR3d/Statping_Poc/tree/main/CVE-2024-26480. For mitigation details, patches, or updates, consult the official Statping-ng repository at https://github.com/statping-ng/statping-ng and project site at https://statping-ng.github.io/.

Vulnerability details

An issue in Statping-ng v.0.91.0 allows an attacker to obtain sensitive information via a crafted request to the admin parameter.

CWE(s): CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), NVD-CWE-noinfo

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The flaw allows direct remote exploitation of a public-facing web application: a crafted request to the admin parameter yields unauthorized access to sensitive data.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-26477: Same product (Statping-ng)
CVE-2024-13796: Shared CWE-200
CVE-2025-25975: Shared CWE-200
CVE-2024-12142: Shared CWE-200
CVE-2025-25951: Shared CWE-200
CVE-2026-34297: Shared CWE-200
CVE-2026-24498: Shared CWE-200
CVE-2025-22828: Shared CWE-200
CVE-2026-23659: Shared CWE-200
CVE-2024-11282: Shared CWE-200

Affected Assets

Vendor: statping-ng
Product: statping-ng
Version: 0.91.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Enforces approved authorizations to prevent unauthenticated remote attackers from obtaining sensitive information via crafted requests to the admin parameter.

Prevent: Validates information inputs to block crafted requests to the admin parameter that disclose sensitive information.

Prevent: Identifies, reports, and remediates the specific software flaw in Statping-ng v0.91.0 enabling information disclosure.
