CVE-2024-26480
Published: 11 February 2026
Summary
CVE-2024-26480 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Statping-ng. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 5.9th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2024-26480 is an information disclosure vulnerability in Statping-ng version 0.91.0. The flaw enables an attacker to obtain sensitive information by sending a crafted request to the admin parameter. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and is associated with CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), as well as NVD-CWE-noinfo.
A remote, unauthenticated attacker can exploit this vulnerability over the network with low attack complexity and no user interaction required. Successful exploitation grants high-impact access to sensitive information without compromising integrity or availability.
Proof-of-concept code demonstrating the vulnerability is publicly available on GitHub at https://github.com/Ev3rR3d/Statping_Poc and https://github.com/Ev3rR3d/Statping_Poc/tree/main/CVE-2024-26480. For mitigation details, patches, or updates, consult the official Statping-ng repository at https://github.com/statping-ng/statping-ng and project site at https://statping-ng.github.io/.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-23748
Vulnerability details
An issue in Statping-ng v.0.91.0 allows an attacker to obtain sensitive information via a crafted request to the admin parameter.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct remote exploitation of public-facing web app for unauthorized sensitive data access via crafted admin parameter request.
Mitigating Controls (NIST 800-53 r5)
Enforces approved authorizations to prevent unauthenticated remote attackers from obtaining sensitive information via crafted requests to the admin parameter.
Validates information inputs to block crafted requests to the admin parameter that disclose sensitive information.
Identifies, reports, and remediates the specific software flaw in Statping-ng v0.91.0 enabling information disclosure.