Cyber Posture

CVE-2026-24343

High

Published: 10 February 2026

Published
10 February 2026
Modified
11 February 2026
KEV Added
Patch
CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0003 7.4th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-24343 is a high-severity XPath Injection (CWE-643) vulnerability in Apache Hertzbeat. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 7.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly mandates validation and sanitization of user-supplied inputs to prevent XPath injection by ensuring improper neutralization does not occur.

SI-2 Flaw Remediation good match
prevent

Requires timely remediation of flaws like CVE-2026-24343 through patching to version 1.8.0, eliminating the XPath injection vulnerability.

RA-5 Vulnerability Monitoring and Scanning good match
detectrespond

Enables vulnerability scanning to identify XPath injection issues in Apache HertzBeat and prioritizes their risk-based remediation.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

XPath injection in web-based monitoring app directly enables exploitation of the application over the network to achieve data access/manipulation or RCE.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Improper Neutralization of Data within XPath Expressions ('XPath Injection') vulnerability in Apache HertzBeat. This issue affects Apache HertzBeat: from 1.7.1 before 1.8.0. Users are recommended to upgrade to version 1.8.0, which fixes the issue.

Deeper analysisAI

CVE-2026-24343 is an Improper Neutralization of Data within XPath Expressions, known as XPath Injection (CWE-643), affecting Apache HertzBeat monitoring software. The vulnerability impacts versions from 1.7.1 up to but not including 1.8.0, where user-supplied input is insufficiently sanitized before being processed in XPath queries, allowing malicious payloads to alter query logic.

Attackers with low-privilege authenticated access (PR:L) can exploit this over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N), achieving high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H) without changing scope (S:U). This CVSS 3.1 score of 8.8 indicates potential for remote code execution or data manipulation, such as extracting sensitive configuration data or modifying monitoring alerts.

Apache advisories recommend upgrading to version 1.8.0, which resolves the issue through improved input validation. Details are available in the official Apache announcement at https://lists.apache.org/thread/b2k3jqwffrbo2sy6bl4n0f68kp8bfo1n and the OSS-Security mailing list at http://www.openwall.com/lists/oss-security/2026/02/09/4.

Details

CWE(s)
CWE-643

Affected Products

apache
hertzbeat
1.7.1 — 1.8.0

CVEs Like This One

CVE-2024-55532Same vendor: Apache
CVE-2026-31908Same vendor: Apache
CVE-2025-54466Same vendor: Apache
CVE-2026-40466Same vendor: Apache
CVE-2025-24783Same vendor: Apache
CVE-2025-66614Same vendor: Apache
CVE-2026-29146Same vendor: Apache
CVE-2025-59059Same vendor: Apache
CVE-2025-61622Same vendor: Apache
CVE-2025-33042Same vendor: Apache

References