Cyber Posture

CVE-2026-26234

Severity: High · Public PoC

Published: 12 February 2026
Modified: 20 February 2026
KEV Added: not listed
Patch: (no entry)
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0004 (13.7th percentile)
Risk Priority: 18 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-26234 is a high-severity Improper Neutralization of HTTP Headers for Scripting Syntax (CWE-644) vulnerability in Jung-Group Smart Visu Server firmware. Its CVSS v3.1 base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks the CVE at the 13.7th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and Drive-by Compromise (T1189). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated]

[prevent] SI-10 (Information Input Validation) requires validation of information inputs, including HTTP request headers. An application that honors X-Forwarded-Host only when the request arrives from its own trusted reverse proxy, and only when the value matches an allowlist of the hostnames it serves, cannot be made to build URLs for an attacker-chosen domain.

[prevent, detect] SC-7 (Boundary Protection) enforces boundary protection at external interfaces, enabling a web application firewall or reverse proxy to inspect and block manipulated request headers. Note that a proxy can only enforce this if it strips or overwrites any client-supplied X-Forwarded-Host before forwarding; otherwise the backend cannot tell an injected value from a legitimate one.

[prevent] CM-6 (Configuration Settings) mandates secure configuration settings that restrict or ignore untrusted proxy headers such as X-Forwarded-Host. Most web frameworks and reverse proxies expose this as an allowed-hosts list or a trusted-proxies list; deployments that do not sit behind a proxy should disable forwarded-header processing entirely.
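As an added illustration of the three controls above, the following is example code written for this page, not code from JUNG or the Smart Visu Server (whose internals are not described here). It contrasts the trusting host-resolution pattern that lets a client-supplied X-Forwarded-Host override the URL an application builds with a hardened version that honors the header only from a trusted proxy and only for allowlisted hostnames, then runs a simple allowlist check over proxy log lines. The hostnames, proxy network, log format and sample log lines are all constructed assumptions.

```python
"""Host resolution behind a reverse proxy: the trusting pattern that enables
X-Forwarded-Host abuse, a hardened alternative, and a proxy-log check.

Constructed example for this page; NOT JUNG Smart Visu Server code. The
hostnames, proxy network, log format and sample lines below are invented."""
import re
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Mapping, Optional, Tuple

# Deployment assumptions (hypothetical): the app knows which hostnames it
# serves (CM-6 allowed-hosts) and which network its reverse proxy lives in.
ALLOWED_HOSTS = {"visu.example.internal", "192.168.1.20"}
TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]


def _strip_port(host: str) -> str:
    # Hostnames and IPv4 only; bracketed IPv6 literals are out of scope here.
    return host.split(":", 1)[0].strip().lower()


def vulnerable_public_host(headers: Mapping[str, str]) -> str:
    """The pattern behind this vulnerability class: any client-supplied
    X-Forwarded-Host silently replaces the Host the app was reached on."""
    return _strip_port(headers.get("X-Forwarded-Host") or headers.get("Host", ""))


def hardened_public_host(headers: Mapping[str, str], peer_ip: str) -> Optional[str]:
    """SI-10 style: honor X-Forwarded-Host only when the TCP peer is a trusted
    proxy, take only the first hop of a comma-separated list, and fail closed
    (return None, i.e. answer 400) if the result is not one of our own hosts."""
    host = headers.get("Host", "")
    xfh = headers.get("X-Forwarded-Host")
    if xfh and any(ip_address(peer_ip) in net for net in TRUSTED_PROXIES):
        host = xfh.split(",")[0]
    host = _strip_port(host)
    return host if host in ALLOWED_HOSTS else None


def login_redirect(headers: Mapping[str, str], peer_ip: str,
                   hardened: bool) -> Tuple[int, Optional[str]]:
    """Build an absolute redirect target; returns (status, Location)."""
    host = (hardened_public_host(headers, peer_ip) if hardened
            else vulnerable_public_host(headers))
    if host is None:
        return 400, None  # reject rather than emit a URL for an unknown host
    return 302, f"https://{host}/login"


# Detection (SC-7): constructed proxy access-log format that records the
# forwarded host as xfh="...". Any value outside the allowlist is either a
# poisoning attempt or a misconfigured upstream; both deserve an alert.
_LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<ip>\S+) "(?P<req>[^"]*)" xfh="(?P<xfh>[^"]*)"')


def suspicious_forwarded_hosts(lines: Iterable[str]) -> List[Tuple[str, str]]:
    hits: List[Tuple[str, str]] = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m or not m["xfh"]:
            continue
        if _strip_port(m["xfh"].split(",")[0]) not in ALLOWED_HOSTS:
            hits.append((m["ip"], m["xfh"]))
    return hits


SAMPLE_LOG = [  # constructed, not real traffic
    '2026-02-13T10:00:01Z 10.1.2.3 "GET /" xfh="visu.example.internal"',
    '2026-02-13T10:00:02Z 203.0.113.5 "GET /login" xfh="evil.example"',
    '2026-02-13T10:00:03Z 203.0.113.5 "GET /" xfh="evil.example, visu.example.internal"',
    '2026-02-13T10:00:04Z 10.1.2.3 "GET /app" xfh=""',
]

if __name__ == "__main__":
    attacker = {"Host": "192.168.1.20", "X-Forwarded-Host": "evil.example"}
    print(login_redirect(attacker, "203.0.113.5", hardened=False))  # attacker's host wins
    print(login_redirect(attacker, "203.0.113.5", hardened=True))   # header ignored
    print(suspicious_forwarded_hosts(SAMPLE_LOG))
```

The hardened resolver deliberately returns None (a 400 response) rather than falling back to a default hostname when an allowlisted proxy forwards an unknown host: a silent fallback would hide a misconfigured proxy, and a cache in front of the application would still key the response on the attacker's host value.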

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1189 Drive-by Compromise Initial Access
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
Why these techniques?

A vulnerability in an Internet-facing server directly enables T1190; the resulting cache poisoning and malicious redirects then expose ordinary visitors to T1189 drive-by compromise.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

JUNG Smart Visu Server 1.1.1050 contains a request header manipulation vulnerability that allows unauthenticated attackers to override request URLs by injecting arbitrary values in the X-Forwarded-Host header. Attackers can manipulate proxied requests to generate tainted responses, enabling cache poisoning, potential phishing, and redirecting users to malicious domains.

Deeper analysis [AI-generated]

CVE-2026-26234 affects JUNG Smart Visu Server version 1.1.1050 and is a request header manipulation vulnerability: unauthenticated attackers can override the URLs the server builds for a request by injecting arbitrary values into the X-Forwarded-Host header. The flaw is mapped to CWE-644 (Improper Neutralization of HTTP Headers for Scripting Syntax), carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), and was published on 2026-02-12.

The vector reflects remote exploitation with low complexity and no privileges, but with user interaction required (UI:R): a victim must request the poisoned resource or follow the tainted link. By manipulating proxied requests, attackers generate tainted responses that enable cache poisoning, phishing, and redirection of users to malicious domains; the vector rates the resulting impact on confidentiality, integrity, and availability as High.

Advisories from VulnCheck (https://www.vulncheck.com/advisories/jung-smart-visu-server-improper-neutralization-of-http-headers-for-scripting-syntax) and Zero Science (https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5970.php) provide additional details on the vulnerability.

Details

CWE(s)
CWE-644 Improper Neutralization of HTTP Headers for Scripting Syntax

Affected Products

Jung-Group Smart Visu Server Firmware, versions 1.0.830 through 1.1.1050

CVEs Like This One

CVE-2026-26235 (same product: Jung-Group Smart Visu Server)
CVE-2026-26368 (same vendor: Jung-Group)
CVE-2026-26367 (same vendor: Jung-Group)
CVE-2025-64425 (shared CWE-644)
CVE-2026-26369 (same vendor: Jung-Group)
CVE-2026-26366 (same vendor: Jung-Group)
CVE-2026-33149 (shared CWE-644)
CVE-2025-70948 (shared CWE-644)
CVE-2026-26747 (shared CWE-644)
CVE-2025-52660 (shared CWE-644)
