Cyber Resilience

CVE-2026-26234

Severity: High · Public PoC referenced

Published: 12 February 2026
Modified: 20 February 2026
KEV Added: not listed
Patch: none listed
CVSS Score (v4.0): 8.7 (High)
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0050 (38.6th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-26234 is a high-severity Improper Neutralization of HTTP Headers for Scripting Syntax (CWE-644) vulnerability in Jung-Group Smart Visu Server Firmware. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 38.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-26234 affects JUNG Smart Visu Server version 1.1.1050 and involves a request header manipulation vulnerability. The flaw enables unauthenticated attackers to override request URLs by injecting arbitrary values into the X-Forwarded-Host header. This improper neutralization of HTTP headers for scripting syntax, mapped to CWE-644, carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and was published on 2026-02-12.

Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no required privileges, though it necessitates user interaction. By manipulating proxied requests, they generate tainted responses that enable cache poisoning, potential phishing attacks, and redirection of users to malicious domains, resulting in high impacts to confidentiality, integrity, and availability.

Advisories from VulnCheck (https://www.vulncheck.com/advisories/jung-smart-visu-server-improper-neutralization-of-http-headers-for-scripting-syntax) and Zero Science (https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5970.php) provide additional details on the vulnerability.

Vulnerability details

JUNG Smart Visu Server 1.1.1050 contains a request header manipulation vulnerability that allows unauthenticated attackers to override request URLs by injecting arbitrary values in the X-Forwarded-Host header. Attackers can manipulate proxied requests to generate tainted responses, enabling cache poisoning, potential phishing, and redirecting users to malicious domains.

CWE(s)

CWE-644 Improper Neutralization of HTTP Headers for Scripting Syntax

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1189 Drive-by Compromise (Initial Access): Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.

Why these techniques?

A vulnerability in a public-facing server directly enables T1190 exploitation; cache poisoning and malicious redirects facilitate T1189 drive-by compromise against visitors.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-26235 · Same product: Jung-Group Smart Visu Server
CVE-2026-26368 · Same vendor: Jung-Group
CVE-2025-64425 · Shared CWE-644
CVE-2026-26366 · Same vendor: Jung-Group
CVE-2026-26369 · Same vendor: Jung-Group
CVE-2026-33149 · Shared CWE-644
CVE-2026-26367 · Same vendor: Jung-Group
CVE-2025-70948 · Shared CWE-644
CVE-2026-26747 · Shared CWE-644
CVE-2025-52660 · Shared CWE-644

Affected Assets

Jung-Group Smart Visu Server Firmware, versions 1.0.830 to 1.1.1050

Mitigating Controls (NIST 800-53 r5, AI)

SI-10 Information Input Validation (prevent): requires validation of information inputs including HTTP headers, directly preventing injection of arbitrary values into the X-Forwarded-Host header.

SC-7 Boundary Protection (prevent, detect): enforces boundary protection at external interfaces, enabling inspection and blocking of manipulated request headers by web application firewalls or proxies.

CM-6 Configuration Settings (prevent): mandates secure configuration settings that can restrict or ignore untrusted proxy headers like X-Forwarded-Host to mitigate manipulation vulnerabilities.
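The header-trust logic the SI-10 and CM-6 controls above describe, shown as an added example that is not code from the advisory or from the JUNG firmware: the unconditional "X-Forwarded-Host wins" pattern behind CWE-644 next to a hardened resolver that only honours the header from a known proxy and enforces a host allowlist, plus a detection hook for request logs. The hostnames, proxy address and sample request are constructed assumptions.

```python
import re
from typing import Mapping, Optional

# Constructed deployment values (assumptions, not from the advisory): the
# hostnames this server may legitimately be reached under, and the only
# reverse proxy whose forwarding headers are trusted.
ALLOWED_HOSTS = {"visu.example.internal", "visu.example.com"}
CANONICAL_HOST = "visu.example.internal"
TRUSTED_PROXIES = {"10.0.0.5"}
# DNS-style hostname plus optional port; anything else is not a host value.
HOST_RE = re.compile(
    r"^([a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)*)(?::\d{1,5})?$",
    re.I,
)

def vulnerable_host(headers: Mapping[str, str]) -> Optional[str]:
    """Pattern behind the advisory: X-Forwarded-Host, if present, wins unconditionally."""
    return headers.get("X-Forwarded-Host") or headers.get("Host")

def hardened_host(headers: Mapping[str, str], peer_ip: str) -> str:
    """Honour X-Forwarded-Host only from a trusted proxy, validate its syntax,
    and accept only allowlisted hosts; otherwise fall back to the canonical host."""
    candidate = headers.get("X-Forwarded-Host") if peer_ip in TRUSTED_PROXIES else None
    candidate = (candidate or headers.get("Host") or "").strip()
    m = HOST_RE.match(candidate)
    if m and m.group(1).lower() in ALLOWED_HOSTS:
        return candidate.lower()
    return CANONICAL_HOST  # untrusted peer, malformed value or unknown host

def redirect_target(host: Optional[str], path: str) -> str:
    """Absolute URL as it would appear in a Location header or a cached page link."""
    return f"https://{host}{path}"

def forwarded_host_alert(headers: Mapping[str, str], peer_ip: str) -> Optional[str]:
    """Detection hook: reason a request's X-Forwarded-Host is suspicious, or None."""
    xfh = headers.get("X-Forwarded-Host")
    if xfh is None:
        return None
    if peer_ip not in TRUSTED_PROXIES:
        return f"X-Forwarded-Host {xfh!r} from non-proxy peer {peer_ip}"
    m = HOST_RE.match(xfh.strip())
    if not m or m.group(1).lower() not in ALLOWED_HOSTS:
        return f"X-Forwarded-Host {xfh!r} is not an allowed host"
    return None

if __name__ == "__main__":
    # Constructed request: a direct client (not the proxy) supplying a forged header.
    req = {"Host": "visu.example.internal", "X-Forwarded-Host": "malicious.example"}
    print("vulnerable:", redirect_target(vulnerable_host(req), "/login"))
    print("hardened:  ", redirect_target(hardened_host(req, "203.0.113.9"), "/login"))
    print("alert:     ", forwarded_host_alert(req, "203.0.113.9"))
```

Header names are matched case-sensitively here for brevity; a real server normalises them before lookup.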
