PatchSiren cyber security CVE debrief
CVE-2026-2752 Navtor CVE debrief
CVE-2026-2752 is a medium-severity vulnerability in Navtor NavBox that allows information disclosure via the /api/ais-data endpoint. A remote, unauthenticated attacker can send crafted requests to trigger an unhandled exception, causing the server to return verbose .NET stack traces. These error messages expose internal class names, method calls, and third-party library references (e.g., System.Data.SQLite), which may assist attackers in mapping the application's internal structure.
- Vendor: Navtor
- Product: NavBox
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-03-06
- Original CVE updated: 2026-06-15
- Advisory published: 2026-03-06
- Advisory updated: 2026-06-15
Who should care
Users of Navtor NavBox, particularly those using version 4.12.0.3 or earlier, should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The vulnerability has a CVSS score of 5.3 and is classified as CWE-209 (Generation of Error Message Containing Sensitive Information). It affects Navtor NavBox firmware versions prior to 4.16.2.4, specifically version 4.12.0.3.
Defensive priority
MEDIUM
Recommended defensive actions
- Upgrade to a patched version of Navtor NavBox (4.16.2.4 or later).
- Review and restrict access to the /api/ais-data endpoint.
- Monitor for suspicious activity and error messages.
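One way to implement the monitoring step, as an added example that is not vendor or PatchSiren code: a scan of reverse-proxy logs for /api/ais-data responses whose body contains .NET stack-trace markers. The JSON-lines log format, its field names (`client`, `path`, `status`, `body`), the function name and the `Example.*` class names are assumptions made for illustration.

```python
import json
import re

# .NET stack frames look like "   at Namespace.Class.Method(args)"
FRAME_RE = re.compile(r"^\s*at\s+([A-Za-z_][\w.`<>]*)\(", re.MULTILINE)
# Fully qualified exception type, e.g. System.FormatException
EXC_RE = re.compile(r"\b((?:[A-Za-z_]\w*\.)+\w*Exception)\b")
ENDPOINT = "/api/ais-data"  # endpoint named in the advisory

def find_stack_trace_leaks(log_lines):
    """Return one finding per logged ENDPOINT response whose body leaks a .NET trace."""
    findings = []
    for line in log_lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the scan
        if not isinstance(rec, dict):
            continue
        path = rec.get("path", "").split("?", 1)[0]  # ignore the query string
        if path.rstrip("/") != ENDPOINT:
            continue
        body = rec.get("body", "")
        frames = FRAME_RE.findall(body)
        exceptions = EXC_RE.findall(body)
        if not frames and not exceptions:
            continue
        # Dropping Class.Method leaves the namespace, which is what exposes
        # internal structure and third-party libraries to the client.
        namespaces = sorted({f.rsplit(".", 2)[0] for f in frames if f.count(".") >= 2})
        findings.append({"client": rec.get("client"), "status": rec.get("status"),
                         "exceptions": sorted(set(exceptions)), "namespaces": namespaces})
    return findings

# Constructed sample log; addresses are documentation ranges, Example.* names are invented.
SAMPLE_LOG = [
    json.dumps({"client": "203.0.113.7", "path": "/api/ais-data?x=1", "status": 500,
                "body": "System.FormatException: Input string was not in a correct format.\n"
                        "   at Example.Ais.AisController.Get(String id)\n"
                        "   at System.Data.SQLite.SQLiteCommand.ExecuteReader()\n"}),
    json.dumps({"client": "198.51.100.4", "path": "/api/ais-data", "status": 200,
                "body": "{\"vessels\": []}"}),
    "not-json garbage line",
    json.dumps({"client": "203.0.113.7", "path": "/api/status", "status": 500,
                "body": "   at Example.Other.Handler.Run()\n"}),
]

if __name__ == "__main__":
    for finding in find_stack_trace_leaks(SAMPLE_LOG):
        print(finding)
```

Any finding after upgrading to 4.16.2.4 or later indicates the endpoint is still returning verbose errors and should be investigated.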
Evidence notes
The CVE record and NVD detail pages provide additional information on this vulnerability.
Official resources
- CVE-2026-2752 CVE record (CVE.org)
- CVE-2026-2752 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: 56a186b1-7f5e-4314-ba38-38d5499fccfd - Third Party Advisory
- Mitigation or vendor reference: 56a186b1-7f5e-4314-ba38-38d5499fccfd - Vendor Advisory
CVE-2026-2752 was published on 2026-03-06T15:16:10.987Z and modified on 2026-06-15T17:15:18.200Z.