PatchSiren

Anviz CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH Anviz CVE published 2026-04-16

CVE-2026-40461

CVE-2026-40461 is a high-severity integrity issue affecting Anviz CX2 Lite and CX7 products. According to CISA, unauthenticated POST requests can modify debug settings such as enabling SSH, creating unauthorized state changes that may enable later compromise. CISA also notes Anviz did not respond to coordination attempts.

HIGH Anviz CVE published 2026-04-16

CVE-2026-40434

CVE-2026-40434 is the subject of a CISA-published advisory for multiple Anviz products, with the described issue centered on CrossChex Standard. The flaw is a lack of source verification in the client/server channel, which can let an attacker on the same network inject TCP packets and alter or disrupt application traffic. The result is a high-impact integrity and availability risk, especially in environments where the p [truncated]

HIGH Anviz CVE published 2026-04-16

CVE-2026-40066

CVE-2026-40066 affects Anviz CX2 Lite and CX7 devices. According to CISA’s advisory, an attacker can upload an unverified update package that the device unpacks and executes as a script, leading to unauthenticated remote code execution. The advisory was published on 2026-04-16 and assigns a CVSS 3.1 score of 8.8 (HIGH).

HIGH Anviz CVE published 2026-04-16

CVE-2026-35682

CVE-2026-35682 is a high-severity issue disclosed by CISA on 2026-04-16 for Anviz products, with the supplied vulnerability description specifically naming CX2 Lite. The advisory says an authenticated command injection in a filename parameter can lead to arbitrary command execution, including starting telnetd, and result in root-level access. CISA also notes Anviz did not respond to coordination attempts, [truncated]

CRITICAL Anviz CVE published 2026-04-16

CVE-2026-35546

CVE-2026-35546 is a critical unauthenticated firmware-upload vulnerability affecting Anviz CX2 Lite and CX7. According to the CISA advisory, crafted archives can be accepted by the device, allowing an attacker to plant and execute code and obtain a reverse shell. The advisory was published on 2026-04-16 and rates the issue CVSS 9.8 (Critical).

MEDIUM Anviz CVE published 2026-04-16

CVE-2026-35061

CVE-2026-35061 is a medium-severity information disclosure issue reported by CISA for Anviz products, with the specific described impact on CX7 firmware: the most recently captured test photo can be retrieved without authentication. That can expose sensitive operational imagery. CISA published the advisory on 2026-04-16 and noted that Anviz did not respond to coordination attempts.

MEDIUM Anviz CVE published 2026-04-16

CVE-2026-33569

CVE-2026-33569 is a cleartext management exposure affecting Anviz CX2 Lite and CX7 products. CISA says administrative sessions occur over HTTP, allowing an on-path attacker to sniff credentials and session data and potentially compromise the device. The advisory was published on 2026-04-16 and notes that Anviz did not respond to CISA's coordination attempts.

MEDIUM Anviz CVE published 2026-04-16

CVE-2026-33093

CVE-2026-33093 is a medium-severity information exposure issue reported by CISA for Anviz products. The advisory says CX7 can accept an unauthenticated POST that triggers a photo capture from the device’s front-facing camera, which can reveal visual information about the deployment environment. CISA published the advisory on 2026-04-16 and notes that Anviz did not respond to coordination attempts.

HIGH Anviz CVE published 2026-04-16

CVE-2026-32650

CVE-2026-32650 is a high-severity credential exposure issue in Anviz CrossChex Standard. According to the CISA advisory, an attacker can manipulate the TDS7 PreLogin flow to disable encryption, which can send database credentials in plaintext and enable unauthorized database access. The supplied source does not indicate integrity or availability impact, but it does show a direct confidentiality risk to co [truncated]

MEDIUM Anviz CVE published 2026-04-16

CVE-2026-32648

CVE-2026-32648 is an unauthenticated information-disclosure issue in Anviz CX2 Lite and CX7. According to CISA’s advisory, affected devices can reveal debug configuration details such as SSH/RTTY status, which can help an attacker map the device and plan follow-on activity. The issue has a CVSS 3.1 score of 5.3 (Medium) and is most concerning where devices are reachable from untrusted networks or broadly expose [truncated]

HIGH Anviz CVE published 2026-04-16

CVE-2026-32324

CISA published ICSA-26-106-03 on 2026-04-16 for CVE-2026-32324, affecting Anviz CX2 Lite Firmware, CX7 Firmware, and CrossChex Standard. The advisory says the application embeds reusable certificate/key material, which can enable decryption of MQTT traffic and potential interaction with device messaging channels at scale. CISA rates the issue HIGH with a CVSS 3.1 score of 7.7.

MEDIUM Anviz CVE published 2026-04-16

CVE-2026-31927

CISA's advisory for CVE-2026-31927 describes an authenticated CSV upload flaw in Anviz CX7 that can be abused for path traversal and arbitrary file overwrite, including sensitive files such as /etc/shadow. The advisory notes that this can enable unauthorized SSH access when combined with debug-setting changes. The source record also lists Anviz CX2 Lite Firmware and CrossChex Standard in the product scope [truncated]