## Summary

CVE-2026-9509 is a HIGH severity (CVSS 8.7) unhandled exception vulnerability in Suprema BioStar 2 Server versions 2.9.8, 2.9.10, and 2.9.11. An unauthenticated remote attacker can cause a denial of service (DoS) by sending HTTP POST requests to the `/api/migration` endpoint, which triggers a failure halting critical processes. The system remains offline until manual restart, disabling access c [truncated]

## Summary

CVE-2026-9508 is a **critical** vulnerability (CVSS 4.0: 10.0) in Suprema BioStar 2 (versions 2.9.3–2.9.11) caused by incorrect permission settings on backup files. When an administrator configures the backup path within the NGINX webroot, backup ZIP files become publicly accessible via unauthenticated HTTP(S) requests to `/download/…`. This exposes highly sensitive data enabling server imperso [truncated]
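
A configuration audit for the condition described in CVE-2026-9508 can check whether a backup directory resolves to a location inside the web server's document root. The following is an added example, not code from Suprema or the advisory; the function names and the temporary directory layout are hypothetical, and the real BioStar 2 installation paths are not given on this page.

```python
import os
import tempfile

def is_inside(path, root):
    """True if path, after resolving symlinks and '..', lies at or under root."""
    real_path = os.path.realpath(path)
    real_root = os.path.realpath(root)
    try:
        # commonpath compares whole components, so a sibling such as
        # /srv/www-backups is not mistaken for a child of /srv/www.
        return os.path.commonpath([real_path, real_root]) == real_root
    except ValueError:  # e.g. paths on different drives on Windows
        return False

def audit_backup_path(backup_dir, webroot):
    """Return findings for a backup directory the web server could serve."""
    findings = []
    if not is_inside(backup_dir, webroot):
        return findings
    findings.append(("backup-dir-in-webroot", os.path.realpath(backup_dir)))
    for dirpath, _dirs, files in os.walk(backup_dir):
        for name in sorted(files):
            if name.lower().endswith(".zip"):
                findings.append(("servable-backup", os.path.join(dirpath, name)))
    return findings

def demo():
    """Constructed layout: a webroot, a safe directory, and a symlinked one."""
    base = os.path.realpath(tempfile.mkdtemp())
    webroot = os.path.join(base, "webroot")      # hypothetical document root
    inside = os.path.join(webroot, "backups")    # misconfigured backup path
    outside = os.path.join(base, "backups")      # backup path outside webroot
    os.makedirs(inside)
    os.makedirs(outside)
    open(os.path.join(inside, "sample_backup.zip"), "wb").close()
    link = os.path.join(base, "backup_link")     # looks safe, resolves inside
    os.symlink(inside, link)
    return {
        "outside": audit_backup_path(outside, webroot),
        "inside": audit_backup_path(inside, webroot),
        "symlink": audit_backup_path(link, webroot),
    }

if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

The symlink case matters because a backup path that appears to sit outside the webroot can still resolve to a directory the server will serve.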