PT-2026-25782 · Shenzhen Hereta Technology Co.+1 · Hereta Eth-Imc408M+1
Kazuma Matsumoto · Published 2026-03-16 · Updated 2026-03-17 · CVE-2026-29513
CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Hereta ETH-IMC408M firmware versions prior to 1.0.15
Description
The software contains a stored cross-site scripting issue that allows authenticated attackers to inject arbitrary JavaScript. The attack vector involves manipulating the Device Location field. Attackers can inject malicious scripts through the System Status interface. These scripts execute in the browsers of users viewing the status page because of a lack of input sanitization.
Recommendations
Update to a version newer than 1.0.15.
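For teams reviewing similar device web interfaces, the sketch below shows the stored-XSS pattern from the description next to its hardened form: validation when the Device Location value is saved, and HTML encoding every time it is rendered. It is an added example, not Hereta firmware code or part of the advisory; the function names, the 64-character limit and the allowed character set are assumptions, and the sample values are constructed.

```javascript
// Added illustration; not vendor code. All names and limits are hypothetical.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Output encoding for HTML text and quoted-attribute contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Layer 1: allow-list validation when the setting is saved.
// Assumed policy: letters, digits, space and a few punctuation marks, 1-64 chars.
const LOCATION_PATTERN = /^[\p{L}\p{N} .,_#\/()-]{1,64}$/u;

function validateDeviceLocation(value) {
  if (typeof value !== 'string') return { ok: false, reason: 'not a string' };
  const trimmed = value.trim();
  if (!LOCATION_PATTERN.test(trimmed)) {
    return { ok: false, reason: 'disallowed characters or length' };
  }
  return { ok: true, value: trimmed };
}

// Vulnerable pattern: the stored value is concatenated into markup unchanged,
// so any markup it contains is parsed by the viewer's browser.
function renderStatusUnsafe(location) {
  return '<tr><th>Device Location</th><td>' + location + '</td></tr>';
}

// Layer 2: encode at render time. This is the control that matters for
// stored XSS, because values saved before validation existed are still in
// the configuration and must not be trusted.
function renderStatusSafe(location) {
  return '<tr><th>Device Location</th><td>' + escapeHtml(location) + '</td></tr>';
}

// Constructed sample values.
const benign = 'Rack 4, Building B (2F)';
const hostile = '<script>alert(1)</script>';

console.log(validateDeviceLocation(benign));
console.log(validateDeviceLocation(hostile));
console.log(renderStatusUnsafe(hostile));
console.log(renderStatusSafe(hostile));
```

A Content-Security-Policy header that disallows inline scripts on the status page limits the impact if an encoding step is missed elsewhere in the interface.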
Fix
XSS
Weakness Enumeration
Related Identifiers
Affected Products
Hereta Eth-Imc408M
Eth-Imc408M Firmware