PT-2026-25836 · Chargepoint · Chargepoint Home Flex

Published

2026-03-16

Updated

2026-04-21

CVE-2026-4157

CVSS v3.1

7.5

High

Vector

AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions ChargePoint Home Flex (affected versions not specified)

Description A severe issue exists in ChargePoint Home Flex that allows for remote code execution via command injection in the revssh service. This was discovered during the Pwn2Own competition and credited to Viettel Cyber Security. The vulnerability has a CVSS score of 7.5.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

RCE

OS Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-78

Related Identifiers

CVE-2026-4157

ZDI-26-197

Affected Products

Chargepoint Home Flex

PT-2026-25836 · Chargepoint · Chargepoint Home Flex

CVE-2026-4157

Weakness Enumeration

Related Identifiers

Affected Products

References · 6