CVE-2026-6180

Name of the Vulnerable Software and Affected Versions PaperCut MF (affected versions not specified)

Description A race condition occurs when processing badge-swipe data from specific HP multifunction devices. Under certain network conditions involving dropped packets and out-of-order sequence counters, the server may incorrectly process fragmented data chunks. If a sequence reset notification fails to reach the server, the server might reject the initial data chunk but erroneously accept subsequent chunks before a connection reset is completed. This results in the registration of a truncated badge ID string. In environments using custom badge-ID post-processing scripts, this truncated string could be transformed into a valid ID of another user, allowing unauthorized session establishment.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.