PT-2026-44832 · Suprema+1 · Biostar 2+1

Published

2026-05-29

·

Updated

2026-05-29

·

CVE-2026-9508

CVSS v4.0

10

Critical

VectorAV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L
Name of the Vulnerable Software and Affected Versions Suprema BioStar 2 versions 2.9.3 through 2.9.11
Description Incorrect permission settings on a critical resource allow backup files to be publicly exposed when the administrator configures their path within the NGINX webroot. An attacker with network access can directly download backup ZIP files via the endpoint 'http(s)://[server]/download/...' without authentication. This leads to the disclosure of sensitive information, which may enable server impersonation, unauthorized database access, and lateral movement within the network.
Recommendations For versions 2.9.3 through 2.9.11, ensure that backup paths are not configured within the NGINX webroot to prevent public exposure of backup files.

Fix

Incorrect Permission

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-9508

Affected Products

Biostar 2
Nginx