CVE-2026-23819 | THREATINT

Description

A vulnerability in the web-based management interface of Access Points running AOS-10 and AOS-8 Instant could allow an unauthenticated remote attacker to execute arbitrary JavaScript code in a victim's browser within the same local network. Successful exploitation could allow an attacker to compromise user data and potentially manipulate device configuration settings.

PUBLISHED Reserved 2026-01-16 | Published 2026-05-12 | Updated 2026-05-12 | Assigner hpe

HIGH: 8.8CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Product status

Default status

affected

10.8.0.0 (semver)

affected

10.7.0.0 (semver)

affected

10.4.0.0 (semver)

affected

8.13.0.0 (semver)

affected

8.12.0.0 (semver)

affected

8.10.0.0 (semver)

affected

Credits

Michael Messner reporter

Benedikt Kuehne reporter

Caio Adler Goncalves Farias reporter

Siemens Energy sponsor

References

support.hpe.com/...y?docId=hpesbnw05049en_us&docLocale=en_US

cve.org (CVE-2026-23819)

nvd.nist.gov (CVE-2026-23819)

Download JSON