CVE-2026-24443 | THREATINT

Description

EventSentry versions prior to 6.0.1.20 contain an unverified password change vulnerability in the account management functionality of the Web Reports interface. The password change mechanism does not require validation of the current password before allowing a new password to be set. An attacker who gains temporary access to an authenticated user session can change the account password without knowledge of the original credentials. This enables persistent account takeover and, if administrative accounts are affected, may result in privilege escalation.

PUBLISHED Reserved 2026-01-22 | Published 2026-02-24 | Updated 2026-02-24 | Assigner VulnCheck

HIGH: 8.6CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-620 Unverified Password Change

Product status

Default status

unaffected

Any version before 6.0.1.20

affected

Credits

Kazuma Matsumoto, a security researcher at GMO Cybersecurity by IERAE, Inc. finder

VulnCheck coordinator

References

www.eventsentry.com/downloads/version-history release-notes patch

www.vulncheck.com/...-web-reports-unverified-password-change third-party-advisory

cve.org (CVE-2026-24443)

nvd.nist.gov (CVE-2026-24443)

Download JSON