Home

Description

Sustainable Irrigation Platform (SIP) through version 5.2.16 contains a cross-site request forgery vulnerability that allows remote attackers to perform state-changing administrative actions by luring a logged-in administrator into visiting a malicious page that issues HTTP GET requests without CSRF token validation or origin verification. Attackers can trigger actions such as disabling the passphrase, rebooting the device, deleting programs, or installing plugins, with the default configuration exposing these endpoints to unauthenticated users due to no required passphrase and a default credential of 'opendoor'.

PUBLISHED Reserved 2026-06-30 | Published 2026-07-14 | Updated 2026-07-14 | Assigner VulnCheck




HIGH: 7.0CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

HIGH: 8.1CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

Problem types

Cross-Site Request Forgery (CSRF)

Product status

Default status
affected

Any version
affected

Credits

Anja Ivanovska of Zero Science Lab finder

References

www.zeroscience.mk/ (Zero Science Lab Advisory (ZSL-2026-5995)) technical-description exploit

www.vulncheck.com/...rm-csrf-via-administrative-get-requests third-party-advisory

cve.org (CVE-2026-58476)

nvd.nist.gov (CVE-2026-58476)

Download JSON