
Description

VINCE versions 3.0.38 and earlier do not properly verify the authenticity of the From address due to encoding confusion, and use the From address for automated actions such as ticket creation or ticket updates.

PUBLISHED Reserved 2026-05-07 | Published 2026-05-07 | Updated 2026-05-08 | Assigner certcc

Problem types

CWE-345: Insufficient Verification of Data Authenticity

Product status

Any version: affected

Credits

Thanks to Guillem Lefait (guillem@datamq.com) for reporting the issue (finder)

References

kb.cert.org/vince

github.com/CERTCC/VINCE

cve.org (CVE-2026-8142)

nvd.nist.gov (CVE-2026-8142)
