CVE-2026-24443HIGH 8.8EPSS p36.5%

CVE-2026-24443CVE-2026-24443

Description

EventSentry versions prior to 6.0.1.20 contain an unverified password change vulnerability in the account management functionality of the Web Reports interface. The password change mechanism does not require validation of the current password before allowing a new password to be set. An attacker who gains temporary access to an authenticated user session can change the account password without knowledge of the original credentials. This enables persistent account takeover and, if administrative accounts are affected, may result in privilege escalation.

Scoring

CVSS 3.18.8 (HIGH)
VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS0.46% probability of exploitation · percentile 36.5% · 2026-06-18T12:00:27Z
Published2026-02-24
Last modified2026-02-26

Underlying weaknesses· 1

CWE-620

References

  1. https://www.eventsentry.com/downloads/version-history
  2. https://www.vulncheck.com/advisories/eventsentry-web-reports-unverified-password-change

1

TypeTargetConfidenceTier
WeaknessUnverified Password Changecwe-6200%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2025-64349
CVE
CVE-2026-42354
CVE
CVE-2025-54343
CVE
CVE-2026-42669
CVE
CVE-2025-54339
CVE
CVE-2025-48986
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.