CVE-2026-1997
moderate-risk
Published 2026-02-10
Certain HP OfficeJet Pro printers may expose information if Cross-Origin Resource Sharing (CORS) is misconfigured, potentially allowing unauthorized web origins to access device resources. CORS is disabled by default on Pro-class devices and can only be enabled by an administrator through the Embedded Web Server (EWS). Keeping CORS disabled unless explicitly required helps ensure that only trusted solutions can interact with the device.
Do I need to act?
- 0.01% chance of exploitation (EPSS score: low exploit probability)
- Not on CISA KEV list: no confirmed active exploitation reported to CISA
- Patch status unknown: check vendor advisories for fix availability and mitigation guidance
- CVSS 5.3/10, Medium (NETWORK / LOW complexity)
Affected Products (20)
M9L65A Firmware
K7S32A Firmware
K7S42A Firmware
T0G65A Firmware
K7S39A Firmware
J6X83A Firmware
K7S43A Firmware
K7S40A Firmware
K7S41A Firmware
J3P65A Firmware
J3P66A Firmware
J3P67A Firmware
G5J38A Firmware
Affected Vendors
References (1)
45 / 100 moderate-risk
Severity: 21/34 · High
Exploitability: 0/34 · Minimal
Exposure: 24/34 · High