CVE-2026-26342

moderate-risk

Published 2026-02-24

Tattile Smart+, Vega, and Basic device families firmware versions 1.181.5 and prior implement an authentication token (X-User-Token) with insufficient expiration. An attacker who obtains a valid token (for example via interception, log exposure, or token reuse on a shared system) can continue to authenticate to the management interface until the token is revoked, enabling unauthorized access to device functions and data.

Do I need to act?

0.35% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Affected Products (10)

Smart\+ Firmware

Tolling\+ Firmware

Smart\+ Speed Firmware

Smart\+ Traffic Light Firmware

Axle Counter Firmware

Vega53 Firmware

Vega33 Firmware

Vega11 Firmware

Basic Mk2 Firmware

Anpr Mobile Firmware

Affected Vendors

Tattile

References (3)

Product https://www.tattile.com/

VDB Entry https://www.vulncheck.com/advisories/tattile-smart-vega-basic-insufficient-sessi...

Vendor Advisory https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5976.php

/ 100

moderate-risk

Severity 32/34 · Critical

Exploitability 1/34 · Minimal

Exposure 16/34 · Moderate