Medium severity 4.8 · NVD Advisory · Published Jan 16, 2026 · Updated Apr 15, 2026

CVE-2026-20894

Description

Cross-site scripting vulnerability exists in multiple Network Cameras TRIFORA 3 series provided by TOA Corporation. If an attacking administrator configures the affected product with some malicious input, an arbitrary script may be executed on the web browser of a victim administrator who accesses the setting screen.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A stored cross-site scripting vulnerability in TOA TRIFORA 3 series network cameras allows an attacker with admin privileges to inject malicious scripts that execute in a victim administrator's browser.

Vulnerability Overview

CVE-2026-20894 is a cross-site scripting (XSS) vulnerability affecting multiple models in the TOA Corporation TRIFORA 3 series of network cameras. The flaw resides in the camera's configuration interface, where an attacking administrator can inject malicious input that is not properly sanitized. When a victim administrator accesses the affected settings screen, the injected script executes in their browser session [1].

Exploitation and Attack Surface

Exploitation requires the attacker to already possess administrative privileges on the camera. The attack is performed by configuring the device with crafted input, which is then stored and later rendered to other administrators. The CVSS v3.1 base score is 4.8 (Medium), with the vector AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N, indicating that the attack is network-exploitable, requires high privileges, and depends on user interaction [1].

Impact

A successful attack allows an attacker to execute arbitrary scripts in the context of the victim administrator's web browser. This can lead to session hijacking, defacement of the settings interface, or theft of sensitive information displayed on the screen. The impact is limited to the browser session and does not directly compromise the camera's OS or data [1].

Mitigation

TOA Corporation has released software updates to address this vulnerability. Users are advised to update their TRIFORA 3 series cameras to the latest firmware version as specified in the vendor's advisory. No workarounds are documented, and the vulnerability is not currently listed on CISA's Known Exploited Vulnerabilities (KEV) catalog [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

2
