VYPR

iQ-Series Terminals

by ST Engineering iDirect

CVEs (2)

  • CVE-2026-38057 | high | Jul 2, 2026
    risk 0.53 | cvss 8.1 | epss

    The iDirect iQ200 does not validate CSRF tokens on state-changing API endpoints after authentication. The /api/reboot endpoint accepts POST requests authenticated solely by a session cookie that lacks the SameSite attribute. A remote attacker can host a malicious web page that,…

  • CVE-2026-38059 | high | Jul 2, 2026
    risk 0.49 | cvss 7.5 | epss

    The iDirect iQ200 exposes the /api/identity and /api/ REST API endpoints without authentication. An unauthenticated attacker with network access can retrieve sensitive device information including the serial number, Device ID (DID), Terminal Private Key identifier (TPK), MAC…