VYPR

iQ200

by ST Engineering IDirect

CVEs (1)

  • CVE-2026-38057higJul 2, 2026
    risk 0.53cvss 8.1epss

    The iDirect iQ200 does not validate CSRF tokens on state-changing API endpoints after authentication. The /api/reboot endpoint accepts POST requests authenticated solely by a session cookie that lacks the SameSite attribute. A remote attacker can host a malicious web page that,…