VYPR
Vendor: Meari

Products: 6
CVEs: 5
Across products: 11
Status: Private

Recent CVEs (5)
  • CVE-2026-33362 | High | May 11, 2026
    risk 0.56 | cvss 8.6 | epss 0.00

    In Meari IoT SDK builds embedded in CloudEdge 5.5.0 (build 220), Arenti 1.8.1 (build 220), and white-label Android apps <= 1.8.x (latest observed), multiple security-critical secrets are hardcoded and shared, including API signing material, password-transport keying, and service…

  • CVE-2026-33356 | High | May 11, 2026
    risk 0.50 | cvss 7.7 | epss 0.00

    In Meari IoT Cloud MQTT Broker deployments running EMQX 4.x, any authenticated low-privilege account can subscribe to global wildcard topics and receive telemetry from devices the user does not own. The broker enforces publish restrictions but does not enforce equivalent…

  • CVE-2026-33361 | High | May 11, 2026
    risk 0.49 | cvss 7.5 | epss 0.00

    In Meari IoT SDK image handling (libmrplayer.so) as observed in CloudEdge 5.5.0 (build 220), Arenti 1.8.1 (build 220), and related white-label apps (<= 1.8.x), baby monitor ".jpgx3" files use reversible XOR over only the first 1024 bytes with a predictable key derivation model.

  • CVE-2026-33359 | High | May 11, 2026
    risk 0.49 | cvss 7.5 | epss 0.00

    In Meari IoT Cloud alert image storage on Alibaba OSS (latest observed; storage service version not disclosed), motion snapshots are retrievable without authentication, signed URLs, or expiry enforcement. URLs function as direct object references and remain valid beyond expected…

  • CVE-2026-33357 | High | May 11, 2026
    risk 0.49 | cvss 7.5 | epss 0.00

    In Meari client applications embedding "com.meari.sdk" (including CloudEdge 5.5.0 build 220, Arenti 1.8.1 build 220, and related white-label <= 1.8.x), the integrated call path to openapi-euce.mearicloud.com can be abused to retrieve WAN IP data for arbitrary devices. The root…