VYPR
Vendor: ST Engineering IDirect

Products: 2
CVEs: 2
Across products: 3
Status: Private

Recent CVEs (2)

  • CVE-2026-38057 (high), Jul 2, 2026
    risk 0.53, cvss 8.1, epss

    The iDirect iQ200 does not validate CSRF tokens on state-changing API endpoints after authentication. The /api/reboot endpoint accepts POST requests authenticated solely by a session cookie that lacks the SameSite attribute. A remote attacker can host a malicious web page that,…

  • CVE-2026-38059 (high), Jul 2, 2026
    risk 0.49, cvss 7.5, epss

    The iDirect iQ200 exposes the /api/identity and /api/ REST API endpoints without authentication. An unauthenticated attacker with network access can retrieve sensitive device information including the serial number, Device ID (DID), Terminal Private Key identifier (TPK), MAC…