← back
CVE-2026-29513

Hereta ETH-IMC408M Stored XSS via Device Location

CVSS 5.1 MEDIUMEPSS 0.1%CWE-79
Hereta ETH-IMC408M firmware version 1.0.15 and prior contain a stored cross-site scripting vulnerability that allows authenticated attackers to inject arbitrary JavaScript by manipulating the Device Location field. Attackers can inject malicious scripts through the System Status interface that execute in browsers of users viewing the status page without input sanitation.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Affected products
Shenzhen Hereta Technology Co., Ltd. · Hereta ETH-IMC408M

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://web.archive.org/web/20250820105319/http://hereta.com/https://www.vulncheck.com/advisories/hereta-eth-imc408m-stored-xss-via-device-location