LeakyCreds

CVE-2026-35546 - Vulnerability Analysis

Critical | CVSS: 9.8

Last Updated: April 17, 2026

Anviz CX2 Lite & CX7 - Unrestricted File Upload

Published: April 17, 2026 | Updated: April 17, 2026 | Remote Exploitable

Overview

Anviz CX2 Lite and CX7 contain an unrestricted file upload vulnerability: the devices accept crafted firmware archives, which lets unauthenticated attackers execute code and obtain a reverse shell.

Severity & Score

Severity: Critical
CVSS Score: 9.8
EPSS Score: 0.0% (Probability of exploitation in next 30 days)

Impact

Unauthenticated attackers can upload malicious firmware to execute code and gain remote shell access, leading to full system compromise.

Mitigation

Update to the latest firmware version provided by Anviz.

Social Media Activity (2 posts)

OffSequence
@offseq
Apr 17, 2026

⚠️ CRITICAL: Anviz CX7 & CX2 Lite firmware vuln (CVE-2026-35546) allows unauthenticated uploads — attackers can execute code & gain reverse shell. All versions affected. No mitigation yet. https://radar.offseq.com/threat/cve-2026-35546-cwe-306-in-anviz-anviz-cx7-firmware-147e04a2 #OffSeq #IoTSecurity #vulnerability


Details

CVE ID: CVE-2026-35546
Severity: Critical
CVSS Score: 9.8
Type: unrestricted_file_upload
Status: new
EPSS: 0.0%
Social Posts: 2

CWE

  • CWE-306

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

0.0% (Probability of exploitation in the next 30 days)