CVE-2026-41446 - Vulnerability Analysis
Critical | CVSS: 9.8 | Last Updated: April 29, 2026
Snap One WattBox - Command Injection
Published: April 28, 2026 | Updated: April 29, 2026 | Remote Exploitable
Overview
Snap One WattBox 800 and 820 series firmware versions before 2.10.0.0 contain a command injection vulnerability caused by undisclosed diagnostic HTTP endpoints that require only the device MAC address and service tag for authentication. This lets attackers execute arbitrary commands as root. Exploitation requires physical access to the device label.
Severity & Score
Severity: Critical
CVSS Score: 9.8
Impact
Attackers with device label access can execute arbitrary commands as root, leading to full device compromise.
Mitigation
Update to firmware version 2.10.0.0 or later.
Details
- CVE ID: CVE-2026-41446
- Severity: Critical
- CVSS Score: 9.8
- Type: command_injection
- Status: new
CWE
- CWE-798
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H