CVE-2026-22313

CRITICAL 9.1

OS Commands Executed with Administrative Permissions in Radiflow iSAP Smart Collector

CVSS Score

9.1

EPSS Score

0.0%

EPSS Percentile

0th

The device has a webserver that exposes a REST API authenticated with a token on the management network. By exploiting an OS command injection vulnerability an authenticated attacker can send arbitrary commands to the device that are executed with administrative permissions by the underlying operating system.

CWE	CWE-78
Vendor	radiflow
Product	isap smart collector
Published	Jun 16, 2026
Last Updated	Jun 16, 2026

Stay Ahead of the Next One

Get instant alerts for radiflow isap smart collector

Be the first to know when new critical vulnerabilities affecting radiflow isap smart collector are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

Radiflow / iSAP Smart Collector

3.07-1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

cvcn.gov.it: https://www.cvcn.gov.it/cvcn/cve/CVE-2026-22313