🔐 CVE Alert

CVE-2026-26342

UNKNOWN 0.0

Tattile Smart+ / Vega / Basic <= 1.181.5 Insufficient Session Token Expiration

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

Tattile Smart+, Vega, and Basic device families firmware versions 1.181.5 and prior implement an authentication token (X-User-Token) with insufficient expiration. An attacker who obtains a valid token (for example via interception, log exposure, or token reuse on a shared system) can continue to authenticate to the management interface until the token is revoked, enabling unauthorized access to device functions and data.

CWE: CWE-613
Vendor: tattile s.r.l.
Product: smart+
Published: Feb 24, 2026
Last Updated: Mar 5, 2026

Affected Versions

Tattile s.r.l. / Smart+: 0 ≤ 1.181.5
Tattile s.r.l. / Tolling+: 0 ≤ 1.181.5
Tattile s.r.l. / Smart+ Speed: 0 ≤ 1.181.5
Tattile s.r.l. / Smart+ Traffic Light: 0 ≤ 1.181.5
Tattile s.r.l. / Axle Counter: 0 ≤ 1.181.5
Tattile s.r.l. / Vega53: 0 ≤ 1.181.5
Tattile s.r.l. / Vega33: 0 ≤ 1.181.5
Tattile s.r.l. / Vega11: 0 ≤ 1.181.5
Tattile s.r.l. / Basic MK2: 0 ≤ 1.181.5
Tattile s.r.l. / ANPR Mobile: 0 ≤ 1.181.5

References

zeroscience.mk: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5976.php
tattile.com: https://www.tattile.com/
vulncheck.com: https://www.vulncheck.com/advisories/tattile-smart-vega-basic-insufficient-session-token-expiration

Credits

Gjoko Krstic of Zero Science Lab