CVE Alert

CVE-2026-29513

MEDIUM 5.4

Hereta ETH-IMC408M Stored XSS via Device Location

CVSS Score: 5.4
EPSS Score: 0.0%
EPSS Percentile: 0th

Hereta ETH-IMC408M firmware versions 1.0.15 and prior contain a stored cross-site scripting vulnerability that allows authenticated attackers to inject arbitrary JavaScript by manipulating the Device Location field. Because the input is not sanitized, scripts injected through the System Status interface execute in the browsers of users who view the status page.

CWE: CWE-79
Vendor: Shenzhen Hereta Technology Co., Ltd.
Product: Hereta ETH-IMC408M
Published: Mar 16, 2026
Last Updated: Mar 17, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Affected Versions

Shenzhen Hereta Technology Co., Ltd. / Hereta ETH-IMC408M
0 ≤ 1.0.15

References

web.archive.org: https://web.archive.org/web/20250820105319/http://hereta.com/
vulncheck.com: https://www.vulncheck.com/advisories/hereta-eth-imc408m-stored-xss-via-device-location

Credits

Kazuma Matsumoto, a security researcher at GMO Cybersecurity by IERAE, Inc.