CVE-2026-33359

HIGH 7.5

Meari unauthenticated alert image access in cloud object storage

CVSS Score

7.5

EPSS Score

0.0%

EPSS Percentile

0th

In Meari IoT Cloud alert image storage on Alibaba OSS (latest observed; storage service version not disclosed), motion snapshots are retrievable without authentication, signed URLs, or expiry enforcement. URLs function as direct object references and remain valid beyond expected operational windows.

CWE	CWE-862
Vendor	meari
Product	alibaba oss hosted
Published	May 11, 2026
Last Updated	May 11, 2026

Stay Ahead of the Next One

Get instant alerts for meari alibaba oss hosted

Be the first to know when new high vulnerabilities affecting meari alibaba oss hosted are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Affected Versions

Meari / Alibaba OSS Hosted

April, 2026

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/xn0tsa/nobody-puts-baby-in-a-corner runzero.com: https://www.runzero.com/advisories/meari-unauthenticated-alert-image-access-in-cloud-object-storage-cve-2026-33359/

Credits

Sammy Azdoufal Tod Beardsley of runZero, Inc.