CVE-2026-9039
Initialization of a resource with an insecure default in XCharge C6
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
A configuration weakness in the device’s remote management service allows an authenticated session to be established over a communication channel intended solely for vehicle-charger signaling. The service is accessible on interfaces exposed through the charging connector, and it accepts a default administrative credential. A malicious device physically connected to the charging interface could leverage this misconfiguration to obtain full administrative access.
| CWE | CWE-1188 |
| Vendor | xcharge |
| Product | c6 |
| Published | May 28, 2026 |
| Last Updated | May 29, 2026 |
Stay Ahead of the Next One
Get instant alerts for xcharge c6
Be the first to know when new unknown vulnerabilities affecting xcharge c6 are published — delivered to Slack, Telegram or Discord.
Get Free Alerts →
Free · No credit card · 60 sec setup
Affected Versions
XCharge / C6
0 < May_22_2026
References
Credits
Lionel R. Saposnik of SaiFlow reported these vulnerabilities to CISA.