CVE Alert

CVE-2026-9508

UNKNOWN 0.0

Incorrect Permission Assignment for Critical Resource vulnerability in Suprema's BioStar

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

Incorrect permission settings on a critical resource in Suprema BioStar 2 (versions 2.9.3 through 2.9.11) allow backup files to be publicly exposed when the administrator configures the backup path within the NGINX webroot. An attacker with network access can directly download backup ZIP files via 'http(s)://[server]/download/…' without authentication. This exposes highly sensitive information that can lead to server impersonation, unauthorized access to databases, and lateral movement.

CWE: CWE-732
Vendor: suprema
Product: biostar 2 (server)
Published: May 29, 2026
Last Updated: May 29, 2026

Affected Versions

Suprema / BioStar 2 (server)
v2.9.3 ≤ v2.9.11

References

incibe.es: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-supremas-biostar

Credits

Jordi Garcia Ribera