CVE-2026-3502

Undergoing Analysis
Published: 30 Mar 2026, 18:05
Last modified:03 Apr 2026, 03:55

Vulnerability Summary

Overall Risk (default)
medium
31/100
CVSS Score
7.8 HIGH
v3.1 (cve.org)
EPSS Score
<0.01% LOW
0% probability 0.00%
KEV
Listed
CISA
1 listing
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

30 Mar 2026, 18:05
Published
Vulnerability first disclosed
02 Apr 2026, 00:00
Added to CISA KEV
TrueConf Client Download of Code Without Integrity Check Vulnerability
03 Apr 2026, 03:55
Last Modified
Vulnerability information updated
16 Apr 2026, 00:00
CISA Remediation Due
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Description

TrueConf Client downloads application update code and applies it without performing verification. An attacker who is able to influence the update delivery path can substitute a tampered update payload. If the payload is executed or installed by the updater, this may result in arbitrary code execution in the context of the updating process or user.

CVSS Metrics

  • v3.1HIGHScore: 7.8CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L

EPSS Trends

Current EPSS score: 0.01% Percentile: 1%

Techniques & Countermeasures

  • CWE-494Download of Code Without Integrity Check

    The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.

Affected Systems

  • trueconftrueconf client

    TrueConf Client versions 8.1.0 through 8.5.2

References (3)