[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-CVE-2026-9508":6},{"stargazers_count":4,"fetched_at":5},6,"2026-05-29T13:18:49.423Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":548,"aliases":549,"duplicate_of":9,"upstream":550,"downstream":551,"duplicates":552,"related":553,"reserved_at":9,"published_at":554,"modified_at":555,"state":556,"summary":557,"references_raw":564,"kevs":571,"epss":9,"epss_history":572,"metrics":573,"affected":580},"CVE-2026-9508","Incorrect permission settings on a critical resource in Suprema BioStar 2 (versions 2.9.3 through 2.9.11) allow backup files to be publicly exposed when the administrator configures the backup path within the NGINX webroot. This vulnerability allows an attacker with network access to directly download backup ZIP files via ‘http(s)://[server]/download/…’ without requiring authentication. This exposes highly sensitive information that can lead to server impersonation, unauthorized access to databases, and lateral movement.",null,[11],{"_key":12,"id":12,"name":13,"description":14,"type":15,"status":16,"abstraction":17,"likelihood_of_exploit":18,"capec":19},"CWE-732","Incorrect Permission Assignment for Critical Resource","The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.","weakness","Draft","Class","High",[20,68,222,256,298,320,333,337,498,502,506],{"id":21,"name":22,"techniques":23},"CAPEC-1","Accessing Functionality Not Properly Constrained by ACLs",[24],{"id":25,"name":26,"tactics":27,"countermeasures":43},"T1574.010","Services File Permissions Weakness",[28,31,34,37,40],{"id":29,"name":30},"TA0110","Persistence",{"id":32,"name":33},"TA0111","Privilege Escalation",{"id":35,"name":36},"TA0030","Defense Evasion",{"id":38,"name":39},"TA0005","Stealth",{"id":41,"name":42},"TA0104","Execution",[44,49,53,58,63],{"id":45,"name":46,"tactic":47},"D3-SWI","Software 
Inventory",{"name":48},"Model",{"id":50,"name":51,"tactic":52},"D3-AVE","Asset Vulnerability Enumeration",{"name":48},{"id":54,"name":55,"tactic":56},"D3-SBV","Service Binary Verification",{"name":57},"Detect",{"id":59,"name":60,"tactic":61},"D3-SU","Software Update",{"name":62},"Harden",{"id":64,"name":65,"tactic":66},"D3-RS","Restore Software",{"name":67},"Restore",{"id":69,"name":70,"techniques":71},"CAPEC-122","Privilege Abuse",[72],{"id":73,"name":74,"tactics":75,"countermeasures":78},"T1548","Abuse Elevation Control Mechanism",[76,77],{"id":35,"name":36},{"id":32,"name":33},[79,83,87,91,95,99,103,107,111,115,119,123,127,131,136,140,145,149,153,157,161,165,169,173,177,181,186,190,194,198,202,206,210,214,218],{"id":80,"name":81,"tactic":82},"D3-CI","Configuration Inventory",{"name":48},{"id":84,"name":85,"tactic":86},"D3-AM","Access Modeling",{"name":48},{"id":88,"name":89,"tactic":90},"D3-DI","Data Inventory",{"name":48},{"id":92,"name":93,"tactic":94},"D3-NTPM","Network Traffic Policy Mapping",{"name":48},{"id":96,"name":97,"tactic":98},"D3-AEM","Application Exception Monitoring",{"name":57},{"id":100,"name":101,"tactic":102},"D3-SCA","System Call Analysis",{"name":57},{"id":104,"name":105,"tactic":106},"D3-SFA","System File Analysis",{"name":57},{"id":108,"name":109,"tactic":110},"D3-FA","File Analysis",{"name":57},{"id":112,"name":113,"tactic":114},"D3-FIM","File Integrity Monitoring",{"name":57},{"id":116,"name":117,"tactic":118},"D3-OPM","Operational Process Monitoring",{"name":57},{"id":120,"name":121,"tactic":122},"D3-DA","Dynamic Analysis",{"name":57},{"id":124,"name":125,"tactic":126},"D3-EFA","Emulated File Analysis",{"name":57},{"id":128,"name":129,"tactic":130},"D3-PSA","Process Spawn Analysis",{"name":57},{"id":132,"name":133,"tactic":134},"D3-FEV","File Eviction",{"name":135},"Evict",{"id":137,"name":138,"tactic":139},"D3-AL","Account Locking",{"name":135},{"id":141,"name":142,"tactic":143},"D3-DF","Decoy 
File",{"name":144},"Deceive",{"id":146,"name":147,"tactic":148},"D3-FE","File Encryption",{"name":62},{"id":150,"name":151,"tactic":152},"D3-AA","Agent Authentication",{"name":62},{"id":154,"name":155,"tactic":156},"D3-CDP","Change Default Password",{"name":62},{"id":158,"name":159,"tactic":160},"D3-SCP","System Configuration Permissions",{"name":62},{"id":162,"name":163,"tactic":164},"D3-RC","Restore Configuration",{"name":67},{"id":166,"name":167,"tactic":168},"D3-RF","Restore File",{"name":67},{"id":170,"name":171,"tactic":172},"D3-ULA","Unlock Account",{"name":67},{"id":174,"name":175,"tactic":176},"D3-RUAA","Restore User Account Access",{"name":67},{"id":178,"name":179,"tactic":180},"D3-RD","Restore Database",{"name":67},{"id":182,"name":183,"tactic":184},"D3-SCF","System Call Filtering",{"name":185},"Isolate",{"id":187,"name":188,"tactic":189},"D3-CF","Content Filtering",{"name":185},{"id":191,"name":192,"tactic":193},"D3-LFP","Local File Permissions",{"name":185},{"id":195,"name":196,"tactic":197},"D3-RFAM","Remote File Access Mediation",{"name":185},{"id":199,"name":200,"tactic":201},"D3-CQ","Content Quarantine",{"name":185},{"id":203,"name":204,"tactic":205},"D3-CM","Content Modification",{"name":185},{"id":207,"name":208,"tactic":209},"D3-UAP","User Account Permissions",{"name":185},{"id":211,"name":212,"tactic":213},"D3-EAL","Executable Allowlisting",{"name":185},{"id":215,"name":216,"tactic":217},"D3-EDL","Executable Denylisting",{"name":185},{"id":219,"name":220,"tactic":221},"D3-HBPI","Hardware-based Process Isolation",{"name":185},{"id":223,"name":224,"techniques":225},"CAPEC-127","Directory Indexing",[226],{"id":227,"name":228,"tactics":229,"countermeasures":233},"T1083","File and Directory 
Discovery",[230],{"id":231,"name":232},"TA0102","Discovery",[234,236,238,240,242,244,246,248,250,252,254],{"id":108,"name":109,"tactic":235},{"name":57},{"id":112,"name":113,"tactic":237},{"name":57},{"id":132,"name":133,"tactic":239},{"name":135},{"id":141,"name":142,"tactic":241},{"name":144},{"id":146,"name":147,"tactic":243},{"name":62},{"id":166,"name":167,"tactic":245},{"name":67},{"id":191,"name":192,"tactic":247},{"name":185},{"id":187,"name":188,"tactic":249},{"name":185},{"id":195,"name":196,"tactic":251},{"name":185},{"id":199,"name":200,"tactic":253},{"name":185},{"id":203,"name":204,"tactic":255},{"name":185},{"id":257,"name":258,"techniques":259},"CAPEC-17","Using Malicious Files",[260,280],{"id":261,"name":262,"tactics":263,"countermeasures":269},"T1574.005","Executable Installer File Permissions Weakness",[264,265,266,267,268],{"id":29,"name":30},{"id":32,"name":33},{"id":35,"name":36},{"id":38,"name":39},{"id":41,"name":42},[270,272,274,276,278],{"id":45,"name":46,"tactic":271},{"name":48},{"id":50,"name":51,"tactic":273},{"name":48},{"id":54,"name":55,"tactic":275},{"name":57},{"id":59,"name":60,"tactic":277},{"name":62},{"id":64,"name":65,"tactic":279},{"name":67},{"id":25,"name":26,"tactics":281,"countermeasures":287},[282,283,284,285,286],{"id":29,"name":30},{"id":32,"name":33},{"id":35,"name":36},{"id":38,"name":39},{"id":41,"name":42},[288,290,292,294,296],{"id":45,"name":46,"tactic":289},{"name":48},{"id":50,"name":51,"tactic":291},{"name":48},{"id":54,"name":55,"tactic":293},{"name":57},{"id":59,"name":60,"tactic":295},{"name":62},{"id":64,"name":65,"tactic":297},{"name":67},{"id":299,"name":300,"techniques":301},"CAPEC-180","Exploiting Incorrectly Configured Access Control Security 
Levels",[302],{"id":25,"name":26,"tactics":303,"countermeasures":309},[304,305,306,307,308],{"id":29,"name":30},{"id":32,"name":33},{"id":35,"name":36},{"id":38,"name":39},{"id":41,"name":42},[310,312,314,316,318],{"id":45,"name":46,"tactic":311},{"name":48},{"id":50,"name":51,"tactic":313},{"name":48},{"id":54,"name":55,"tactic":315},{"name":57},{"id":59,"name":60,"tactic":317},{"name":62},{"id":64,"name":65,"tactic":319},{"name":67},{"id":321,"name":322,"techniques":323},"CAPEC-206","Signing Malicious Code",[324],{"id":325,"name":326,"tactics":327,"countermeasures":332},"T1553.002","Code Signing",[328,329],{"id":35,"name":36},{"id":330,"name":331},"TA0112","Defense Impairment",[],{"id":334,"name":335,"techniques":336},"CAPEC-234","Hijacking a privileged process",[],{"id":338,"name":339,"techniques":340},"CAPEC-60","Reusing Session IDs (aka Session Replay)",[341,393],{"id":342,"name":343,"tactics":344,"countermeasures":348},"T1134.001","Token Impersonation/Theft",[345,346,347],{"id":35,"name":36},{"id":38,"name":39},{"id":32,"name":33},[349,353,357,361,365,369,373,377,381,385,389],{"id":350,"name":351,"tactic":352},"D3-CCSA","Credential Compromise Scope Analysis",{"name":57},{"id":354,"name":355,"tactic":356},"D3-CR","Credential Revocation",{"name":135},{"id":358,"name":359,"tactic":360},"D3-ANCI","Authentication Cache Invalidation",{"name":135},{"id":362,"name":363,"tactic":364},"D3-DUC","Decoy User Credential",{"name":144},{"id":366,"name":367,"tactic":368},"D3-CH","Credential Hardening",{"name":62},{"id":370,"name":371,"tactic":372},"D3-MFA","Multi-factor Authentication",{"name":62},{"id":374,"name":375,"tactic":376},"D3-CRO","Credential Rotation",{"name":62},{"id":378,"name":379,"tactic":380},"D3-TB","Token Binding",{"name":62},{"id":382,"name":383,"tactic":384},"D3-TBA","Token-based Authentication",{"name":62},{"id":386,"name":387,"tactic":388},"D3-RIC","Reissue Credential",{"name":67},{"id":390,"name":391,"tactic":392},"D3-CTS","Credential Transmission 
Scoping",{"name":185},{"id":394,"name":395,"tactics":396,"countermeasures":401},"T1550.004","Web Session Cookie",[397,398],{"id":35,"name":36},{"id":399,"name":400},"TA0109","Lateral Movement",[402,406,410,414,418,422,426,430,434,438,442,444,446,450,454,458,462,464,466,468,470,472,474,476,480,484,486,488,492,496],{"id":403,"name":404,"tactic":405},"D3-UGLPA","User Geolocation Logon Pattern Analysis",{"name":57},{"id":407,"name":408,"tactic":409},"D3-PMAD","Protocol Metadata Anomaly Detection",{"name":57},{"id":411,"name":412,"tactic":413},"D3-CSPP","Client-server Payload Profiling",{"name":57},{"id":415,"name":416,"tactic":417},"D3-PHDURA","Per Host Download-Upload Ratio Analysis",{"name":57},{"id":419,"name":420,"tactic":421},"D3-NTSA","Network Traffic Signature Analysis",{"name":57},{"id":423,"name":424,"tactic":425},"D3-APCA","Application Protocol Command Analysis",{"name":57},{"id":427,"name":428,"tactic":429},"D3-NTCD","Network Traffic Community Deviation",{"name":57},{"id":431,"name":432,"tactic":433},"D3-RTSD","Remote Terminal Session Detection",{"name":57},{"id":435,"name":436,"tactic":437},"D3-PLA","Process Lineage Analysis",{"name":57},{"id":439,"name":440,"tactic":441},"D3-PSMD","Process Self-Modification Detection",{"name":57},{"id":128,"name":129,"tactic":443},{"name":57},{"id":350,"name":351,"tactic":445},{"name":57},{"id":447,"name":448,"tactic":449},"D3-PT","Process Termination",{"name":135},{"id":451,"name":452,"tactic":453},"D3-PS","Process Suspension",{"name":135},{"id":455,"name":456,"tactic":457},"D3-HR","Host Reboot",{"name":135},{"id":459,"name":460,"tactic":461},"D3-HS","Host 
Shutdown",{"name":135},{"id":354,"name":355,"tactic":463},{"name":135},{"id":358,"name":359,"tactic":465},{"name":135},{"id":362,"name":363,"tactic":467},{"name":144},{"id":366,"name":367,"tactic":469},{"name":62},{"id":370,"name":371,"tactic":471},{"name":62},{"id":374,"name":375,"tactic":473},{"name":62},{"id":386,"name":387,"tactic":475},{"name":67},{"id":477,"name":478,"tactic":479},"D3-NTF","Network Traffic Filtering",{"name":185},{"id":481,"name":482,"tactic":483},"D3-KBPI","Kernel-based Process Isolation",{"name":185},{"id":182,"name":183,"tactic":485},{"name":185},{"id":219,"name":220,"tactic":487},{"name":185},{"id":489,"name":490,"tactic":491},"D3-ABPI","Application-based Process Isolation",{"name":185},{"id":493,"name":494,"tactic":495},"D3-WSAM","Web Session Access Mediation",{"name":185},{"id":390,"name":391,"tactic":497},{"name":185},{"id":499,"name":500,"techniques":501},"CAPEC-61","Session Fixation",[],{"id":503,"name":504,"techniques":505},"CAPEC-62","Cross Site Request Forgery",[],{"id":507,"name":508,"techniques":509},"CAPEC-642","Replace Binaries",[510,516,530],{"id":511,"name":512,"tactics":513,"countermeasures":515},"T1505.005","Terminal Services DLL",[514],{"id":29,"name":30},[],{"id":517,"name":518,"tactics":519,"countermeasures":521},"T1554","Compromise Host Software 
Binary",[520],{"id":29,"name":30},[522,524,526,528],{"id":45,"name":46,"tactic":523},{"name":48},{"id":50,"name":51,"tactic":525},{"name":48},{"id":59,"name":60,"tactic":527},{"name":62},{"id":64,"name":65,"tactic":529},{"name":67},{"id":261,"name":262,"tactics":531,"countermeasures":537},[532,533,534,535,536],{"id":29,"name":30},{"id":32,"name":33},{"id":35,"name":36},{"id":38,"name":39},{"id":41,"name":42},[538,540,542,544,546],{"id":45,"name":46,"tactic":539},{"name":48},{"id":50,"name":51,"tactic":541},{"name":48},{"id":54,"name":55,"tactic":543},{"name":57},{"id":59,"name":60,"tactic":545},{"name":62},{"id":64,"name":65,"tactic":547},{"name":67},[],[],[],[],[],[],"2026-05-29T12:09:02.026Z","2026-05-29T13:33:31.937Z","Received",{"cisa_kev":558,"cisa_ransomware":558,"cisa_vendor":9,"epss_severity":9,"epss_score":9,"severity":559,"severity_score":560,"severity_version":561,"severity_source":562,"severity_vector":563,"severity_status":556},false,"critical",10,"v4.0","cve.org","CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L",[565],{"url":566,"sources":567,"tags":569},"https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-supremas-biostar",[562,568],"nvd",[570],"Patch",[],[],[574,577],{"source":562,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":9,"cvss_v4_0":575},{"baseScore":560,"baseSeverity":576,"vectorString":563,"impactScore":9,"exploitabilityScore":9},"CRITICAL",{"source":568,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":9,"cvss_v4_0":578},{"baseScore":560,"baseSeverity":576,"vectorString":579,"impactScore":9,"exploitabilityScore":9},"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",[581],{"ecosystem":9,"name":582,"vendor":583,"product":584,"cpe_part":585,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":586},"BioStar 2 (server)","suprema","biostar 2 
(server)","a",[587],{"version":588,"is_range":589,"range_type":562,"version_start":590,"version_start_type":591,"version_end":592,"version_end_type":591,"fixed_in":9},">= v2.9.3, \u003C= v2.9.11",true,"v2.9.3","including","v2.9.11"]