| CVE ID | CVE-2026-46458 |
| Publication date | 15 July 2026 |
| Vendor | ICU Scandinavia |
| Product | Boomerang |
| Vulnerable versions | All before 2.4.18.029 |
| Vulnerability type (CWE) | Insufficiently Protected Credentials (CWE-522) |
| Report source | Report to CERT Polska |
| CVE ID | CVE-2026-46459 |
| Publication date | 15 July 2026 |
| Vendor | ICU Scandinavia |
| Product | Boomerang |
| Vulnerable versions | All before 2.4.18.029 |
| Vulnerability type (CWE) | Missing Authorization (CWE-862) |
| Report source | Report to CERT Polska |
Description
CERT Polska has received a report about vulnerabilities in ICU Scandinavia Boomerang software and participated in coordination of their disclosure.
The vulnerability CVE-2026-46458: ICU Scandinavia Boomerang is vulnerable to an information disclosure flaw where sensitive credential files are exposed via static HTTP. This allows an unauthenticated remote attacker to retrieve plaintext service account and SMTP credentials by requesting specific XML files from the webroot.
The vulnerability CVE-2026-46459: ICU Scandinavia Boomerang is vulnerable to a missing authentication flaw in its device receiver endpoints. This allows an unauthenticated remote attacker to read full facility configurations and write unauthorized data to the sensor database.
These issues have been fixed in version 2.4.18.029.
Credits
We thank Marek Figielski (vanilla.pl) for the responsible vulnerability report.
More about the coordinated vulnerability disclosure process at CERT Polska can be found at https://cert.pl/en/cvd/.