CVE-2026-2752
MediumCVSS 5.3Exploitation Probability (EPSS)
Low risk17th percentile - higher than 17% of all known CVEs
Summary
Navtor NavBox allows information disclosure via the /api/ais-data endpoint. A remote, unauthenticated attacker can send crafted requests to trigger an unhandled exception, causing the server to return verbose .NET stack traces.
Risk Assessment
The exposed error messages may assist attackers in understanding the application's internal structure, increasing the risk of further attacks.
Recommendation
It is recommended to secure the /api/ais-data endpoint and implement proper error handling mechanisms to avoid disclosing detailed application information.
Original NVD description (English source)
Navtor NavBox allows information disclosure via the /api/ais-data endpoint. A remote, unauthenticated attacker can send crafted requests to trigger an unhandled exception, causing the server to return verbose .NET stack traces. These error messages expose internal class names, method calls, and third-party library references (e.g., System.Data.SQLite), which may assist attackers in mapping the application's internal structure.

