CVE-2026-7671

LOW · 3.7
hype PURE HYPE · 12 hack

Automated feed noise; PoC public but no active exploitation signal or KEV listing.

What: Improper rate-limiting on two-factor authentication endpoint in CodeWise Tornet Scooter Mobile App 4.75 (iOS/Android); CVSS 3.7 (LOW).

Why it matters: The CVSS score is low and exploitation is rated difficult. The vendor has been unresponsive, but there is no KEV listing and no confirmed in-the-wild exploitation. A PoC has been publicly disclosed, yet the social chatter consists purely of automated CVE feed rebroadcasts, with no defender triage or incident reporting evident.

Where it's seen: Generic CVE alert bots and security feeds republishing NVD description verbatim within hours of publication. No vendor advisories, researcher analysis, or operational security discussion observed.

RISK: LOW — Niche mobile app, low severity, complex attack required, unresponsive vendor.

Generated by claude-haiku-4-5 from public posts and authoritative metadata. AI can make mistakes — verify against vendor advisories before acting. 5/3/2026, 7:05:39 AM

Public PoCs on GitHub 6 repos

Articles & coverage 15 articles

  • CVE-2026-7671 - Exploits & Severity - Feedly

    A vulnerability labeled as problematic has been found in CodeWise Tornet Scooter Mobile App 4.75 on iOS/Android. The impacted element is an

  • Oracle Linux: CVE-2026-33636: ELSA-2026-7671: firefox ... - Rapid7

    A flaw was found in libpng. A remote attacker could exploit an out-of-bounds read and write vulnerability in the ARM/AArch64 Neon-optimized palette

  • AlmaLinux 9 : firefox (ALSA-2026:7671) | Tenable®

    AlmaLinux 9 : firefox (ALSA-2026:7671). Critical. Nessus Plugin ID 306649. The remote AlmaLinux host is missing one or more security updates. The remote AlmaLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2026:7671 advisory. * libpng: libpng: Information disclosure and denial of service via out-of-bounds read/write in Neon palett

  • Oracle Linux 9 : firefox (ELSA-2026-7671) | Tenable®

    Oracle Linux 9 : firefox (ELSA-2026-7671). Critical. Nessus Plugin ID 306165. The remote Oracle Linux host is missing one or more security updates. The remote Oracle Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2026-7671 advisory. - Fix firefox-oracle-default-prefs.js for new nss [Orabug: 37079773]. - Add firefox-oracle-default

  • Debian OS web-browsing Software Security Patch RLSB-2025-8271

    {"type": "TYPE_SECURITY", "shortCode": "RL", "name": "RLSA-2026:7671", "synopsis": "Important: firefox security update", "severity": "SEVERITY_IMPORTANT", "topic": "An update is available for firefox.\nThis update affects Rocky Linux 9.\nA Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list", "descri


NVD details: 2 CWE · 0 vendors · 4 refs

Description

A vulnerability has been found in CodeWise Tornet Scooter Mobile App 4.75 on iOS/Android. The impacted element is an unknown function of the file /TwoFactor. Such manipulation leads to improper restriction of excessive authentication attempts. The attack may be performed from remote. Attacks of this nature are highly complex. The exploitability is regarded as difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.