CVE-2026-29510: CWE-79 Improper neutralization of input during web page generation ('cross-site scripting') in Shenzhen Hereta Technology Co., Ltd. Hereta ETH-IMC408M
CVE-2026-29510 is a stored cross-site scripting (XSS) vulnerability affecting Shenzhen Hereta Technology Co., Ltd.'s Hereta ETH-IMC408M device firmware version 1.0.15 and earlier. Authenticated attackers can exploit this flaw by injecting arbitrary JavaScript code through the Device Name field, which is then rendered unsanitized on the System Status web interface. This vulnerability allows malicious scripts to execute in the browsers of users viewing the status page, potentially leading to session hijacking, credential theft, or unauthorized actions. The vulnerability requires authentication but no user interaction beyond viewing the compromised page. It has a CVSS 4.0 base score of 5.1.
AI Analysis
Technical Summary
CVE-2026-29510 is a stored cross-site scripting (XSS) vulnerability identified in the firmware of the Hereta ETH-IMC408M device, specifically versions 1.0.15 and earlier. The vulnerability arises from improper neutralization of input during web page generation, classified under CWE-79. Authenticated attackers can manipulate the Device Name field, injecting arbitrary JavaScript code that is stored and subsequently rendered without proper output encoding on the System Status interface. When legitimate users access this interface, the malicious script executes in their browsers, potentially compromising session tokens, redirecting users to malicious sites, or performing unauthorized actions within the context of the user’s session. The attack vector requires the attacker to have authenticated access to the device’s management interface but does not require further user interaction beyond viewing the affected page. The vulnerability has a CVSS 4.0 base score of 5.1, reflecting medium severity due to its network attack vector, low attack complexity, low privileges required (an authenticated account), and no user interaction needed beyond viewing the page. No patches or fixes have been published yet, and no known exploits have been observed in the wild. The vulnerability highlights a common security oversight in embedded device web interfaces, where stored input is not encoded before rendering, exposing users to client-side attacks.
Potential Impact
The primary impact of CVE-2026-29510 is the compromise of confidentiality and integrity for users accessing the affected device’s web interface. Successful exploitation can lead to session hijacking, theft of authentication credentials, unauthorized command execution within the user’s browser context, and potential lateral movement within the network if attackers leverage stolen credentials. Since the vulnerability is stored XSS, the malicious payload persists and affects all users who view the System Status page, increasing the attack surface. For organizations, this can result in unauthorized access to device management, disruption of network monitoring, and potential compromise of connected infrastructure. The requirement for attacker authentication limits the risk to environments where attackers can gain initial access, but insider threats or compromised credentials increase the likelihood of exploitation. The lack of patches means the vulnerability remains exploitable, posing ongoing risk. Although no exploits are currently known in the wild, the medium severity score and ease of exploitation suggest that attackers could develop exploits, especially in targeted attacks against organizations relying on these devices for critical network functions.
Mitigation Recommendations
To mitigate CVE-2026-29510, organizations should first restrict access to the Hereta ETH-IMC408M management interface using network segmentation, VPNs, or firewall rules to limit exposure to trusted administrators only. Implement strong authentication mechanisms and monitor for unusual login activity to detect potential insider threats or compromised credentials. Since no official patches are available, administrators should avoid entering untrusted input into the Device Name field and regularly audit device configurations for suspicious entries. Employ web application firewalls (WAFs) capable of detecting and blocking XSS payloads targeting the device’s web interface. Additionally, organizations should consider a Content Security Policy (CSP), delivered as a response header and enforced by the browser, to reduce the impact of injected scripts. Monitoring network traffic for anomalous behavior related to the device’s web interface can also help detect exploitation attempts. Finally, maintain communication with the vendor for firmware updates and apply patches promptly once available.
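The CWE-79 pattern described above, and the defensive controls from the mitigation section, shown side by side as an added example. This is illustrative Python written for this page, not the vendor's firmware code: the function names, the configuration keys, the sample Device Name values and the CSP policy are all assumptions, and the "vulnerable" renderer simply models the behaviour the advisory describes (a stored value concatenated into HTML without neutralization).

```python
import html
import re
from typing import Dict

# Constructed sample values for a "Device Name" configuration field, in the
# shape a device's configuration store might hold them (not vendor data).
SAMPLE_DEVICE_NAMES = {
    "benign": "Core-Switch-01",
    "markup": "Rack-7 <script>/* constructed marker */</script>",
}


def render_status_vulnerable(device_name: str) -> str:
    """Model of the flawed System Status rendering: the stored value is
    concatenated straight into the HTML, so any markup it carries becomes
    part of the page (CWE-79)."""
    return f"<td>Device Name</td><td>{device_name}</td>"


def render_status_fixed(device_name: str) -> str:
    """Hardened rendering: HTML-entity-encode the value at output time so
    the browser treats it as text, whatever was stored."""
    return f"<td>Device Name</td><td>{html.escape(device_name, quote=True)}</td>"


# Defense in depth on the input side: an allowlist for what a device name
# may contain. This is an assumed policy for the example, not the vendor's.
_ALLOWED_NAME_RE = re.compile(r"^[A-Za-z0-9 ._-]{1,64}$")


def validate_device_name(value: str) -> bool:
    """Return True only for names made of allowlisted characters."""
    return _ALLOWED_NAME_RE.fullmatch(value) is not None


# Characters and tokens that should never appear in a plain-text setting.
_MARKUP_RE = re.compile(r"[<>\"']|&#|javascript:", re.IGNORECASE)


def audit_config(config: Dict[str, str]) -> Dict[str, str]:
    """Return the configuration fields whose values contain HTML/JS markup,
    for the periodic configuration audit the mitigation section recommends."""
    return {key: value for key, value in config.items() if _MARKUP_RE.search(value)}


def csp_header() -> str:
    """A restrictive Content-Security-Policy header value for a device
    management UI: same-origin scripts only and no inline script, so an
    injected <script> element or inline handler is blocked by the browser
    even if output encoding is missed somewhere. Assumed policy."""
    return "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'"


if __name__ == "__main__":
    name = SAMPLE_DEVICE_NAMES["markup"]
    print("vulnerable:", render_status_vulnerable(name))
    print("fixed:     ", render_status_fixed(name))
    print("valid name:", validate_device_name(name))
    print("audit hits:", audit_config({"device_name": name, "location": "Lab B"}))
    print("CSP:       ", csp_header())
```

Output encoding at render time is the actual fix for CWE-79; the allowlist validation, configuration audit and CSP are the layered controls an operator can apply while no firmware patch exists, since they do not depend on changing the device's rendering code.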
Affected Countries
China, India, Vietnam, Thailand, Malaysia, Indonesia, Singapore, United States, Germany, United Kingdom
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2026-03-04T15:39:26.871Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69b83bfc9d4df451837721a2
Added to database: 3/16/2026, 5:21:00 PM
Last enriched: 3/24/2026, 1:00:12 AM
Last updated: 4/30/2026, 9:57:41 PM