SpirityCVE

Cross-site scripting vulnerability exists in multiple Network Cameras TRIFORA 3 series provided by TOA Corporation. If an attacking administrator configures the affected product with some malicious input, an arbitrary script may be executed on the web browser of a victim administrator who accesses the setting screen.

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact Low

Subsequent System Integrity Impact Low

Subsequent System Availability Impact None

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Toa Corporation	Trifora 3 Series

No data.

References

Link	Providers
https://jvn.jp/en/jp/JVN08087148/
https://www.toa-products.com/securityinfo/pdf/tv2025-001jp.pdf

History

Fri, 16 Jan 2026 14:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Toa Corporation Toa Corporation trifora 3 Series
Vendors & Products		Toa Corporation Toa Corporation trifora 3 Series
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 16 Jan 2026 08:30:00 +0000

Type	Values Removed	Values Added
Description		Cross-site scripting vulnerability exists in multiple Network Cameras TRIFORA 3 series provided by TOA Corporation. If an attacking administrator configures the affected product with some malicious input, an arbitrary script may be executed on the web browser of a victim administrator who accesses the setting screen.
Weaknesses		CWE-79
References		https://jvn.jp/en/jp/JVN08087148/ https://www.toa-products.com/securityinfo/pdf/tv2025-001jp.pdf
Metrics		cvssV3_0 `{'score': 4.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}` cvssV4_0 `{'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: jpcert

Published: 2026-01-16T08:16:57.696Z

Updated: 2026-01-16T13:45:31.792Z

Reserved: 2026-01-14T04:14:33.376Z

Link: CVE-2026-20894

Vulnrichment

Updated: 2026-01-16T13:45:28.313Z

NVD

Status : Awaiting Analysis

Published: 2026-01-16T09:16:22.650

Modified: 2026-01-16T15:55:12.257

Link: CVE-2026-20894

Redhat

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact Low

Subsequent System Integrity Impact Low

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object