Cyber Posture

CVE-2026-42283

High

Published: 14 May 2026

Published
14 May 2026
Modified
14 May 2026
KEV Added
Patch
CVSS Score 7.7 CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
EPSS Score N/A
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-42283 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability. Its CVSS base score is 7.7 (High).

Operationally, it is not currently listed in the CISA KEV catalog.

Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

AU-14 Session Audit
addresses: CWE-200 CWE-306

Session auditing enables detection of unauthorized exposure or access to sensitive information during user activities.

PL-8 Security and Privacy Architectures
addresses: CWE-200 CWE-306

Privacy and security architectures require controls to protect sensitive information from unauthorized exposure across the system lifecycle.

PM-5 System Inventory
addresses: CWE-200 CWE-306

Inventory identifies all systems holding or processing data, enabling detection of unauthorized exposure paths before exploitation.

PM-8 Critical Infrastructure Plan
addresses: CWE-306 CWE-200

Protection planning for critical infrastructure directly calls for authentication of access to essential functions before any operation is permitted.

RA-3 Risk Assessment
addresses: CWE-306 CWE-200

Risk assessments evaluate exposure of critical functions lacking authentication and prioritize corrective controls.

SC-14 Public Access Protections
addresses: CWE-306 CWE-200

Requires authentication gates on critical functions that must remain unavailable to anonymous public users.

SC-15 Collaborative Computing Devices and Applications
addresses: CWE-306 CWE-200

Treats remote activation of surveillance-capable devices as a critical function that must be disabled or authenticated.

SC-26 Decoys
addresses: CWE-200 CWE-306

Decoys supply misleading data and log access attempts, directly detecting and deflecting unauthorized information exposure.

NVD Description

DevSpace is a client-only developer tool for cloud-native development with Kubernetes. Prior to 6.3.21, DevSpace's UI server WebSocket accepts connections from all origins by default, and therefore several endpoints are exposed via this WebSocket. When a developer runs the DevSpace…

more

UI and at the same time uses a browser to access the internet, a malicious website they visit can use their browser to establish a cross-origin WebSocket connection to ws://127.0.0.1:8090. This vulnerability is fixed in 6.3.21.

Deeper analysisAI

Automated synthesis unavailable for this CVE.

Details

CWE(s)
CWE-200CWE-306

References