CVE-2026-26340

EUVD-2026-8550
Tattile Smart+, Vega, and Basic device families firmware versions 1.181.5 and prior expose RTSP streams without requiring authentication. A remote attacker can connect to the RTSP service and access live video/audio streams without valid credentials, resulting in unauthorized disclosure of surveillance data.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
tattilesmart\+_firmware
𝑥
≤ 1.181.5
tattiletolling\+_firmware
𝑥
≤ 1.181.5
tattilesmart\+_speed_firmware
𝑥
≤ 1.181.5
tattilesmart\+_traffic_light_firmware
𝑥
≤ 1.181.5
tattileaxle_counter_firmware
𝑥
≤ 1.181.5
tattilevega53_firmware
𝑥
≤ 1.181.5
tattilevega33_firmware
𝑥
≤ 1.181.5
tattilevega11_firmware
𝑥
≤ 1.181.5
tattilebasic_mk2_firmware
𝑥
≤ 1.181.5
tattileanpr_mobile_firmware
𝑥
≤ 1.181.5
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://www.tattile.com/
https://www.vulncheck.com/advisories/tattile-smart-vega-basic-unauthenticated-rtsp-stream-disclosure
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5978.php