CVE-2026-3502
7.8
CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L
Summary
TrueConf Client downloads application update code and applies it without performing verification. An attacker who is able to influence the update delivery path can substitute a tampered update payload. If the payload is executed or installed by the updater, this may result in arbitrary code execution in the context of the updating process or user.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| TrueConf | TrueConf Client | TrueConf Client versions 8.1.0 through 8.5.2 | affected |
Weaknesses
- CWE-494: CWE-494: Download of Code Without Integrity Check.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: active
- Automatable: no
- Technical Impact: total
Additional References
- https://research.checkpoint.com/2026/operation-truechaos-0-day-exploitation-against-southeast-asian-government-targets/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-3502
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.