Taiko AG1000-01A SMS Alert Gateway Rev 7.3 and Rev 8 contains an authentication bypass vulnerability in the embedded web configuration interface that allows unauthenticated attackers to access internal application pages without any session management or server-side authentication checks. Attackers with network access can directly request internal resources such as index.zhtml, point.zhtml, and log.shtml to gain full administrative read and write access, enabling unauthorized modification of alarm routing, device configuration, and disruption of monitoring and control functions.
CVE-2026-9141
CRITICALNVD 9.89.8—
EchelonGraph scoreHIGH confidence
Score 9.8 from GitHub Security Advisory (severity: CRITICAL) published 2026-05-20. NVD baseline CVSS 9.8; sources differ by 0.0.
Triggered by: GitHub Security Advisory CVSS
Sources: ghsa, nvd
9.8
- CVSS v3
- 9.8
- EG Score
- 9.8(high)
- EPSS
- 44.1%
- KEV
- Not listed
Published
May 20, 2026
Last Modified
May 21, 2026
References (3)
- disclosure@vulncheckhttps://medium.com/@forgetmen0t/multiple-vulnerabilities-in-taiko-ag1000-01a-sms-alert-gateway-82095b1d633e
- disclosure@vulncheckhttps://www.vulncheck.com/advisories/taiko-ag1000-01a-rev-8-authentication-bypass-via-web-interface
- 134c704f-9b21-4f2e-91b3-4a467353bcc0https://medium.com/@forgetmen0t/multiple-vulnerabilities-in-taiko-ag1000-01a-sms-alert-gateway-82095b1d633e
Frequently asked(5)
What is CVE-2026-9141?
CVE-2026-9141 is a critical vulnerability published on May 20, 2026. Taiko AG1000-01A SMS Alert Gateway Rev 7.3 and Rev 8 contains an authentication bypass vulnerability in the embedded web configuration interface that allows unauthenticated attackers to access internal application pages without any session management or server-side authentication checks. Attackers…
When was CVE-2026-9141 disclosed?
CVE-2026-9141 was first published in the National Vulnerability Database on May 20, 2026, with the most recent update on May 21, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
Is CVE-2026-9141 actively exploited?
CVE-2026-9141 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 44.1% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.
What is the CVSS score of CVE-2026-9141?
CVE-2026-9141 has a CVSS v3 base score of 9.8 (NVD).
How do I remediate CVE-2026-9141?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-9141, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.
Dependency Blast Radius
See which npm, PyPI, Go, and Maven packages are affected by CVE-2026-9141
Is Your Infrastructure Affected by CVE-2026-9141?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.