{"cve":{"cve_id":"CVE-2026-41954","is_kev":false,"kev_date_added":null,"kev_vendor_project":null,"kev_product":null,"kev_vulnerability_name":null,"kev_short_description":null,"kev_required_action":null,"kev_due_date":null,"kev_known_ransomware":null,"kev_notes":null,"kev_cwes":null,"epss_score":0.00294,"epss_percentile":0.2093,"epss_as_of":"2026-06-23","description":"Sensitive information disclosure vulnerability exists in the undisclosed iControl REST endpoint and TMOS Shell (tmsh) command which may allow an authenticated attacker with resource administrator role privileges to view sensitive information.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.","published_at":"2026-05-13T14:12:27.618000Z","last_modified_at":null,"cvss_v3_score":4.9,"cvss_v3_vector":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N","cvss_v3_severity":"MEDIUM","cvss_v4_score":6.9,"cvss_v4_vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N","cvss_v4_severity":"MEDIUM","ssvc_decision":null,"ssvc_exploitation":null,"ssvc_automatable":null,"ssvc_technical_impact":null,"cwes":["CWE-200"],"nvd_references":["https://my.f5.com/manage/s/article/K32950402"],"vuln_status":null,"trending_score":null,"is_trending":false,"has_trended":false,"trended_number_one":false,"trending_peak_score":null,"trending_peak_rank":null,"started_trending_at":null,"trended_number_one_at":null,"summary_generated":null,"summary_generated_at":null,"summary_model":null,"created_at":"2026-06-24T00:09:39.878444Z","updated_at":"2026-06-28T23:30:18.213309Z"},"effective_severity":"MEDIUM","badges":[],"impact_analysis":[],"cvss_v3_decoded":{"version":"3.1","metrics":[{"metric":"AV","name":"Attack Vector","value":"N","value_label":"Network"},{"metric":"AC","name":"Attack Complexity","value":"L","value_label":"Low"},{"metric":"PR","name":"Privileges Required","value":"H","value_label":"High"},{"metric":"UI","name":"User Interaction","value":"N","value_label":"None"},{"metric":"S","name":"Scope","value":"U","value_label":"Unchanged"},{"metric":"C","name":"Confidentiality","value":"H","value_label":"High"},{"metric":"I","name":"Integrity","value":"N","value_label":"None"},{"metric":"A","name":"Availability","value":"N","value_label":"None"}]},"cvss_v4_decoded":{"version":"4.0","metrics":[{"metric":"AV","name":"Attack Vector","value":"N","value_label":"Network"},{"metric":"AC","name":"Attack Complexity","value":"L","value_label":"Low"},{"metric":"AT","name":"Attack Requirements","value":"N","value_label":"None"},{"metric":"PR","name":"Privileges Required","value":"H","value_label":"High"},{"metric":"UI","name":"User Interaction","value":"N","value_label":"None"},{"metric":"VC","name":"Confidentiality (Vulnerable System)","value":"H","value_label":"High"},{"metric":"VI","name":"Integrity (Vulnerable System)","value":"N","value_label":"None"},{"metric":"VA","name":"Availability (Vulnerable System)","value":"N","value_label":"None"},{"metric":"SC","name":"Confidentiality (Subsequent System)","value":"N","value_label":"None"},{"metric":"SI","name":"Integrity (Subsequent System)","value":"N","value_label":"None"},{"metric":"SA","name":"Availability (Subsequent System)","value":"N","value_label":"None"}]},"affected":[{"vendor_slug":"f5","vendor_name":"F5","product_slug":"big-ip","product_name":"BIG-IP","version_start":"21.1.0","version_start_inclusive":true,"version_end":"*","version_end_inclusive":false,"cpe23_uri":"cve5:f5:big-ip:21.1.0:*"},{"vendor_slug":"f5","vendor_name":"F5","product_slug":"big-ip","product_name":"BIG-IP","version_start":"21.0.0","version_start_inclusive":true,"version_end":"21.0.0.1","version_end_inclusive":false,"cpe23_uri":"cve5:f5:big-ip:21.0.0:21.0.0.1"},{"vendor_slug":"f5","vendor_name":"F5","product_slug":"big-ip","product_name":"BIG-IP","version_start":"17.5.0","version_start_inclusive":true,"version_end":"17.5.1.4","version_end_inclusive":false,"cpe23_uri":"cve5:f5:big-ip:17.5.0:17.5.1.4"},{"vendor_slug":"f5","vendor_name":"F5","product_slug":"big-ip","product_name":"BIG-IP","version_start":"17.1.0","version_start_inclusive":true,"version_end":"17.1.3.1","version_end_inclusive":false,"cpe23_uri":"cve5:f5:big-ip:17.1.0:17.1.3.1"},{"vendor_slug":"f5","vendor_name":"F5","product_slug":"big-ip","product_name":"BIG-IP","version_start":"16.1.0","version_start_inclusive":true,"version_end":"*","version_end_inclusive":false,"cpe23_uri":"cve5:f5:big-ip:16.1.0:*"},{"vendor_slug":"f5","vendor_name":"F5","product_slug":"big-iq","product_name":"BIG-IQ","version_start":"8.4.0","version_start_inclusive":true,"version_end":"8.4.1","version_end_inclusive":false,"cpe23_uri":"cve5:f5:big-iq:8.4.0:8.4.1"}],"exploit_refs":[],"news":[],"references":[{"url":"https://my.f5.com/manage/s/article/K32950402","source_type":"MISC","tags":[]}],"timeline":[{"type":"published","at":"2026-05-13T14:12:27.618000Z","label":"CVE published","source":null},{"type":"cvss_changed","at":"2026-06-28T17:54:07.258310Z","label":"CVSS score revised","source":"cvelistv5"},{"type":"cvss_changed","at":"2026-06-28T17:54:07.258310Z","label":"CVSS score revised","source":"cvelistv5"},{"type":"cvss_changed","at":"2026-06-28T17:54:07.258310Z","label":"CVSS score revised","source":"cvelistv5"},{"type":"cvss_changed","at":"2026-06-28T17:54:07.258310Z","label":"CVSS score revised","source":"cvelistv5"},{"type":"cvss_changed","at":"2026-06-28T17:54:07.258310Z","label":"CVSS score revised","source":"cvelistv5"},{"type":"cvss_changed","at":"2026-06-28T17:54:07.258310Z","label":"CVSS score revised","source":"cvelistv5"}]}