
NAVTOR Vendor Statement – Legacy NavBox Vulnerabilities (CVE-2026-2752 / CVE-2026-2753 / CVE-2026-2754)

NAVTOR is committed to maintaining strong product security and supports good‑faith security research and coordinated vulnerability disclosure. Following responsible reporting by Cydome, NAVTOR verified the reported issues and confirmed they affected a legacy NavBox software version.
 
Summary
Cydome responsibly reported three security issues affecting legacy NavBox v4.12.0.3.
 
Associated CVEs: CVE-2026-2752, CVE-2026-2753, CVE-2026-2754.
 
CVE-2026-2752 – Missing Authentication on HTTP API Endpoints
Affected version: 4.12.0.3
Fixed version: 4.16.2.4 (November 2025) and later
 
CVE-2026-2753 – Absolute Path Traversal Vulnerability
Affected version: 4.12.0.3
Fixed version: 4.14.1.2 (December 2024) and later
 
CVE-2026-2754 – Information Disclosure Vulnerability
Affected version: 4.12.0.3
Fixed version: 4.16.2.4 (November 2025) and later
 
Customer Impact and Mitigation
NAVTOR has contacted affected customers individually. Customers with an active, online NavBox have been patched since December 2024 for CVE-2026-2753 and since November 2025 for CVE-2026-2752 and CVE-2026-2754. NavBoxes with an active online connection are automatically kept up to date with the latest version.
 
Acknowledgment
NAVTOR thanks Cydome for the responsible disclosure.
 
Scope Note
This vendor statement addresses CVE-2026-2752 / CVE-2026-2753 / CVE-2026-2754.
