CVE-2026-3502

CVE Database · CVE-2026-3502

CVE-2026-3502

· HIGHAnalyzed

CVSS v3.1

7.8

EPSS

5.75%

Published

Mar 30, 2026

Modified

Apr 3, 2026

CISA Known Exploited Vulnerability

Added: 2026-04-02 · Due: 2026-04-16

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Public PoC / Exploit

All weaponized →

No public PoC or exploit code indexed for this CVE.

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

TrueConf Client downloads application update code and applies it without performing verification. An attacker who is able to influence the update delivery path can substitute a tampered update payload. If the payload is executed or installed by the updater, this may result in arbitrary code execution in the context of the updating process or user.

CVSS Vector

CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L

Weaknesses (CWE)

CWE-494

Affected Products (1)

trueconf · trueconf (up to 8.5.3.884)vulnerable

References (3)

https://trueconf.com/blog/update/trueconf-8-5

ProductRelease Notes

https://research.checkpoint.com/2026/operation-truechaos-0-day-exploitation-against-southeast-asian-government-targets/

Third Party Advisory

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-3502

US Government Resource

KEV Catalog EPSS Scores Vendors All CVEs