CVE-2026-12183
CriticalCVSS 9.8Exploitation Probability (EPSS)
Low risk41th percentile — higher than 41% of all known CVEs
Summary
The Nefteprodukttekhnika BUK TS-G Gas Station Automation System versions 2.9.1 through 2.10.2 on Linux contains an Improper Authentication vulnerability in the system configuration module. The /php/ajax-login.php endpoint returns userid=1 (administrator) in response to any HTTP POST request that supplies arbitrary credentials.
Risk Assessment
A remote unauthenticated attacker can invoke any administrative action exposed by the configuration module, leading to serious security risks, including modification of user data and management of gas station devices.
Recommendation
It is recommended to update the system to the latest version that addresses this vulnerability and to implement server-side session validation mechanisms for all administrative endpoints.
Original NVD description (English source)
Nefteprodukttekhnika BUK TS-G Gas Station Automation System 2.9.1 through 2.10.2 on Linux contains an Improper Authentication vulnerability (CWE-287) in the system configuration module. The /php/ajax-login.php endpoint returns userid=1 (administrator) in response to any HTTP POST request that supplies arbitrary credentials (e.g., action=dologin&login=<any_value>&pwd=<any_value>), and subsequent privileged endpoints under /php/ajax-main.php and /modules/* do not validate a server-side session. A remote unauthenticated attacker can invoke any administrative action exposed by the configuration module, including reading and modifying user rules, fuel tank gauges, fuel dispensers, relays, cash registers, bank terminals, fuel cards, price and customer displays, cash collection, and pricing rules.

