Title: Tattile Cameras 1.181.5 Insufficient Token (X-User-Token) Expiration
Advisory ID: ZSL-2026-5976
Type: Local/Remote
Impact: Security Bypass
Risk: (3/5)
Release Date: 24.02.2026

Summary

The application suffers from insufficient session expiration. This issue arises when the web application allows attackers to reuse old session credentials or tokens, increasing exposure to attacks that can steal or reuse user session identifiers.

Vendor

Tattile s.r.l.

Affected Version

Smart+ family: Smart+, Tapping+, Smart+ Speed, Smart+ Traffic Light
Vega family: Axle Counter, Vega 53, Vegas33 & Vega 11
Basic family: Basic MK2
ANPR Mobile
Firmware: 1.181.5

Tested On

lighttpd/1.4.64

Vendor Status

Vulnerability discovered on 22.01.2026
Vendor contacted on 22.01.2026
Vendor responded, asked for account registration details and confirmed a ticket on 23.01.2026
Vendor provided further information on 23.01.2026, some were obtained from the vendor
Worked with the vendor on 26.01.2026
Requested status update on 06.02.2026
Vendor assessed the problem on 10.02.2026
Vendor confirmed the vulnerability and scheduled patch planning in May 2026 on 11.02.2026
Vendor provided other vulnerability details and requested confirmation on 18.02.2026
Vendor confirmed affected models and firmware versions on 20.02.2026
Responded to vendor on 20.02.2026
Vendor reviewed draft advisories on 23.02.2026
Public security advisory released on 24.02.2026

POC

Check attachment:

Credits

Vulnerability discovered by Gjoko Kretic

Changelog

24.02.2026 - Initial release

Contact

Zero Science Lab
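The expiration check that the Summary says is missing, sketched as an added example (not part of the original advisory and not Tattile's code). The class name, the timeout values and the `validate_weak` method are assumptions chosen to model a server that accepts an `X-User-Token` value regardless of its age, beside a validator that enforces idle and absolute limits and honours logout.

```python
import secrets
import time

# Assumed policy values for illustration; the advisory states none.
IDLE_TIMEOUT = 15 * 60           # seconds of inactivity before a token dies
ABSOLUTE_TIMEOUT = 8 * 60 * 60   # maximum lifetime, even for an active session


class TokenStore:
    """Hypothetical server-side table behind an X-User-Token header."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._sessions = {}  # token -> (user, issued_at, last_seen)

    def issue(self, user):
        """Create an unpredictable token at login."""
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[token] = (user, now, now)
        return token

    def revoke(self, token):
        """Logout: forget the token server-side, not only in the browser."""
        self._sessions.pop(token, None)

    def validate_weak(self, token):
        """Models the weakness: a known token is accepted whatever its age."""
        entry = self._sessions.get(token)
        return entry[0] if entry else None

    def validate(self, token):
        """Hardened check: reject and purge idle or over-age tokens."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, issued_at, last_seen = entry
        now = self._clock()
        too_old = now - issued_at > ABSOLUTE_TIMEOUT
        too_idle = now - last_seen > IDLE_TIMEOUT
        if too_old or too_idle:
            del self._sessions[token]  # an expired token can never be replayed
            return None
        # Sliding idle window; issued_at is kept so the absolute cap still applies.
        self._sessions[token] = (user, issued_at, now)
        return user
```

The absolute limit matters as much as the idle one: without it, a captured token that is replayed periodically keeps refreshing itself and never expires.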