A security flaw has been discovered in Flycatcher Toys smART Pixelator 2.0. Affected by this issue is some unknown functionality of the component Bluetooth Low Energy Interface. Performing a manipulation results in missing authentication. The attack can only be performed from the local network. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
PUBLISHED5.2CWE-306CWE-287
Flycatcher Toys smART Pixelator Bluetooth Low Energy missing authentication
Problem type
Affected products
Flycatcher Toys
smART Pixelator
2.0 - AFFECTED
References
VDB-344632 | Flycatcher Toys smART Pixelator Bluetooth Low Energy missing authentication
https://vuldb.com/?id.344632
VDB-344632 | CTI Indicators (IOB, IOC)
https://vuldb.com/?ctiid.344632
Submit #745129 | Flycatcher Toys smART Pixelator 2.0 2.0 Missing Authentication
https://vuldb.com/?submit.745129
github.com
https://github.com/davidrxchester/smart-pixelator-upload
github.com
https://github.com/davidrxchester/smart-pixelator-upload/blob/main/poc.py
GitHub Security Advisories
GHSA-2fvm-f59j-qxw9
A security flaw has been discovered in Flycatcher Toys smART Pixelator 2.0. Affected by this...
https://github.com/advisories/GHSA-2fvm-f59j-qxw9A security flaw has been discovered in Flycatcher Toys smART Pixelator 2.0. Affected by this issue is some unknown functionality of the component Bluetooth Low Energy Interface. Performing a manipulation results in missing authentication. The attack can only be performed from the local network. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
nvd.nist.gov
https://nvd.nist.gov/vuln/detail/CVE-2026-2065
github.com
https://github.com/davidrxchester/smart-pixelator-upload
github.com
https://github.com/davidrxchester/smart-pixelator-upload/blob/main/poc.py
vuldb.com
https://vuldb.com/?ctiid.344632
vuldb.com
https://vuldb.com/?id.344632
vuldb.com
https://vuldb.com/?submit.745129
github.com
https://github.com/advisories/GHSA-2fvm-f59j-qxw9
JSON source
https://cveawg.mitre.org/api/cve/CVE-2026-2065Click to expand
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2026-2065",
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"dateUpdated": "2026-02-06T20:15:29.465Z",
"dateReserved": "2026-02-06T06:56:14.457Z",
"datePublished": "2026-02-06T20:02:07.016Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB",
"dateUpdated": "2026-02-06T20:02:07.016Z"
},
"title": "Flycatcher Toys smART Pixelator Bluetooth Low Energy missing authentication",
"descriptions": [
{
"lang": "en",
"value": "A security flaw has been discovered in Flycatcher Toys smART Pixelator 2.0. Affected by this issue is some unknown functionality of the component Bluetooth Low Energy Interface. Performing a manipulation results in missing authentication. The attack can only be performed from the local network. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"affected": [
{
"vendor": "Flycatcher Toys",
"product": "smART Pixelator",
"modules": [
"Bluetooth Low Energy Interface"
],
"versions": [
{
"version": "2.0",
"status": "affected"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "Missing Authentication",
"cweId": "CWE-306",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"lang": "en",
"description": "Improper Authentication",
"cweId": "CWE-287",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://vuldb.com/?id.344632",
"name": "VDB-344632 | Flycatcher Toys smART Pixelator Bluetooth Low Energy missing authentication",
"tags": [
"vdb-entry"
]
},
{
"url": "https://vuldb.com/?ctiid.344632",
"name": "VDB-344632 | CTI Indicators (IOB, IOC)",
"tags": [
"signature",
"permissions-required"
]
},
{
"url": "https://vuldb.com/?submit.745129",
"name": "Submit #745129 | Flycatcher Toys smART Pixelator 2.0 2.0 Missing Authentication",
"tags": [
"third-party-advisory"
]
},
{
"url": "https://github.com/davidrxchester/smart-pixelator-upload",
"tags": [
"related"
]
},
{
"url": "https://github.com/davidrxchester/smart-pixelator-upload/blob/main/poc.py",
"tags": [
"exploit"
]
}
],
"metrics": [
{},
{
"cvssV3_1": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"baseScore": 6.3,
"baseSeverity": "MEDIUM"
}
},
{
"cvssV3_0": {
"version": "3.0",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"baseScore": 6.3,
"baseSeverity": "MEDIUM"
}
},
{
"cvssV2_0": {
"version": "2.0",
"vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"baseScore": 5.8
}
}
],
"timeline": [
{
"time": "2026-02-06T00:00:00.000Z",
"lang": "en",
"value": "Advisory disclosed"
},
{
"time": "2026-02-06T01:00:00.000Z",
"lang": "en",
"value": "VulDB entry created"
},
{
"time": "2026-02-06T08:01:45.000Z",
"lang": "en",
"value": "VulDB entry last update"
}
],
"credits": [
{
"lang": "en",
"value": "davidrochester (VulDB User)",
"type": "reporter"
}
]
},
"adp": [
{
"providerMetadata": {
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP",
"dateUpdated": "2026-02-06T20:15:29.465Z"
},
"title": "CISA ADP Vulnrichment",
"metrics": [
{}
]
}
]
}
}