CVE-2026-9509 | Suprema BioStar 2 2.9.8/2.9.10/2.9.11 /api/migration uncaught exception

A remote, unauthenticated denial-of-service vulnerability (CVE-2026-9509) affecting Suprema BioStar 2 Server versions 2.9.8, 2.9.10, and 2.9.11 was reported; sending crafted HTTP POST requests to the /api/migration endpoint triggers an uncaught exception that halts critical services and leaves access control systems offline until manual restart. Technical details are published by the researcher (Jordi Garcia Ribera) and advisory (incibe.es); exploitation is described as trivial to automate but no public exploit or mitigations are documented.