Skip to main content

ITS Intelligent SCADA CVE-2026-10057

| EUVDEUVD-2026-33267 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-29 twcert GHSA-5xvm-fxg9-2pfx
4.8
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
4.8 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
P
Scope
X

Lifecycle Timeline

1
Analysis Generated
May 29, 2026 - 09:17 vuln.today

DescriptionCVE.org

ITS Intelligent SCADA System developed by ITP Technology has a Stored Cross-Site Scripting vulnerability, allowing privileged remote attackers to inject persistent JavaScript codes that are executed in users' browsers upon page load.

AnalysisAI

Stored Cross-Site Scripting in ITP Technology's ITS Intelligent SCADA System enables privileged remote attackers to inject persistent JavaScript payloads into the application that execute automatically in other users' browsers upon page load. Affected are all versions per CPE data (cpe:2.3:a:itp_technology:its_intelligent_scada_system:*:*:*:*:*:*:*:*), meaning the entire product line carries this exposure. This vulnerability is not confirmed actively exploited (CISA KEV), no public exploit code has been identified, and EPSS data was not provided in available intelligence.

Technical ContextAI

The ITS Intelligent SCADA System by ITP Technology is an industrial control and monitoring platform with a web-based interface. CWE-79 (Improper Neutralization of Input During Web Page Generation) identifies the root cause: user-supplied input is stored server-side and later rendered in the browser without adequate output encoding or sanitization. The CVSS vector's Changed Scope (S:C) component is technically significant here - it confirms that the injected script executes in the security context of victim users' browsers, not the attacker's session, enabling cross-context impact. The CPE string cpe:2.3:a:itp_technology:its_intelligent_scada_system:*:*:*:*:*:*:*:* covers all versions with no floor or ceiling, indicating no version of the product has been confirmed safe. SCADA web interfaces are particularly sensitive targets because operators and engineers routinely interact with dashboards under high-trust assumptions.

RemediationAI

Consult the vendor advisory published by TWCERT at https://www.twcert.org.tw/en/cp-139-10942-2b78b-2.html for official patch guidance, as no specific fixed version number was confirmed in the available intelligence - vendor-released patch status per advisory should be verified directly with ITP Technology. In the absence of a confirmed patch, defenders should apply compensating controls: restrict access to the SCADA web interface to the minimum required administrative accounts using network-level ACLs or VPN segmentation, since reducing the pool of principals with PR:H access directly shrinks the attacker surface. Implementing a Content Security Policy (CSP) header with a strict script-src directive on the web interface would block or significantly degrade stored XSS payload execution, though this may require application-level changes. Audit all stored user-controllable fields in the application for output encoding gaps, and monitor browser-side anomalies such as unexpected script loads or outbound connections from operator workstations accessing the SCADA interface.

Share

CVE-2026-10057 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy