Skip to main content

GridTime 3000 CVE-2026-12621

| EUVDEUVD-2026-38040 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-19 Microchip GHSA-pqrf-vgj8-cvrm
5.3
CVSS 4.0 · Vendor: Microchip
Share

Severity by source

Vendor (Microchip) PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.4 MEDIUM

Network-accessible web UI, low-privilege auth required, and XSS impact requires a victim user to load the poisoned page (UI:R), with scope change to victim's browser context (S:C).

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Microchip).

CVSS VectorVendor: Microchip

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 19, 2026 - 16:32 vuln.today

DescriptionCVE.org

Improper neutralization of input during web page generation XSS vulnerability in the GridTime 3000 (password reset form) allows XSS. This issue affects GridTime 3000: from 1.0r0.03 before 1.2r0.0.

AnalysisAI

DOM-based cross-site scripting in Microchip's GridTime 3000 GNSS Time Server allows an authenticated attacker to inject malicious JavaScript through the device's password reset form, executing arbitrary script in the browser context of any user who subsequently loads the affected page. The vulnerability spans versions 1.0r0.03 through all releases before 1.2r0.0. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Authenticate to GridTime 3000 web UI with low-privilege credentials
Delivery
Navigate to password reset form
Exploit
Submit crafted DOM XSS payload as form input
Install
Payload stored or reflected in page DOM
C2
Administrator loads affected page
Execute
Malicious script executes in admin's browser
Impact
Session token or credentials exfiltrated

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid low-privilege authenticated session on the GridTime 3000 web management interface - unauthenticated exploitation is not supported by the CVSS 4.0 vector (PR:L). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 base score of 5.3 (Medium) reflects a bounded real-world risk profile. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with low-privilege authenticated access to the GridTime 3000 web interface crafts a malicious payload and submits it through the password reset form; the DOM processes and renders the unsanitized input. When a higher-privileged administrator subsequently loads the affected page, the injected script executes in their browser context, potentially exfiltrating session tokens or performing privileged actions on the device. …
Remediation Upgrade GridTime 3000 firmware to version 1.2r0.0 or later, as specified by Microchip's advisory at https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/gridtime-3000-gnss-time-server-dom-xss. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-12621 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy