Skip to main content

Radware Cyber Controller CVE-2026-12812

| EUVDEUVD-2026-38198 LOW
Basic XSS (CWE-80)
2026-06-21 VulDB GHSA-h822-984p-4x2q
2.0
CVSS 4.0 · Vendor: VulDB

Severity by source

Vendor (VulDB) PRIMARY
2.0 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
3.5 LOW

Low-privilege authentication and victim report-viewing (UI:R) are required; impact is limited to low integrity injection with no confidentiality or availability effect.

3.1 AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulDB).

CVSS VectorVendor: VulDB

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

3
Analysis Generated
Jun 22, 2026 - 06:47 vuln.today
Severity Changed
Jun 21, 2026 - 23:22 NVD
MEDIUM LOW
CVSS changed
Jun 21, 2026 - 23:22 NVD
5.1 (MEDIUM) 2.0 (LOW)

DescriptionCVE.org

A security vulnerability has been detected in Radware Cyber Controller up to 10.11.0. This affects an unknown part of the component HTML Report Generation. The manipulation leads to HTML injection. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

HTML injection in Radware Cyber Controller's HTML Report Generation component allows authenticated remote attackers to embed arbitrary HTML tags - including script-related content - into generated reports, enabling potential cross-site scripting scenarios targeting users who view those reports. All 10.x releases through 10.11.0 are confirmed affected per ENISA EUVD-2026-38198. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate with low-privilege account
Delivery
Inject HTML or script payload into report input field
Exploit
Trigger HTML Report Generation to embed payload
Execution
Distribute or share generated HTML report
Persist
Victim user opens report in browser
Impact
Injected HTML renders and executes in victim's session

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid low-privilege authenticated account on Radware Cyber Controller (PR:L per CVSS 4.0 vector), meaning unauthenticated remote exploitation is not possible. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 base score of 2.0 reflects genuinely low severity: the vector (AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N) requires low-privilege authentication and passive user interaction, with impact limited to low integrity on the vulnerable system and no confidentiality or availability consequences. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated low-privilege user supplies a crafted string - such as an HTML tag or script fragment - into an input field processed by the HTML Report Generation component, causing the malicious markup to be embedded in the resulting report. A second user, potentially an administrator, opens the HTML report in their browser, at which point the injected content renders and executes in that user's browser session, enabling phishing overlays, credential harvesting, or session-context attacks. …
Remediation No vendor-released patch has been identified at time of analysis - Radware did not respond to coordinated disclosure, and no fixed version is referenced in any available source. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-12812 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy