Skip to main content

Sustainable Irrigation Platform CVE-2026-58475

| EUVDEUVD-2026-43681 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-14 VulnCheck GHSA-fjj7-xvgh-3jwr
5.3
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.1 MEDIUM

Network-exploitable stored XSS with no auth required (PR:N, AC:L); scope change as payload executes in victims' browsers (S:C); limited confidentiality and integrity loss via session theft; no availability impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jul 14, 2026 - 14:48 vuln.today
CVE Published
Jul 14, 2026 - 14:19 cve.org
MEDIUM 5.3

DescriptionCVE.org

Sustainable Irrigation Platform (SIP) through version 5.2.16 contains a stored cross-site scripting vulnerability that allows unauthenticated attackers to inject arbitrary JavaScript by supplying malicious script payloads within program names submitted via HTTP requests. Attackers can exploit the lack of output encoding on rendered program names to execute arbitrary JavaScript in the browsers of any users viewing the affected page, with exploitation facilitated by the absence of a required passphrase or the default passphrase 'opendoor'.

AnalysisAI

Stored cross-site scripting in Sustainable Irrigation Platform (SIP) through version 5.2.16 enables unauthenticated remote attackers to permanently inject arbitrary JavaScript by submitting crafted program names via HTTP requests, with the payload executing in every subsequent viewer's browser. Exploitation is significantly facilitated by the application's acceptance of submissions with no passphrase configured or using the default passphrase 'opendoor', removing any authentication barrier in common deployments. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify internet-exposed SIP with default/absent passphrase
Delivery
Submit HTTP request with script-bearing program name
Exploit
Payload stored in SIP application database
Execution
Legitimate user navigates to program listing page
Persist
Injected JavaScript executes in victim browser
Impact
Exfiltrate session token or credentials to attacker

Vulnerability AssessmentAI

Exploitation Exploitation of the injection phase requires the target SIP instance to accept program submissions with either no passphrase configured or the default passphrase 'opendoor' - both conditions are explicitly cited in the vulnerability description as enabling unauthenticated HTTP submission. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 5.3 (Medium) accurately reflects the limited per-system impact: VC:N/VI:N/VA:N indicates the vulnerable system's server-side assets are not directly compromised, while SC:L/SI:L captures the limited but real browser-session impact on users who view the affected page. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker identifies a publicly reachable SIP instance using the default 'opendoor' passphrase, then submits an HTTP request creating a program entry whose name field contains a JavaScript payload designed to exfiltrate session cookies to an attacker-controlled server. Every legitimate operator or user who subsequently navigates to the SIP program listing page silently executes the injected script in their browser, transmitting their session identifiers to the attacker and enabling account takeover. …
Remediation No vendor-released patched version has been confirmed in the available intelligence data; defenders should monitor the ZeroScience advisory at https://www.zeroscience.mk/#/advisories/ZSL-2026-5994 and the VulnCheck advisory at https://www.vulncheck.com/advisories/sustainable-irrigation-platform-stored-xss-via-program-name for patch availability. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-58475 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy