Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-exploitable stored XSS with no auth required (PR:N, AC:L); scope change as payload executes in victims' browsers (S:C); limited confidentiality and integrity loss via session theft; no availability impact.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Sustainable Irrigation Platform (SIP) through version 5.2.16 contains a stored cross-site scripting vulnerability that allows unauthenticated attackers to inject arbitrary JavaScript by supplying malicious script payloads within program names submitted via HTTP requests. Attackers can exploit the lack of output encoding on rendered program names to execute arbitrary JavaScript in the browsers of any users viewing the affected page, with exploitation facilitated by the absence of a required passphrase or the default passphrase 'opendoor'.
AnalysisAI
Stored cross-site scripting in Sustainable Irrigation Platform (SIP) through version 5.2.16 enables unauthenticated remote attackers to permanently inject arbitrary JavaScript by submitting crafted program names via HTTP requests, with the payload executing in every subsequent viewer's browser. Exploitation is significantly facilitated by the application's acceptance of submissions with no passphrase configured or using the default passphrase 'opendoor', removing any authentication barrier in common deployments. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation of the injection phase requires the target SIP instance to accept program submissions with either no passphrase configured or the default passphrase 'opendoor' - both conditions are explicitly cited in the vulnerability description as enabling unauthenticated HTTP submission. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 5.3 (Medium) accurately reflects the limited per-system impact: VC:N/VI:N/VA:N indicates the vulnerable system's server-side assets are not directly compromised, while SC:L/SI:L captures the limited but real browser-session impact on users who view the affected page. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker identifies a publicly reachable SIP instance using the default 'opendoor' passphrase, then submits an HTTP request creating a program entry whose name field contains a JavaScript payload designed to exfiltrate session cookies to an attacker-controlled server. Every legitimate operator or user who subsequently navigates to the SIP program listing page silently executes the injected script in their browser, transmitting their session identifiers to the attacker and enabling account takeover. … |
| Remediation | No vendor-released patched version has been confirmed in the available intelligence data; defenders should monitor the ZeroScience advisory at https://www.zeroscience.mk/#/advisories/ZSL-2026-5994 and the VulnCheck advisory at https://www.vulncheck.com/advisories/sustainable-irrigation-platform-stored-xss-via-program-name for patch availability. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Remote command injection in the Sustainable Irrigation Platform (SIP) through version 5.2.16 lets unauthenticated or CSR
Configuration tampering in the Sustainable Irrigation Platform (SIP) through version 5.2.16 lets remote unauthenticated
Arbitrary file write in Sustainable Irrigation Platform (SIP) through 5.2.16 lets remote attackers plant JSON files outs
Cross-site request forgery in the Sustainable Irrigation Platform (SIP) through 5.2.16 lets remote attackers execute sta
Server-side request forgery in Sustainable Irrigation Platform (SIP) through version 5.2.16 allows unauthenticated netwo
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43681
GHSA-fjj7-xvgh-3jwr