Skip to main content

ScadaBR CVE-2026-9645

| EUVDEUVD-2026-33028 CRITICAL
OS Command Injection (CWE-78)
2026-05-28 tenable GHSA-jqp5-9296-xf42
9.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
May 28, 2026 - 21:20 vuln.today

DescriptionCVE.org

Exposed methods allow authenticated users to create and execute arbitrary JavaScript code on the server. The scripts execute with full access, enabling complete system compromise as commands are executed as root.

AnalysisAI

Remote code execution in ScadaBR allows authenticated users to abuse exposed server-side methods to create and execute arbitrary JavaScript that runs as root, resulting in full host compromise. The CVSS 9.9 rating reflects scope change and complete confidentiality, integrity, and availability impact, and no public exploit is identified at time of analysis despite the issue being formally reported by Tenable Research (TRA-2026-46).

Technical ContextAI

ScadaBR is an open-source SCADA/HMI platform used to monitor and control industrial processes, written in Java and typically deployed as a web application. The CWE-78 (OS Command Injection) classification points to insufficient input sanitization on application-exposed scripting endpoints: the platform legitimately exposes a server-side JavaScript execution facility, but trusts authenticated callers with arbitrary script bodies that the JavaScript engine then evaluates with the privileges of the host process. Because ScadaBR is commonly run as the root user on Linux deployments, code executed through this scripting surface inherits root-level access to the underlying OS, allowing transition from a web-tier compromise to a full host takeover. The single affected CPE 'cpe:2.3:a:scadabr:scadabr:*:*:*:*:*:*:*:*' indicates all known versions are in scope until a fix is published.

RemediationAI

No vendor-released patch identified at time of analysis, and no fix version is cited in the supplied data, so the primary action is to consult the Tenable advisory at https://www.tenable.com/security/research/tra-2026-46 and the upstream ScadaBR project for an updated build before deploying anywhere reachable from untrusted networks. Compensating controls: restrict ScadaBR's web interface to a management VLAN or VPN so that obtaining 'authenticated user' status is itself gated (trade-off: breaks any remote operator workflows); audit and remove non-essential user accounts and strictly limit scripting/administrative roles to a minimum (trade-off: may interfere with operators who legitimately author scripts); run the ScadaBR JVM under a dedicated unprivileged service account inside a container or systemd unit with NoNewPrivileges and a read-only root filesystem (trade-off: requires re-testing process integrations and write paths); and add WAF/reverse-proxy rules blocking POSTs to the scripting endpoints exposed by the application until a fix is available (trade-off: legitimate script management will fail until rules are revoked).

Share

CVE-2026-9645 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy