Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
A reflected cross-site scripting issue exists in URL handling.
AnalysisAI
Reflected cross-site scripting in ScadaBR's URL handling allows unauthenticated remote attackers to inject and execute arbitrary JavaScript in a victim's browser session when the victim clicks a crafted link targeting the ScadaBR web interface. The vulnerability carries a CVSS 6.1 score with Scope:Changed, meaning injected scripts execute in a security context that can affect resources beyond the originating ScadaBR page - particularly significant given ScadaBR's role as a web-based SCADA platform managing industrial control systems. No public exploit code has been identified and it is not listed in the CISA KEV catalog at time of analysis, but the ICS/OT deployment context amplifies the potential operational impact of credential theft or session hijacking.
Technical ContextAI
ScadaBR is an open-source, browser-based SCADA (Supervisory Control and Data Acquisition) system used in industrial and operational technology environments. The vulnerability is classified as CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page), a basic reflected XSS variant where user-supplied input embedded in URL parameters is echoed back into the HTTP response without adequate sanitization or output encoding. The CVSS Scope:Changed (S:C) designation indicates the injected script can access or influence resources outside the ScadaBR application origin, such as cookies or data belonging to co-hosted systems in the same browser session. The CPE string cpe:2.3:a:scadabr:scadabr:*:*:*:*:*:*:*:* uses a full wildcard on the version component, indicating all known ScadaBR releases are affected. Tenable Research documented this in advisory TRA-2026-46.
RemediationAI
No vendor-released patched version has been identified in the available data; the CPE wildcard and absence of a fix version in the Tenable advisory reference mean a specific upgrade target cannot be confirmed at this time. Consult https://www.tenable.com/security/research/tra-2026-46 directly for vendor patch status updates. As compensating controls, restrict ScadaBR web interface access to trusted internal network segments or VPN only - this reduces the attacker's ability to deliver crafted URLs to operators via external channels. Implement a web application firewall rule to detect and block reflected XSS patterns in URL parameters directed at the ScadaBR application paths. Enforce strict Content Security Policy (CSP) headers at the network or reverse proxy layer where feasible, accepting that operator-configured ScadaBR functionality may be partially disrupted. Educate operators to treat unsolicited URLs to the ScadaBR interface with suspicion. Do not expose ScadaBR directly to the internet.
OpenPLC ScadaBR through 0.9.1 on Linux and through 1.12.4 on Windows allows remote authenticated users to upload and exe
In ScadaBR version 1.2.0, an OS Command Injection vulnerability could allow an attacker to execute commands as root on t
In ScadaBR version 1.2.0, a Missing Authentication for Critical Function vulnerability could allow an unauthenticated at
In ScadaBR version 1.2.0, a CSRF vulnerability could allow an attacker to trigger any authenticated action through a vic
A cross-site scripting (XSS) vulnerability in the login form (/ScadaBR/login.htm) in ScadaBR 1.0CE allows a remote attac
ScadaBR 1.0CE, and 1.1.x through 1.1.0-RC, has XSS via a request for a nonexistent resource, as demonstrated by the dwr/
Remote code execution in ScadaBR allows authenticated users to abuse exposed server-side methods to create and execute a
OpenPLC ScadaBR through 0.9.1 on Linux and through 1.12.4 on Windows allows stored XSS via system_settings.shtm. Rated m
In ScadaBR version 1.2.0, a Use of Hard-Coded Credentials vulnerability could allow an attacker to access the SCADA syst
Same weakness CWE-80 – Basic XSS
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33029
GHSA-2phh-vpwq-x849