Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Exposed methods allow authenticated users to create and execute arbitrary JavaScript code on the server. The scripts execute with full access, enabling complete system compromise as commands are executed as root.
AnalysisAI
Remote code execution in ScadaBR allows authenticated users to abuse exposed server-side methods to create and execute arbitrary JavaScript that runs as root, resulting in full host compromise. The CVSS 9.9 rating reflects scope change and complete confidentiality, integrity, and availability impact, and no public exploit is identified at time of analysis despite the issue being formally reported by Tenable Research (TRA-2026-46).
Technical ContextAI
ScadaBR is an open-source SCADA/HMI platform used to monitor and control industrial processes, written in Java and typically deployed as a web application. The CWE-78 (OS Command Injection) classification points to insufficient input sanitization on application-exposed scripting endpoints: the platform legitimately exposes a server-side JavaScript execution facility, but trusts authenticated callers with arbitrary script bodies that the JavaScript engine then evaluates with the privileges of the host process. Because ScadaBR is commonly run as the root user on Linux deployments, code executed through this scripting surface inherits root-level access to the underlying OS, allowing transition from a web-tier compromise to a full host takeover. The single affected CPE 'cpe:2.3:a:scadabr:scadabr:*:*:*:*:*:*:*:*' indicates all known versions are in scope until a fix is published.
RemediationAI
No vendor-released patch identified at time of analysis, and no fix version is cited in the supplied data, so the primary action is to consult the Tenable advisory at https://www.tenable.com/security/research/tra-2026-46 and the upstream ScadaBR project for an updated build before deploying anywhere reachable from untrusted networks. Compensating controls: restrict ScadaBR's web interface to a management VLAN or VPN so that obtaining 'authenticated user' status is itself gated (trade-off: breaks any remote operator workflows); audit and remove non-essential user accounts and strictly limit scripting/administrative roles to a minimum (trade-off: may interfere with operators who legitimately author scripts); run the ScadaBR JVM under a dedicated unprivileged service account inside a container or systemd unit with NoNewPrivileges and a read-only root filesystem (trade-off: requires re-testing process integrations and write paths); and add WAF/reverse-proxy rules blocking POSTs to the scripting endpoints exposed by the application until a fix is available (trade-off: legitimate script management will fail until rules are revoked).
OpenPLC ScadaBR through 0.9.1 on Linux and through 1.12.4 on Windows allows remote authenticated users to upload and exe
In ScadaBR version 1.2.0, an OS Command Injection vulnerability could allow an attacker to execute commands as root on t
In ScadaBR version 1.2.0, a Missing Authentication for Critical Function vulnerability could allow an unauthenticated at
In ScadaBR version 1.2.0, a CSRF vulnerability could allow an attacker to trigger any authenticated action through a vic
A cross-site scripting (XSS) vulnerability in the login form (/ScadaBR/login.htm) in ScadaBR 1.0CE allows a remote attac
ScadaBR 1.0CE, and 1.1.x through 1.1.0-RC, has XSS via a request for a nonexistent resource, as demonstrated by the dwr/
OpenPLC ScadaBR through 0.9.1 on Linux and through 1.12.4 on Windows allows stored XSS via system_settings.shtm. Rated m
In ScadaBR version 1.2.0, a Use of Hard-Coded Credentials vulnerability could allow an attacker to access the SCADA syst
Reflected cross-site scripting in ScadaBR's URL handling allows unauthenticated remote attackers to inject and execute a
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33028
GHSA-jqp5-9296-xf42