Skip to main content

ScadaBR EUVDEUVD-2026-33029

| CVE-2026-9646 MEDIUM
Basic XSS (CWE-80)
2026-05-28 tenable GHSA-2phh-vpwq-x849
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 28, 2026 - 21:20 vuln.today

DescriptionCVE.org

A reflected cross-site scripting issue exists in URL handling.

AnalysisAI

Reflected cross-site scripting in ScadaBR's URL handling allows unauthenticated remote attackers to inject and execute arbitrary JavaScript in a victim's browser session when the victim clicks a crafted link targeting the ScadaBR web interface. The vulnerability carries a CVSS 6.1 score with Scope:Changed, meaning injected scripts execute in a security context that can affect resources beyond the originating ScadaBR page - particularly significant given ScadaBR's role as a web-based SCADA platform managing industrial control systems. No public exploit code has been identified and it is not listed in the CISA KEV catalog at time of analysis, but the ICS/OT deployment context amplifies the potential operational impact of credential theft or session hijacking.

Technical ContextAI

ScadaBR is an open-source, browser-based SCADA (Supervisory Control and Data Acquisition) system used in industrial and operational technology environments. The vulnerability is classified as CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page), a basic reflected XSS variant where user-supplied input embedded in URL parameters is echoed back into the HTTP response without adequate sanitization or output encoding. The CVSS Scope:Changed (S:C) designation indicates the injected script can access or influence resources outside the ScadaBR application origin, such as cookies or data belonging to co-hosted systems in the same browser session. The CPE string cpe:2.3:a:scadabr:scadabr:*:*:*:*:*:*:*:* uses a full wildcard on the version component, indicating all known ScadaBR releases are affected. Tenable Research documented this in advisory TRA-2026-46.

RemediationAI

No vendor-released patched version has been identified in the available data; the CPE wildcard and absence of a fix version in the Tenable advisory reference mean a specific upgrade target cannot be confirmed at this time. Consult https://www.tenable.com/security/research/tra-2026-46 directly for vendor patch status updates. As compensating controls, restrict ScadaBR web interface access to trusted internal network segments or VPN only - this reduces the attacker's ability to deliver crafted URLs to operators via external channels. Implement a web application firewall rule to detect and block reflected XSS patterns in URL parameters directed at the ScadaBR application paths. Enforce strict Content Security Policy (CSP) headers at the network or reverse proxy layer where feasible, accepting that operator-configured ScadaBR functionality may be partially disrupted. Educate operators to treat unsolicited URLs to the ScadaBR interface with suspicion. Do not expose ScadaBR directly to the internet.

Share

EUVD-2026-33029 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy