Skip to main content

ITS Intelligent SCADA EUVDEUVD-2026-33268

| CVE-2026-10058 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-29 twcert GHSA-4v7f-g678-5xwv
4.8
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
4.8 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
P
Scope
X

Lifecycle Timeline

1
Analysis Generated
May 29, 2026 - 09:17 vuln.today

DescriptionCVE.org

ITS Intelligent SCADA System developed by ITP Technology has a Stored Cross-Site Scripting vulnerability, allowing privileged remote attackers to inject persistent JavaScript codes that are executed in users' browsers upon page load.

AnalysisAI

Stored Cross-Site Scripting in ITP Technology's ITS Intelligent SCADA System enables authenticated, high-privileged remote attackers to inject persistent JavaScript payloads that execute in the browsers of other users upon page load. The changed scope (S:C in CVSS) indicates the injected script breaks out of the attacker's session context and affects victim users browsing the same application, potentially enabling session hijacking, credential theft, or lateral movement within the SCADA management interface. No public exploit code has been identified at time of analysis, and no confirmed active exploitation is on record.

Technical ContextAI

The affected product is ITP Technology's ITS Intelligent SCADA System, a web-based industrial control and monitoring platform, identified by CPE cpe:2.3:a:itp_technology:its_intelligent_scada_system:*:*:*:*:*:*:*:*. The wildcard version in the CPE indicates all currently known versions are affected. CWE-79 (Improper Neutralization of Input During Web Page Generation) is the root cause - user-supplied input is stored server-side without adequate sanitization or output encoding, then rendered into HTML pages served to other users, allowing injected script tags or event handlers to execute in victim browsers. SCADA web interfaces are particularly sensitive targets because they may grant access to operational technology controls, alarm panels, or sensor dashboards, amplifying the downstream risk of a successful XSS payload beyond typical enterprise web applications.

RemediationAI

The primary remediation is to apply any vendor-released patch or updated version identified in the TWCERT advisories at https://www.twcert.org.tw/en/cp-139-10942-2b78b-2.html. No specific patched version number is confirmed from the available data; operators must consult the advisory directly to obtain the correct fix version. While awaiting patching, restrict high-privilege SCADA accounts to the minimum necessary personnel and enforce multi-factor authentication on those accounts to raise the bar for an attacker to acquire PR:H access. Implement a Content Security Policy (CSP) header on the SCADA web interface to limit script execution to trusted origins - note this may require testing against existing SCADA UI functionality to avoid breaking legitimate scripts. Review and audit stored input fields (e.g., asset names, alarm descriptions, user-configurable labels) for unsanitized output rendering as an interim measure. Network-segment the SCADA web interface so that only authorized operator workstations can reach it, reducing the pool of users who might trigger the stored payload.

Share

EUVD-2026-33268 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy