Skip to main content

Scadabr

10 CVEs product

Monthly

CVE-2026-9646 MEDIUM This Month

Reflected cross-site scripting in ScadaBR's URL handling allows unauthenticated remote attackers to inject and execute arbitrary JavaScript in a victim's browser session when the victim clicks a crafted link targeting the ScadaBR web interface. The vulnerability carries a CVSS 6.1 score with Scope:Changed, meaning injected scripts execute in a security context that can affect resources beyond the originating ScadaBR page - particularly significant given ScadaBR's role as a web-based SCADA platform managing industrial control systems. No public exploit code has been identified and it is not listed in the CISA KEV catalog at time of analysis, but the ICS/OT deployment context amplifies the potential operational impact of credential theft or session hijacking.

XSS Scadabr
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-9645 CRITICAL Act Now

Remote code execution in ScadaBR allows authenticated users to abuse exposed server-side methods to create and execute arbitrary JavaScript that runs as root, resulting in full host compromise. The CVSS 9.9 rating reflects scope change and complete confidentiality, integrity, and availability impact, and no public exploit is identified at time of analysis despite the issue being formally reported by Tenable Research (TRA-2026-46).

Command Injection Scadabr
NVD VulDB
CVSS 3.1
9.9
EPSS
0.0%
CVE-2026-8605 MEDIUM CISA This Month

In ScadaBR version 1.2.0, a Use of Hard-Coded Credentials vulnerability could allow an attacker to access the SCADA system as admin.

Authentication Bypass Scadabr
NVD
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-8604 HIGH CISA Act Now

In ScadaBR version 1.2.0, a CSRF vulnerability could allow an attacker to trigger any authenticated action through a victim's session by luring any logged-in user to a malicious webpage.

CSRF Scadabr
NVD
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-8603 HIGH CISA Act Now

In ScadaBR version 1.2.0, an OS Command Injection vulnerability could allow an attacker to execute commands as root on the SCADA system.

Command Injection Scadabr
NVD
CVSS 4.0
8.7
EPSS
0.6%
CVE-2026-8602 HIGH CISA Act Now

In ScadaBR version 1.2.0, a Missing Authentication for Critical Function vulnerability could allow an unauthenticated attacker to send a HTTP GET requests to the SCADA system and inject arbitrary sensor readings.

Authentication Bypass Scadabr
NVD
CVSS 4.0
8.8
EPSS
0.1%
CVE-2021-26829 MEDIUM POC KEV THREAT This Month

OpenPLC ScadaBR through 0.9.1 on Linux and through 1.12.4 on Windows allows stored XSS via system_settings.shtm. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Microsoft XSS Scadabr
NVD
CVSS 3.1
5.4
EPSS
48.0%
CVE-2021-26828 HIGH POC KEV PATCH THREAT This Week

OpenPLC ScadaBR through 0.9.1 on Linux and through 1.12.4 on Windows allows remote authenticated users to upload and execute arbitrary JSP files via view_edit.shtm. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Microsoft File Upload Scadabr
NVD GitHub
CVSS 3.1
8.8
EPSS
39.1%
CVE-2019-16344 MEDIUM POC This Month

A cross-site scripting (XSS) vulnerability in the login form (/ScadaBR/login.htm) in ScadaBR 1.0CE allows a remote attacker to inject arbitrary web script or HTML via the username or password. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Scadabr
NVD
CVSS 3.1
6.1
EPSS
1.0%
CVE-2019-16321 MEDIUM POC This Month

ScadaBR 1.0CE, and 1.1.x through 1.1.0-RC, has XSS via a request for a nonexistent resource, as demonstrated by the dwr/test/ PATH_INFO. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Scadabr
NVD
CVSS 3.1
6.1
EPSS
0.8%
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected cross-site scripting in ScadaBR's URL handling allows unauthenticated remote attackers to inject and execute arbitrary JavaScript in a victim's browser session when the victim clicks a crafted link targeting the ScadaBR web interface. The vulnerability carries a CVSS 6.1 score with Scope:Changed, meaning injected scripts execute in a security context that can affect resources beyond the originating ScadaBR page - particularly significant given ScadaBR's role as a web-based SCADA platform managing industrial control systems. No public exploit code has been identified and it is not listed in the CISA KEV catalog at time of analysis, but the ICS/OT deployment context amplifies the potential operational impact of credential theft or session hijacking.

XSS Scadabr
NVD VulDB
EPSS 0% CVSS 9.9
CRITICAL Act Now

Remote code execution in ScadaBR allows authenticated users to abuse exposed server-side methods to create and execute arbitrary JavaScript that runs as root, resulting in full host compromise. The CVSS 9.9 rating reflects scope change and complete confidentiality, integrity, and availability impact, and no public exploit is identified at time of analysis despite the issue being formally reported by Tenable Research (TRA-2026-46).

Command Injection Scadabr
NVD VulDB
EPSS 0% CVSS 5.1
MEDIUM This Month

In ScadaBR version 1.2.0, a Use of Hard-Coded Credentials vulnerability could allow an attacker to access the SCADA system as admin.

Authentication Bypass Scadabr
NVD
EPSS 0% CVSS 8.6
HIGH Act Now

In ScadaBR version 1.2.0, a CSRF vulnerability could allow an attacker to trigger any authenticated action through a victim's session by luring any logged-in user to a malicious webpage.

CSRF Scadabr
NVD
EPSS 1% CVSS 8.7
HIGH Act Now

In ScadaBR version 1.2.0, an OS Command Injection vulnerability could allow an attacker to execute commands as root on the SCADA system.

Command Injection Scadabr
NVD
EPSS 0% CVSS 8.8
HIGH Act Now

In ScadaBR version 1.2.0, a Missing Authentication for Critical Function vulnerability could allow an unauthenticated attacker to send a HTTP GET requests to the SCADA system and inject arbitrary sensor readings.

Authentication Bypass Scadabr
NVD
EPSS 48% CVSS 5.4
MEDIUM POC KEV THREAT This Month

OpenPLC ScadaBR through 0.9.1 on Linux and through 1.12.4 on Windows allows stored XSS via system_settings.shtm. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Microsoft XSS Scadabr
NVD
EPSS 39% CVSS 8.8
HIGH POC KEV PATCH THREAT This Week

OpenPLC ScadaBR through 0.9.1 on Linux and through 1.12.4 on Windows allows remote authenticated users to upload and execute arbitrary JSP files via view_edit.shtm. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Microsoft File Upload Scadabr
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM POC This Month

A cross-site scripting (XSS) vulnerability in the login form (/ScadaBR/login.htm) in ScadaBR 1.0CE allows a remote attacker to inject arbitrary web script or HTML via the username or password. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Scadabr
NVD
EPSS 1% CVSS 6.1
MEDIUM POC This Month

ScadaBR 1.0CE, and 1.1.x through 1.1.0-RC, has XSS via a request for a nonexistent resource, as demonstrated by the dwr/test/ PATH_INFO. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Scadabr
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy