Scadabr
Monthly
Reflected cross-site scripting in ScadaBR's URL handling allows unauthenticated remote attackers to inject and execute arbitrary JavaScript in a victim's browser session when the victim clicks a crafted link targeting the ScadaBR web interface. The vulnerability carries a CVSS 6.1 score with Scope:Changed, meaning injected scripts execute in a security context that can affect resources beyond the originating ScadaBR page - particularly significant given ScadaBR's role as a web-based SCADA platform managing industrial control systems. No public exploit code has been identified and it is not listed in the CISA KEV catalog at time of analysis, but the ICS/OT deployment context amplifies the potential operational impact of credential theft or session hijacking.
Remote code execution in ScadaBR allows authenticated users to abuse exposed server-side methods to create and execute arbitrary JavaScript that runs as root, resulting in full host compromise. The CVSS 9.9 rating reflects scope change and complete confidentiality, integrity, and availability impact, and no public exploit is identified at time of analysis despite the issue being formally reported by Tenable Research (TRA-2026-46).
In ScadaBR version 1.2.0, a Use of Hard-Coded Credentials vulnerability could allow an attacker to access the SCADA system as admin.
In ScadaBR version 1.2.0, a CSRF vulnerability could allow an attacker to trigger any authenticated action through a victim's session by luring any logged-in user to a malicious webpage.
In ScadaBR version 1.2.0, an OS Command Injection vulnerability could allow an attacker to execute commands as root on the SCADA system.
In ScadaBR version 1.2.0, a Missing Authentication for Critical Function vulnerability could allow an unauthenticated attacker to send a HTTP GET requests to the SCADA system and inject arbitrary sensor readings.
OpenPLC ScadaBR through 0.9.1 on Linux and through 1.12.4 on Windows allows stored XSS via system_settings.shtm. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
OpenPLC ScadaBR through 0.9.1 on Linux and through 1.12.4 on Windows allows remote authenticated users to upload and execute arbitrary JSP files via view_edit.shtm. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
A cross-site scripting (XSS) vulnerability in the login form (/ScadaBR/login.htm) in ScadaBR 1.0CE allows a remote attacker to inject arbitrary web script or HTML via the username or password. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
ScadaBR 1.0CE, and 1.1.x through 1.1.0-RC, has XSS via a request for a nonexistent resource, as demonstrated by the dwr/test/ PATH_INFO. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Reflected cross-site scripting in ScadaBR's URL handling allows unauthenticated remote attackers to inject and execute arbitrary JavaScript in a victim's browser session when the victim clicks a crafted link targeting the ScadaBR web interface. The vulnerability carries a CVSS 6.1 score with Scope:Changed, meaning injected scripts execute in a security context that can affect resources beyond the originating ScadaBR page - particularly significant given ScadaBR's role as a web-based SCADA platform managing industrial control systems. No public exploit code has been identified and it is not listed in the CISA KEV catalog at time of analysis, but the ICS/OT deployment context amplifies the potential operational impact of credential theft or session hijacking.
Remote code execution in ScadaBR allows authenticated users to abuse exposed server-side methods to create and execute arbitrary JavaScript that runs as root, resulting in full host compromise. The CVSS 9.9 rating reflects scope change and complete confidentiality, integrity, and availability impact, and no public exploit is identified at time of analysis despite the issue being formally reported by Tenable Research (TRA-2026-46).
In ScadaBR version 1.2.0, a Use of Hard-Coded Credentials vulnerability could allow an attacker to access the SCADA system as admin.
In ScadaBR version 1.2.0, a CSRF vulnerability could allow an attacker to trigger any authenticated action through a victim's session by luring any logged-in user to a malicious webpage.
In ScadaBR version 1.2.0, an OS Command Injection vulnerability could allow an attacker to execute commands as root on the SCADA system.
In ScadaBR version 1.2.0, a Missing Authentication for Critical Function vulnerability could allow an unauthenticated attacker to send a HTTP GET requests to the SCADA system and inject arbitrary sensor readings.
OpenPLC ScadaBR through 0.9.1 on Linux and through 1.12.4 on Windows allows stored XSS via system_settings.shtm. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
OpenPLC ScadaBR through 0.9.1 on Linux and through 1.12.4 on Windows allows remote authenticated users to upload and execute arbitrary JSP files via view_edit.shtm. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
A cross-site scripting (XSS) vulnerability in the login form (/ScadaBR/login.htm) in ScadaBR 1.0CE allows a remote attacker to inject arbitrary web script or HTML via the username or password. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
ScadaBR 1.0CE, and 1.1.x through 1.1.0-RC, has XSS via a request for a nonexistent resource, as demonstrated by the dwr/test/ PATH_INFO. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.