Description
CWE‑94: Improper Control of Generation of Code vulnerability exists that could cause execution of untrusted or unintended code within the application when maliciously crafted design content is processed through a TGML graphics file.
Published: 2026-02-11
Score: 7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Immediately
AI Analysis

Impact

An improper control of code generation flaw allows a maliciously crafted TGML graphics file to cause the EcoStruxure Building Operation application to execute unintended code. The vulnerability can lead to arbitrary code execution within the application process, potentially enabling attackers to read or modify data, hijack system controls, or compromise the host whose application generates code from TGML content.

Affected Systems

The affected products are Schneider Electric's EcoStruxure Building Operation Webstation and Workstation. No specific version information is listed, so any deployed instance of these products that processes TGML files may be vulnerable.

Risk and Exploitability

The vulnerability carries a CVSS score of 7, indicating medium-to-high severity. The EPSS score is below 1 % and it is not listed in CISA's KEV catalog, suggesting that exploit activity is not widespread yet. Attackers would exploit the flaw by supplying a crafted TGML file to the application, either via a local user with file‑upload rights or potentially through a remote web interface if that capability exists. Successful exploitation could lead to full execution of untrusted code within the application, entailing significant confidentiality, integrity, and availability risks.

Generated by OpenCVE AI on April 17, 2026 at 20:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a vendor‑provided patch or upgrade to a version that fixes the code‑generation control weakness.
  • Limit the ability to upload or process TGML files to privileged or monitored accounts only.
  • Sandbox or otherwise isolate the code‑generation component so that any executed code runs with minimal privileges.
  • If a patch or isolation is not yet available, monitor for and block the transmission of suspicious TGML files in the network traffic to the application.
  • Consider disabling the TGML graphics feature until a fix is applied if the feature is non‑essential.

Generated by OpenCVE AI on April 17, 2026 at 20:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
Title Malicious TGML File Allows Untrusted Code Execution in EcoStruxure Building Operation

Wed, 11 Feb 2026 22:15:00 +0000

Type Values Removed Values Added
First Time appeared Schneider-electric
Schneider-electric ecostruxure Building Operation Webstation
Schneider-electric ecostruxure Building Operation Workstation
Vendors & Products Schneider-electric
Schneider-electric ecostruxure Building Operation Webstation
Schneider-electric ecostruxure Building Operation Workstation

Wed, 11 Feb 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 11 Feb 2026 14:00:00 +0000

Type Values Removed Values Added
Description CWE‑94: Improper Control of Generation of Code vulnerability exists that could cause execution of untrusted or unintended code within the application when maliciously crafted design content is processed through a TGML graphics file.
Weaknesses CWE-94
References
Metrics cvssV4_0

{'score': 7, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Schneider-electric Ecostruxure Building Operation Webstation Ecostruxure Building Operation Workstation
cve-icon MITRE

Status: PUBLISHED

Assigner: schneider

Published:

Updated: 2026-02-11T14:07:27.708Z

Reserved: 2026-01-20T12:38:21.548Z

Link: CVE-2026-1226

cve-icon Vulnrichment

Updated: 2026-02-11T14:07:23.696Z

cve-icon NVD

Status : Deferred

Published: 2026-02-11T14:16:01.973

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1226

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T20:30:15Z

Weaknesses