Description
CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that could cause unauthorized disclosure of local files, interaction within the EBO system, or denial of service conditions when a local user uploads a specially crafted TGML graphics file to the EBO server from Workstation.
Published: 2026-02-11
Score: 7 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Disclosure of Local Files and Denial of Service
Action: Apply Update
AI Analysis

Impact

This vulnerability is an improper restriction of XML External Entity Reference (CWE-611). When a local user uploads a specially crafted TGML graphics file to the EcoStruxure Building Operation (EBO) server from a workstation, the server processes external XML entities without adequate restriction. This can lead to unauthorized disclosure of local server files, unintended interactions within the EBO system, or even a denial‑of‑service condition. The CVSS score of 7 indicates a high impact potential and moderate difficulty for exploitation based on the information provided.

Affected Systems

Affected systems are Schneider Electric’s EcoStruxure Building Operation Webstation and Workstation. No specific version information is supplied, so all currently deployed versions of these products that handle TGML uploads are potentially exposed.

Risk and Exploitability

The CVSS score of 7 reflects a significant impact if successfully exploited. The EPSS score of less than 1% suggests that, as of now, the likelihood of exploitation is low. Because the attack requires a local user to upload a malicious TGML file, the attack vector is limited to users with access to the workstation. The vulnerability is not listed in CISA’s Known Exploited Vulnerabilities catalog, which further indicates a lower current threat presence.

Generated by OpenCVE AI on April 17, 2026 at 20:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s patch or upgrade whenever an official fix becomes available
  • Disable XML External Entity processing on the EBO server to prevent resolution of external entities
  • Enforce strict validation and whitelisting of TGML files before they are accepted by the server

Generated by OpenCVE AI on April 17, 2026 at 20:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
Title XML External Entity Disclosure in EBO TGML Upload

Wed, 11 Feb 2026 22:15:00 +0000

Type Values Removed Values Added
First Time appeared Schneider-electric
Schneider-electric ecostruxure Building Operation Webstation
Schneider-electric ecostruxure Building Operation Workstation
Vendors & Products Schneider-electric
Schneider-electric ecostruxure Building Operation Webstation
Schneider-electric ecostruxure Building Operation Workstation

Wed, 11 Feb 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 11 Feb 2026 14:00:00 +0000

Type Values Removed Values Added
Description CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that could cause unauthorized disclosure of local files, interaction within the EBO system, or denial of service conditions when a local user uploads a specially crafted TGML graphics file to the EBO server from Workstation.
Weaknesses CWE-611
References
Metrics cvssV4_0

{'score': 7, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Schneider-electric Ecostruxure Building Operation Webstation Ecostruxure Building Operation Workstation
cve-icon MITRE

Status: PUBLISHED

Assigner: schneider

Published:

Updated: 2026-02-11T14:08:24.750Z

Reserved: 2026-01-20T12:38:23.080Z

Link: CVE-2026-1227

cve-icon Vulnrichment

Updated: 2026-02-11T14:08:18.228Z

cve-icon NVD

Status : Deferred

Published: 2026-02-11T14:16:02.117

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1227

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T20:30:15Z

Weaknesses