Description
A security vulnerability has been detected in Radware Cyber Controller up to 10.11.0. This affects an unknown part of the component HTML Report Generation. The manipulation leads to HTML injection. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-06-21
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the Radware Cyber Controller, present in all releases up to 10.11.0, permits an attacker to inject arbitrary HTML into the reports it generates. The vulnerability is identified as HTML injection (CWE‑74) and results in client‑side script execution (CWE‑80). Remote users can trigger the defect through the report‑generation API. While the CVE description does not specify authentication requirements, it is inferred that the endpoint may be reachable without credentials, but this inference is not confirmed. The CVE description notes that an exploit has been disclosed publicly and may be used, indicating that attackers have a working exploit available. This can lead to session hijacking, data theft, or defacement of the reporting interface.

Affected Systems

Systems running Radware Cyber Controller versions 10.11.0 or earlier host the vulnerable component. The exact module within the platform is unspecified, but the issue resides in the HTML Report Generation functionality accessible via the web API.

Risk and Exploitability

The CVSS base score of 5.1 indicates a moderate overall risk. The EPSS data is unavailable, and the vulnerability is not listed in the CISA KEV catalog. However, the CVE description notes that an exploit has been disclosed publicly and may be used, implying that attackers have access to a working exploit. The flaw requires only network access to the report‑generation endpoint; authentication requirements are not explicitly stated, and it is inferred that the endpoint may be reachable without credentials, but this inference is not guaranteed. Because the vulnerability allows client‑side script execution when a crafted report is viewed, the impact is primarily on users who open the report, and can be mitigated by restricting access to the endpoint or applying defensive coding measures.

Generated by OpenCVE AI on June 22, 2026 at 00:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • If a vendor‑issued patch or newer release correcting the HTML injection flaw is available, upgrade the Radware Cyber Controller to that version immediately.
  • Until a patch is applied, restrict network access to the report‑generation API so that only trusted, authenticated users can invoke it. Use firewall rules or network segmentation to enforce this limit.
  • Apply defensive coding controls to the report generation process: escape or remove all markup from user‑supplied content, enforce a strict content‑security‑policy header that blocks inline scripts, and consider rendering reports to plain‑text or PDF instead of raw HTML.

Generated by OpenCVE AI on June 22, 2026 at 00:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 21 Jun 2026 22:30:00 +0000

Type Values Removed Values Added
Description A security vulnerability has been detected in Radware Cyber Controller up to 10.11.0. This affects an unknown part of the component HTML Report Generation. The manipulation leads to HTML injection. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title Radware Cyber Controller HTML Report Generation HTML injection
First Time appeared Radware
Radware cyber Controller
Weaknesses CWE-74
CWE-80
CPEs cpe:2.3:a:radware:cyber_controller:*:*:*:*:*:*:*:*
Vendors & Products Radware
Radware cyber Controller
References
Metrics cvssV2_0

{'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 3.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Radware Cyber Controller
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-23T14:19:25.861Z

Reserved: 2026-06-21T05:57:44.326Z

Link: CVE-2026-12812

cve-icon Vulnrichment

Updated: 2026-06-23T14:02:08.149Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T21:03:48Z

Weaknesses
  • CWE-74

    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • CWE-80

    Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)