Description
CWE-116 Improper Encoding or Escaping of Output vulnerability exists that could cause log injection and forged log when an attacker alters the POST /j_security_check request payload.
Published: 2026-04-14
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Log Injection
Action: Patch
AI Analysis

Impact

Improper encoding or escaping of output occurs when the appliance processes a POST request to the /j_security_check endpoint. An attacker who supplies a crafted payload can inject arbitrary characters into the system logs, forging new log entries or making existing ones misleading. This subverts the integrity of audit trails and can be used to hide malicious activity or to confuse incident response.

Affected Systems

All Schneider Electric PowerChute Serial Shutdown devices may be affected, as the issue is tied to the web interface handling of the /j_security_check endpoint. No specific sub-versions are listed, so any firmware or software update that covers the logging issue should be applied to all deployed units.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity. Exploit probability is not documented, and the vulnerability is not listed in known exploited vulnerability catalogs. The likely attack vector is network‑based: an attacker would need to manipulate the POST request over HTTP/HTTPS directed to the device’s management interface. Successful exploitation only alters log content; it does not provide direct code execution or system compromise.

Generated by OpenCVE AI on April 14, 2026 at 16:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑released firmware or software update that addresses the log‑encoding issue.
  • Restrict network access to the device’s management interface so only trusted administrators can reach it.
  • Monitor audit logs for abnormal or forged entries that may indicate log injection attempts.
  • Follow vendor guidance to ensure input validation and output encoding are correctly applied on the appliance.
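The last two recommendations, output encoding of untrusted fields and monitoring for injection attempts, shown in working form. This is an added illustration written for this page, not Schneider Electric's code, and it assumes nothing about how PowerChute Serial Shutdown actually logs the login request: the log format, the logger names, the `encode_for_log` scheme and the sample username payload are all constructed here.

```python
import io
import logging
import re

# Constructed sample input: a form field the client controls in a login POST.
# The embedded CRLF is what would turn one audit entry into two.
TAINTED_USERNAME = "alice\r\n2026-04-14 16:50:00 INFO login succeeded user=admin"


def encode_for_log(value: str) -> str:
    """Output-encode an untrusted string before it reaches a log line.

    Printable ASCII passes through unchanged; CR, LF, other control
    characters, non-ASCII and the backslash itself are rendered as \\xNN
    or \\uNNNN escapes, so the field can never end or reshape a log entry
    and the encoding is unambiguous to reverse.
    """
    out = []
    for ch in value:
        code = ord(ch)
        if 0x20 <= code <= 0x7E and ch != "\\":
            out.append(ch)
        elif code < 0x100:
            out.append("\\x%02x" % code)
        else:
            out.append("\\u%04x" % code)
    return "".join(out)


def _make_logger(name: str) -> tuple:
    """Logger writing to an in-memory buffer with a typical audit format (assumed)."""
    buf = io.StringIO()
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(asctime)s %(levelname)s %(message)s"))
    logger.addHandler(handler)
    return logger, buf


def log_failed_login_vulnerable(username: str) -> str:
    """CWE-116 pattern: the untrusted field is written to the log verbatim."""
    logger, buf = _make_logger("audit-vulnerable")
    logger.info("login failed user=%s", username)
    return buf.getvalue()


def log_failed_login_hardened(username: str) -> str:
    """Same event, but the field is output-encoded first."""
    logger, buf = _make_logger("audit-hardened")
    logger.info("login failed user=%s", encode_for_log(username))
    return buf.getvalue()


def count_entries(log_text: str) -> int:
    """Number of physical lines, i.e. what a log reviewer or SIEM would see."""
    return len(log_text.splitlines())


# Once fields are encoded, an attempt to smuggle a line break survives as a
# literal \x0d / \x0a escape, which is a high-signal indicator for monitoring.
_INJECTION_MARKER = re.compile(r"\\x0[ad]")


def find_injection_attempts(log_text: str) -> list:
    """Return the encoded log lines that contain an escaped CR or LF."""
    return [line for line in log_text.splitlines() if _INJECTION_MARKER.search(line)]


if __name__ == "__main__":
    vulnerable = log_failed_login_vulnerable(TAINTED_USERNAME)
    print("vulnerable logger produced", count_entries(vulnerable), "entries")
    hardened = log_failed_login_hardened(TAINTED_USERNAME)
    print("hardened logger produced", count_entries(hardened), "entry")
    for line in find_injection_attempts(hardened):
        print("injection attempt recorded:", line)
```

With the raw logger the one failed-login event becomes two lines, the second of which reads like a genuine successful login by another account; with encoding applied the event stays on a single line and the escaped CR/LF is itself the thing to alert on.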


Tracking


Advisories

No advisories yet.

History

Wed, 15 Apr 2026 15:45:00 +0000

Type: Title
Values Removed: (none)
Values Added: Improper Encoding Allows Log Injection in Schneider Electric PowerChute Serial Shutdown

Tue, 14 Apr 2026 17:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 14 Apr 2026 16:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Schneider-electric; Schneider-electric powerchute Serial Shutdown

Type: Vendors & Products
Values Removed: (none)
Values Added: Schneider-electric; Schneider-electric powerchute Serial Shutdown

Tue, 14 Apr 2026 15:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: CWE-116 Improper Encoding or Escaping of Output vulnerability exists that could cause log injection and forged log when an attacker alters the POST /j_security_check request payload.

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-116

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics (cvssV4_0)
Values Removed: (none)
Values Added: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Schneider-electric Powerchute Serial Shutdown
MITRE

Status: PUBLISHED

Assigner: schneider

Published:

Updated: 2026-04-14T16:27:43.927Z

Reserved: 2026-02-12T13:19:03.924Z

Link: CVE-2026-2404

Vulnrichment

Updated: 2026-04-14T16:26:39.366Z

NVD

Status : Received

Published: 2026-04-14T16:16:39.057

Modified: 2026-04-14T16:16:39.057

Link: CVE-2026-2404

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T15:30:06Z

Weaknesses