Description
Cross Site Scripting vulnerability in Advantech WebAccess/SCADA 8.0-2015.08.16 allows a remote attacker to obtain sensitive information via the decryption field in the Create New Project User component
Published: 2026-05-22
Score: 6.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The CVE describes a cross-site scripting flaw in the decryption field of the Create New Project User component within Advantech WebAccess/SCADA 8.0-2015.08.16. A remote attacker can inject malicious script that is executed in the victim's browser, potentially allowing the attacker to read or exfiltrate sensitive information. The weakness is classified as CWE-79 (improper neutralization of input during web page generation).

Affected Systems

Advantech WebAccess/SCADA 8.0‑2015.08.16 is the only affected version recorded. No other vendor or product information is available in the CVE data.

Risk and Exploitability

The likely attack vector is via the web interface, entering malicious input into the decryption field of the Create New Project User component. It is inferred that the vulnerability could be triggered without prior authentication if the component is publicly reachable. The absence of an EPSS score and the lack of listing in the CISA KEV catalog suggest that no publicly documented exploits are known, but the XSS nature poses a significant risk to exposed systems. The CVSS score of 6.1 indicates moderate severity. The risk level should be considered moderate to high until a vendor patch is applied.

Generated by OpenCVE AI on May 22, 2026 at 19:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Advantech WebAccess/SCADA patch that fixes the XSS vulnerability in the decryption field of the Create New Project User component.
  • If a patch is not yet available, temporarily restrict or disable access to the Create New Project User component until the vulnerability is resolved.
  • Implement server‑side input validation and proper output encoding for the decryption field to mitigate XSS risks until an official fix is applied.



Advisories

No advisories yet.

History

Fri, 22 May 2026 20:15:00 +0000

Type | Values Removed | Values Added
Title | (none) | Cross-Site Scripting in Advantech WebAccess/SCADA Decryption Field Enables Sensitive Data Disclosure
First Time appeared | (none) | Advantech; Advantech webaccess/scada
Vendors & Products | (none) | Advantech; Advantech webaccess/scada

Fri, 22 May 2026 18:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | (none) | CWE-79
Metrics | (none) | cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}; ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 22 May 2026 17:15:00 +0000

Type | Values Removed | Values Added
Description | (none) | Cross Site Scripting vulnerability in Advantech WebAccess/SCADA 8.0-2015.08.16 allows a remote attacker to obtain sensitive information via the decryption field in the Create New Project User component
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-22T17:33:38.680Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-36226

Vulnrichment

Updated: 2026-05-22T17:33:34.508Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-22T20:00:13Z

Weaknesses