Description
Cross Site Scripting vulnerability in iotgateway v.3.0.1 allows a remote attacker to execute arbitrary code via the Log Record Function
Published: 2026-05-11
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A cross‑site scripting flaw exists in the Log Record Function of iotgateway version 3.0.1. The flaw allows an attacker to inject malicious scripts that are executed in the context of the application, effectively giving the attacker the ability to run arbitrary code on the server. The weakness is a classic input validation flaw identified by CWE‑79, and it can be leveraged to compromise confidentiality, integrity, and availability of the affected system.

Affected Systems

The only system explicitly identified in the advisory is the iotgateway application, version 3.0.1. No additional vendor or product information is provided.

Risk and Exploitability

The CVSS score is 6.1, indicating moderate severity. The lack of an EPSS score and absence from the CISA KEV catalog suggest that exploitation activity has not yet been observed or quantified. Nevertheless, because the vulnerability permits remote code execution, the risk is high. Inferred attack vectors include unsanitized input from the web interface that feeds the Log Record Function; an attacker does not need privileged access to exploit the flaw.

Generated by OpenCVE AI on May 11, 2026 at 20:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest iotgateway patch or upgrade to a non‑vulnerable release from the vendor.
  • If a patch is not available, disable the Log Record Function or restrict it to trusted users only to eliminate the vulnerable input surface.
  • Implement robust input validation and output encoding on all data passed to the Log Record Function, following CWE‑79 mitigation guidelines.
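The third recommendation above is the generic CWE-79 mitigation: encode untrusted data at the point where it is written into HTML, regardless of what validation happened upstream. The following is an added example illustrating that step for a web log viewer; it is not code from the advisory or from the iotgateway project, and the record shape, field names (`timestamp`, `level`, `source`, `message`) and the sample record are constructed for illustration.

```javascript
// Added example (not iotgateway code): HTML output encoding for log records
// before they are rendered into a web log viewer. Record shape, field names
// and the sample record are constructed assumptions, not the project's own.

// Encode the five characters that can break out of HTML text or attribute
// context. This is applied at output time, so it holds even when an earlier
// validation step (or a log writer) let markup through.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Render one log record as a table row. Every untrusted field passes through
// escapeHtml; only the surrounding <tr>/<td> markup is trusted.
function renderLogRow(record) {
  const cells = [record.timestamp, record.level, record.source, record.message]
    .map((field) => `<td>${escapeHtml(field)}</td>`);
  return `<tr>${cells.join("")}</tr>`;
}

// Render a whole log table from a list of untrusted records.
function renderLogTable(records) {
  return `<table>${records.map(renderLogRow).join("")}</table>`;
}

// Defensive check for tests/CI: after rendering, the only raw tags allowed are
// the ones the renderer emits itself (table, tr, td). Anything else means an
// untrusted field reached the page unencoded.
function containsUnexpectedTag(html) {
  return /<(?!\/?(table|tr|td)>)[a-zA-Z]/.test(html);
}

// Constructed sample record: the source and message fields carry markup that a
// log writer never legitimately needs to emit.
const sampleRecord = {
  timestamp: "2026-05-11T18:00:00Z",
  level: "WARN",
  source: "device-<b>42</b>",
  message: '<script>alert("xss")</script> connection lost',
};

console.log(renderLogTable([sampleRecord]));
```

Inserting the rendered string with `innerHTML` is then safe because the markup-significant characters from the record have already been encoded; the `containsUnexpectedTag` check is the kind of assertion a regression test for this class of flaw would carry.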

Advisories

No advisories yet.

History

Tue, 12 May 2026 10:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Iioter
                                      Iioter iotgateway
Vendors & Products                    Iioter
                                      Iioter iotgateway

Mon, 11 May 2026 21:00:00 +0000

Type    Values Removed   Values Added
Title                    Remote Code Execution via Cross‑Site Scripting in iotgateway Log Record Function

Mon, 11 May 2026 19:15:00 +0000

Type      Values Removed   Values Added
Metrics                    cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
                           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 11 May 2026 18:00:00 +0000

Type         Values Removed   Values Added
Title                         Remote Code Execution via Cross‑Site Scripting in iotgateway Log Record Function
Weaknesses                    CWE-79

Mon, 11 May 2026 16:30:00 +0000

Type          Values Removed   Values Added
Description                    Cross Site Scripting vulnerability in iotgateway v.3.0.1 allows a remote attacker to execute arbitrary code via the Log Record Function
References

Subscriptions

Iioter Iotgateway
MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-11T18:51:43.783Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-36906

Vulnrichment

Updated: 2026-05-11T18:51:40.147Z

NVD

Status: Deferred

Published: 2026-05-11T17:16:32.313

Modified: 2026-05-12T15:05:31.120

Link: CVE-2026-36906

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T09:23:32Z

Weaknesses