Description
OS command injection in Dashboard Server interface in Universal Robots PolyScope versions prior to 5.21.1 allows unauthenticated attacker to craft commands that will execute code on the robot's OS.
Published: 2026-05-08
Score: 9.8 Critical
EPSS: 1.1% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an OS command injection in the Dashboard Server interface of Universal Robots PolyScope 5. An unauthenticated attacker can craft input that is executed as a system command on the robot, giving full control over the robot’s operating system. This allows arbitrary code execution, compromising confidentiality, integrity, and availability of the robotic system.

Affected Systems

All installations of Universal Robots PolyScope 5 with a version earlier than 5.21.1 are affected.

Risk and Exploitability

The CVSS score of 9.8 indicates critical severity. The EPSS score is 1%, indicating a low but non-zero probability of exploitation, but the lack of an authentication requirement means the vulnerability is exploitable for any user with network access to the Dashboard Server endpoint. The vulnerability is not listed in CISA’s KEV catalog, yet the high CVSS suggests a high likelihood of exploitation in environments where the interface is exposed. The attack vector is external network access to the robot’s Dashboard Server.

Generated by OpenCVE AI on May 8, 2026 at 14:36 UTC.

Remediation

Vendor Solution

Update to version 5.21.1 or later, or disable Dashboard Server interface

OpenCVE Recommended Actions

  • Apply the available patch to version 5.21.1 or later.
  • If immediate update is not possible, disable the Dashboard Server interface to prevent unauthenticated access.
  • Restrict network access to the Dashboard Server port, for example by placing the robot behind a firewall or VPN so that only trusted hosts can reach it.

Generated by OpenCVE AI on May 8, 2026 at 14:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 08 May 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 08 May 2026 12:15:00 +0000

Type Values Removed Values Added
Description OS command injection in Dashboard Server interface in Universal Robots PolyScope versions prior to 5.21.1 allows unauthenticated attacker to craft commands that will execute code on the robot's OS.
Title Command injection in Dashboard Server interface
Weaknesses CWE-78
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: TRO

Published:

Updated: 2026-05-08T12:47:12.421Z

Reserved: 2026-05-08T08:20:00.514Z

Link: CVE-2026-8153

cve-icon Vulnrichment

Updated: 2026-05-08T12:47:08.605Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-08T12:16:29.977

Modified: 2026-05-08T15:51:23.670

Link: CVE-2026-8153

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-08T14:45:06Z

Weaknesses