Description
OS command injection in Dashboard Server interface in Universal Robots PolyScope versions prior to 5.25.1 allows unauthenticated attacker to craft commands that will execute code on the robot's OS.
Published: 2026-05-08
Score: 9.8 Critical
EPSS: 1.5% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an OS command injection in the Dashboard Server interface of Universal Robots PolyScope 5. An unauthenticated attacker can send crafted input that is executed as a system command on the robot’s operating system, allowing arbitrary code execution and full compromise of the robot’s confidentiality, integrity, and availability.

Affected Systems

All installations of Universal Robots PolyScope 5 with a version earlier than 5.25.1 are affected.

Risk and Exploitability

The CVSS score of 9.8 indicates critical severity. The EPSS score is 1%, indicating a low but non-zero probability of exploitation, but the lack of an authentication requirement means the vulnerability is exploitable for any user with network access to the Dashboard Server endpoint. The vulnerability is not listed in CISA’s KEV catalog, yet the high CVSS suggests a high likelihood of exploitation in environments where the interface is exposed. The attack vector is external network access to the robot’s Dashboard Server.

Generated by OpenCVE AI on May 11, 2026 at 17:48 UTC.

Remediation

Vendor Solution

Update to version 5.25.1 or later, or disable Dashboard Server interface

OpenCVE Recommended Actions

  • Apply the available patch to version 5.25.1 or later.
  • If immediate update is not possible, disable the Dashboard Server interface to prevent unauthenticated access.
  • Restrict network access to the Dashboard Server port, for example by placing the robot behind a firewall or VPN so that only trusted hosts can reach it.

Generated by OpenCVE AI on May 11, 2026 at 17:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 11 May 2026 15:15:00 +0000

Type Values Removed Values Added
Description OS command injection in Dashboard Server interface in Universal Robots PolyScope versions prior to 5.21.1 allows unauthenticated attacker to craft commands that will execute code on the robot's OS. OS command injection in Dashboard Server interface in Universal Robots PolyScope versions prior to 5.25.1 allows unauthenticated attacker to craft commands that will execute code on the robot's OS.

Sun, 10 May 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Universal Robots
Universal Robots polyscope 5
Vendors & Products Universal Robots
Universal Robots polyscope 5

Fri, 08 May 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 08 May 2026 12:15:00 +0000

Type Values Removed Values Added
Description OS command injection in Dashboard Server interface in Universal Robots PolyScope versions prior to 5.21.1 allows unauthenticated attacker to craft commands that will execute code on the robot's OS.
Title Command injection in Dashboard Server interface
Weaknesses CWE-78
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Universal Robots Polyscope 5
cve-icon MITRE

Status: PUBLISHED

Assigner: TRO

Published:

Updated: 2026-05-11T09:27:08.778Z

Reserved: 2026-05-08T08:20:00.514Z

Link: CVE-2026-8153

cve-icon Vulnrichment

Updated: 2026-05-08T12:47:08.605Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-08T12:16:29.977

Modified: 2026-05-11T10:16:15.380

Link: CVE-2026-8153

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-11T18:00:14Z

Weaknesses