Description
Exposed methods allow authenticated users to create and execute arbitrary JavaScript code on the server. The scripts execute with full access, enabling complete system compromise as commands are executed as root.
Published: 2026-05-28
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows authenticated users to inject and run arbitrary JavaScript code on the SCADA server. Scripts execute with full system privileges, effectively giving the attacker root access and the ability to perform any command or modify critical infrastructure. The weakness corresponds to CWE-78, reflecting insecure execution of system commands without proper validation.

Affected Systems

ScadaBR ScadaBR is the affected product. No specific version information is provided, so all released iterations are potentially vulnerable until an official patch is applied.

Risk and Exploitability

The CVSS score of 9.9 indicates critical severity. EPSS is not available, but the lack of listing in the CISA KEV catalog does not diminish the risk: authenticated users can enact arbitrary code, making exploitation straightforward once access is obtained. The likely attack vector is through legitimate user credentials, implying that internal or compromised accounts can be leveraged to compromise the system.

Generated by OpenCVE AI on May 28, 2026 at 21:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest vendor patch or upgrade to a fixed version of ScadaBR as soon as one is released.
  • Restrict user permissions to the minimum required to perform their duties, disabling or removing the ability to execute arbitrary scripts where possible.
  • Isolate the SCADA environment from untrusted networks by implementing strict firewall rules and requiring VPN access for remote authentication.
  • Enable comprehensive logging and monitoring of JavaScript execution and system command activity to detect any suspicious actions.

Generated by OpenCVE AI on May 28, 2026 at 21:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 29 May 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 28 May 2026 22:00:00 +0000

Type Values Removed Values Added
First Time appeared Scadabr
Scadabr scadabr
Vendors & Products Scadabr
Scadabr scadabr

Thu, 28 May 2026 20:45:00 +0000

Type Values Removed Values Added
Description Exposed methods allow authenticated users to create and execute arbitrary JavaScript code on the server. The scripts execute with full access, enabling complete system compromise as commands are executed as root.
Title ScadaBR Authenticated Remote Code Execution
Weaknesses CWE-78
References
Metrics cvssV3_1

{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

Scadabr Scadabr
cve-icon MITRE

Status: PUBLISHED

Assigner: tenable

Published:

Updated: 2026-05-29T14:51:41.509Z

Reserved: 2026-05-26T19:08:24.402Z

Link: CVE-2026-9645

cve-icon Vulnrichment

Updated: 2026-05-29T14:51:35.328Z

cve-icon NVD

Status : Received

Published: 2026-05-28T21:16:34.950

Modified: 2026-05-28T21:16:34.950

Link: CVE-2026-9645

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-28T21:45:27Z

Weaknesses