Description
A reflected cross-site scripting issue exists in URL handling.
Published: 2026-05-28
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a reflected cross‑site scripting flaw triggered by URL handling. An unauthenticated user can supply specially crafted input in a request URL, which the application reflects back into the browser without proper sanitization. If an attacker succeeds, the injected script runs in the victim’s browser, potentially allowing session hijacking, theft of credentials, or defacement of the web interface.

Affected Systems

ScadaBR system implementations are affected. No specific product versions are enumerated in the data, so any deployed instance of ScadaBR that has not yet applied the vendor’s fix is at risk.

Risk and Exploitability

The CVSS score of 6.1 indicates a medium severity issue. No EPSS data is available, and the vulnerability is not listed in the CISA KEV catalog, suggesting that it is not currently known to be exploited in the wild. The attack vector is client‑side; an attacker would need to entice a user to visit a crafted link, so the risk is highest in social‑engineering or phishing scenarios. While not critical, the impact could compromise confidentiality and integrity of the victim’s session.

Generated by OpenCVE AI on May 28, 2026 at 21:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ScadaBR to the latest release that addresses the reflected XSS issue.
  • If an upgrade is delayed, configure the web server or application layer to encode or escape all user‑supplied URL components before rendering them.
  • Deploy a Web Application Firewall rule set that detects and blocks typical XSS payloads in URL parameters.



Advisories

No advisories yet.

History

Fri, 29 May 2026 15:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Thu, 28 May 2026 22:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Scadabr; Scadabr scadabr |
| Vendors & Products | | Scadabr; Scadabr scadabr |

Thu, 28 May 2026 20:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | A reflected cross-site scripting issue exists in URL handling. |
| Title | | ScadaBR Unauthenticated Reflected Cross-Site Scripting |
| Weaknesses | | CWE-80 |
| References | | |
| Metrics | | cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'} |


MITRE

Status: PUBLISHED

Assigner: tenable

Published:

Updated: 2026-05-29T14:44:42.850Z

Reserved: 2026-05-26T19:08:25.382Z

Link: CVE-2026-9646

Vulnrichment

Updated: 2026-05-29T14:44:36.695Z

NVD

Status: Received

Published: 2026-05-28T21:16:35.087

Modified: 2026-05-28T21:16:35.087

Link: CVE-2026-9646

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T22:30:27Z

Weaknesses