THREAT OPS › Threat News › [NVD] CVE-2026-25786 (CRITICAL 9.1) — Affected devices do not properly validate and sanitize PLC/station name rendered on the "communication" parameters page of the web interface.
This could allow an authenticated attacker who is authorized to download a TIA project into the product, to inject malicious scripts into
[NVD] CVE-2026-25786 (CRITICAL 9.1) — Affected devices do not properly validate and sanitize PLC/station name rendered on the "communication" parameters page of the web interface. This could allow an authenticated attacker who is authorized to download a TIA project into the product, to inject malicious scripts into
CVE-2026-25786 CVSS: 9.1 CRITICAL Published: 2026-05-12T10:16:44.193
Affected devices do not properly validate and sanitize PLC/station name rendered on the "communication" parameters page of the web interface. This could allow an authenticated attacker who is authorized to download a TIA project into the product, to inject malicious scripts into the page. If a benign user with appropriate righ
Indicators of compromise
- CVE-2026-25786cve
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-25786