THREATOPS
THREAT OPSThreat News › [NVD] CVE-2026-25786 (CRITICAL 9.1) — Affected devices do not properly validate and sanitize PLC/station name rendered on the "communication" parameters page of the web interface. This could allow an authenticated attacker who is authorized to download a TIA project into the product, to inject malicious scripts into

[NVD] CVE-2026-25786 (CRITICAL 9.1) — Affected devices do not properly validate and sanitize PLC/station name rendered on the "communication" parameters page of the web interface. This could allow an authenticated attacker who is authorized to download a TIA project into the product, to inject malicious scripts into

lownvdPublished 2026-05-12

CVE-2026-25786 CVSS: 9.1 CRITICAL Published: 2026-05-12T10:16:44.193

Affected devices do not properly validate and sanitize PLC/station name rendered on the "communication" parameters page of the web interface. This could allow an authenticated attacker who is authorized to download a TIA project into the product, to inject malicious scripts into the page. If a benign user with appropriate righ

Indicators of compromise

Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-25786