PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-6059 NEC Platforms, Ltd. CVE debrief

A cross-site scripting (XSS) vulnerability in Aterm allows arbitrary script execution in the web browser of users accessing the web management interface. The attack requires adjacent network access and user interaction. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The CVSS 4.0 vector indicates adjacent network attack vector, low attack complexity, no privileges required, and user interaction required, with low integrity impact. The vulnerability status is currently Deferred in the NVD. NEC has published a security advisory for this issue.

Vendor: NEC Platforms, Ltd.
Product: Aterm WX1800HP
CVSS: MEDIUM 4.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-25
Original CVE updated: 2026-05-26
Advisory published: 2026-05-25
Advisory updated: 2026-05-26

Who should care

Organizations using Aterm devices with web management interfaces enabled; network administrators responsible for edge device security; security teams monitoring for XSS vulnerabilities in network infrastructure.

Technical summary

Cross-site scripting vulnerability in Aterm web management interface. Arbitrary script execution possible via adjacent network access with user interaction. CVSS 4.0 score 4.8 (Medium). Status: Deferred.

Defensive priority

Medium

Recommended defensive actions

  • Apply security updates from NEC when available per vendor security advisory
  • Restrict access to Aterm web management interface to trusted adjacent networks only
  • Implement network segmentation to limit exposure of management interfaces
  • Monitor for suspicious activity targeting Aterm management interfaces
  • Review and validate input sanitization on web management interfaces

Evidence notes

Vulnerability description and CVSS scoring derived from official NVD record. Vendor attribution to NEC based on PSIRT reference domain. CWE-79 classification sourced from official vulnerability database entry.

Official resources

2026-05-25