PatchSiren cyber security CVE debrief

CVE-2026-9645 ScadaBR CVE debrief

CVE-2026-9645 documents a critical vulnerability in which authenticated users can create and execute arbitrary JavaScript code on the server with root privileges, enabling complete system compromise. The vulnerability was published to the NVD on 2026-05-28 with a CVSS 3.1 score of 9.9 (CRITICAL). Tenable has published a technical research advisory (TRA-2026-46) documenting this issue. The vendor identity remains unconfirmed in available sources, with only a low-confidence domain reference candidate. The weakness is classified as CWE-78 (OS Command Injection), indicating the exposed methods likely permit injection of operating system commands through JavaScript execution contexts. Organizations should prioritize identifying any systems exposing the affected functionality, restrict access to authenticated users only as an interim measure, and apply vendor patches when available. Given the CRITICAL severity and authenticated-but-unprivileged attack vector, this vulnerability poses significant risk in multi-tenant or shared hosting environments where authenticated user separation is security-critical.

Vendor: ScadaBR
Product: Unknown
CVSS: CRITICAL 9.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-28
Advisory published: 2026-05-28
Advisory updated: 2026-05-28

Who should care

System administrators managing applications with server-side JavaScript execution capabilities, security teams responsible for authenticated user privilege boundaries, cloud hosting providers offering multi-tenant JavaScript runtime environments, and organizations with externally accessible administrative interfaces.

Technical summary

The vulnerability exposes server-side methods that permit authenticated users to create and execute arbitrary JavaScript code. Execution occurs with full system access at the root privilege level. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) indicates network exploitable, low complexity attacks requiring only low privileges with no user interaction, affecting scope and causing high impact across all security properties. CWE-78 (OS Command Injection) classification suggests the underlying weakness involves improper neutralization of special elements used in OS commands.

Defensive priority

critical

Recommended defensive actions

Identify systems potentially exposing server-side JavaScript execution functionality to authenticated users
Restrict network access to affected systems to authorized administrative hosts where possible
Audit authenticated user accounts and implement principle of least privilege for all service accounts
Monitor for anomalous JavaScript execution or child process spawning from application services
Apply vendor security patches immediately upon release; subscribe to vendor security advisories
Review application logs for indicators of unauthorized script creation or execution attempts
Consider implementing additional sandboxing or containerization for server-side JavaScript execution environments

Evidence notes

CVE description confirms authenticated arbitrary JavaScript execution with root privileges. CVSS vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H confirms network attack vector, low attack complexity, low privileges required, no user interaction, changed scope, and high impacts across confidentiality, integrity, and availability. CWE-78 classification from Tenable source. Vendor identification marked low confidence with review flag.

Official resources

2026-05-28