PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-9646 ScadaBR CVE debrief

A reflected cross-site scripting (XSS) vulnerability exists in URL handling, as reported by Tenable. The vulnerability has been assigned a CVSS 3.1 score of 6.1 (MEDIUM severity). The issue was published to the National Vulnerability Database on May 28, 2026. The weakness is categorized as CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page). No Known Exploited Vulnerabilities (KEV) entry exists for this CVE, and no ransomware campaign use has been documented. The affected vendor and product remain unidentified based on available source data.

Vendor: ScadaBR
Product: Unknown
CVSS: MEDIUM 6.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-28
Advisory published: 2026-05-28
Advisory updated: 2026-05-28

Who should care

Web application security teams, developers handling URL parameter processing, and security operations centers monitoring for XSS exploitation attempts.

Technical summary

Reflected cross-site scripting vulnerability in URL handling. Attack vector: network. Attack complexity: low. Privileges required: none. User interaction: required. Scope: changed. Impact: low confidentiality, low integrity, no availability impact.

Defensive priority

medium

Recommended defensive actions

  • Review Tenable's security advisory for technical details and affected product identification
  • Apply vendor-supplied patches when available
  • Implement Content Security Policy (CSP) headers to mitigate XSS impact
  • Validate and sanitize all URL parameters in web applications
  • Monitor for vendor security advisories related to this CVE
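
The output-encoding and CSP actions above, shown together as an added example. This is not code from ScadaBR or from the Tenable advisory. The /search path, the q parameter, the page template and the CSP value are assumptions made for illustration.

```python
import html
from urllib.parse import urlsplit, parse_qs

# Assumed policy for this sketch: same-origin resources only, no inline script.
CSP = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'"


def _param(url, name):
    """Return the first decoded value of a query parameter, or ''."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get(name, [""])[0]


def render_unsafe(url):
    """CWE-80 pattern: decoded URL input is concatenated into HTML as-is."""
    return {}, "<p>No results for " + _param(url, "q") + "</p>"


def render_safe(url):
    """Encode at the output boundary and send a CSP as a second layer."""
    value = _param(url, "q")
    # quote=True also encodes " and ', which matters in attribute contexts.
    body = "<p>No results for " + html.escape(value, quote=True) + "</p>"
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": CSP,
        "X-Content-Type-Options": "nosniff",
    }
    return headers, body


# Constructed sample request URL (hypothetical path and parameter name).
SAMPLE = "/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"

if __name__ == "__main__":
    print("unsafe:", render_unsafe(SAMPLE)[1])
    headers, body = render_safe(SAMPLE)
    print("safe:  ", body)
    print("CSP:   ", headers["Content-Security-Policy"])
```

Encoding is applied where the value enters the HTML, not where it is read from the URL, so the same decoded value can still be used safely in other contexts such as logs or database queries with their own handling.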

Evidence notes

Source data indicates this vulnerability was reported by Tenable via [email protected]. The CVE record status is 'Received' in NVD, indicating initial processing. Vendor identification is marked low confidence due to absence of explicit vendor/product fields in source data; 'Unknown Vendor' is derived from reference domain analysis.
