PatchSiren cyber security CVE debrief
CVE-2026-46746 Siemens CVE debrief
A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 6). The application does not properly sanitize user input in the /api/sftp/uploadFiles endpoint, allowing the injection of shell command payloads via crafted directory names. These payloads are stored and executed when directory listings are retrieved. This could allow an authenticated remote attacker to execute arbitrary commands on the underlying operating system with the privileges of the affected service user (sinecins).
- Vendor: Siemens
- Product: SINEC INS
- CVSS: HIGH 8.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-09
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-09
- Advisory updated: 2026-06-12
Who should care
Users of Siemens SINEC INS versions prior to V1.0 SP2 Update 6.
Technical summary
The vulnerability exists in the /api/sftp/uploadFiles endpoint of SINEC INS, where user input is not properly sanitized, allowing for shell command injection via crafted directory names.
Defensive priority
HIGH
Recommended defensive actions
- Update to SINEC INS V1.0 SP2 Update 6 or later.
- Implement proper input validation and sanitization for user input in the /api/sftp/uploadFiles endpoint.
- Restrict access to the affected endpoint to only necessary users and services.
- Monitor system logs for suspicious activity.
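As an added example (not Siemens code and not the patched implementation), the two defensive actions above can be illustrated with a strict allowlist for directory names and a detection pass over upload request logs. The log line format and the `dir=` query parameter name are assumptions made for the sample; the real SINEC INS request format is not documented on this page.

```python
import re
from typing import Iterable, List, Dict
from urllib.parse import unquote

# Assumed log line shape: "<timestamp> <source ip> <user> \"POST <path>\"".
# The "dir=" parameter name is also an assumption for this example.
UPLOAD_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<user>\S+) '
    r'"POST /api/sftp/uploadFiles\?dir=(?P<dir>[^" ]*)"$'
)

# Allowlist for a single directory-name segment: letters, digits, dot,
# underscore, hyphen. Everything a shell could interpret (; | & $ ` ( ) space,
# quotes, newlines) and path separators are rejected outright rather than
# "sanitized", so nothing ambiguous is ever stored or passed to the OS.
SAFE_DIRNAME = re.compile(r'^[A-Za-z0-9._-]{1,64}$')

def is_safe_dirname(name: str) -> bool:
    """True only for allowlisted names; '.' and '..' are rejected too so a
    name cannot refer outside the upload root."""
    return bool(SAFE_DIRNAME.fullmatch(name)) and name not in (".", "..")

def validate_dirname(name: str) -> str:
    """Server-side check to run before a directory is created, stored or
    listed. Fails closed with ValueError instead of passing the value on."""
    if not is_safe_dirname(name):
        raise ValueError(f"rejected directory name: {name!r}")
    return name

def flag_suspicious_uploads(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Detection pass: return every upload request whose decoded dir value
    fails the allowlist, for alerting or retrospective hunting."""
    hits = []
    for line in lines:
        m = UPLOAD_LINE.match(line)
        if m is None:
            continue
        decoded = unquote(m["dir"])  # check the value the server would see
        if not is_safe_dirname(decoded):
            hits.append({"ts": m["ts"], "src": m["src"],
                         "user": m["user"], "dir": decoded})
    return hits

# Constructed sample log lines (not real SINEC INS output).
SAMPLE_LOG = [
    '2026-06-10T08:01:12Z 10.0.0.5 operator "POST /api/sftp/uploadFiles?dir=firmware_2026"',
    '2026-06-10T08:03:40Z 10.0.0.9 operator "POST /api/sftp/uploadFiles?dir=backup%3Bwhoami"',
    '2026-06-10T08:05:02Z 10.0.0.9 operator "POST /api/sftp/uploadFiles?dir=..%2F..%2Fetc"',
]
```

Running `flag_suspicious_uploads(SAMPLE_LOG)` flags the second and third lines; the first, an allowlisted name, is not reported.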
Evidence notes
The vulnerability has a CVSS score of 8.7 and is classified as HIGH severity.
Official resources
- CVE-2026-46746 CVE record (CVE.org)
- CVE-2026-46746 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Vendor Advisory
CVE-2026-46746 was published on 2026-06-09T10:16:44.000Z and modified on 2026-06-12T18:08:28.793Z.