PatchSiren cyber security CVE debrief
CVE-2019-13538 Unknown Vendor CVE debrief
CVE-2019-13538 is a validation flaw in the CODESYS V3 Library Manager. In affected versions prior to 3.5.16.0, the system can display active library content without first checking whether the library is valid, which can allow manipulated library contents to be displayed or executed. The advisory also notes that the issue applies to source libraries, and recommends distributing compiled libraries only.
- Vendor: Unknown Vendor
- Product: FESTO
- CVSS: HIGH 8.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-02-26
- Original CVE updated: 2026-03-17
- Advisory published: 2026-02-26
- Advisory updated: 2026-03-17
Who should care
Organizations using CODESYS V3 Library Manager or products that bundle it, especially Festo Automation Suite deployments that include affected CODESYS components. Engineering teams that exchange or deploy libraries in industrial automation workflows should also care, particularly where source libraries are used.
Technical summary
According to the source advisory, CODESYS V3 Library Manager versions prior to 3.5.16.0 do not verify library validity before presenting active library content. That creates a path for manipulated libraries to be displayed, and potentially executed, when a user opens or works with them. The advisory identifies the issue as affecting both compiled and source libraries, while strongly recommending distribution of compiled libraries only. The supplied source ties the advisory to Festo Automation Suite packaging, but the underlying flaw is in the CODESYS component itself.
Defensive priority
High. The CVSS score is 8.6 and the source describes a condition that can lead to execution of manipulated content. Remediation should focus on upgrading affected CODESYS components and removing any dependence on vulnerable bundled versions.
Recommended defensive actions
- Update CODESYS V3 Library Manager to version 3.5.16.0 or later.
- If using Festo Automation Suite, install the latest FAS release and follow Festo's connector update guidance.
- Download patched CODESYS releases only from the official CODESYS website.
- Apply vendor installation and update instructions to ensure all security fixes are present.
- Monitor CODESYS security advisories and deploy updates promptly.
- Prefer compiled libraries over source libraries when distributing libraries in operational environments.
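The upgrade actions above depend on knowing which installations report a Library Manager version below 3.5.16.0. The following Python is an added example, not part of the advisory or any vendor tooling: it triages a constructed inventory of reported version strings against the fixed version. The host names, the inventory format, and the mapping of "V3.5 SP15 Patch 4" style names to 3.5.15.40 are assumptions.

```python
import re

# First fixed CODESYS V3 Library Manager version named in the advisory.
FIXED = (3, 5, 16, 0)

def parse_version(text):
    """Parse '3.5.15.40', 'V3.5.16.0' or 'V3.5 SP15 Patch 4' into a 4-tuple.

    Returns None when the string is not recognised, so callers can fail closed.
    """
    t = text.strip()
    m = re.fullmatch(r"[Vv]?(\d+)\.(\d+)\.(\d+)\.(\d+)", t)
    if m:
        return tuple(int(g) for g in m.groups())
    # Assumption: service-pack notation 'V3.5 SP15 Patch 4' equals 3.5.15.40.
    m = re.fullmatch(r"[Vv]?(\d+)\.(\d+)\s+SP(\d+)(?:\s+Patch\s+(\d+))?", t, re.I)
    if m:
        major, minor, sp, patch = m.groups()
        return (int(major), int(minor), int(sp), int(patch or 0) * 10)
    return None

def triage(inventory):
    """Map each host to 'vulnerable', 'fixed' or 'unknown'."""
    result = {}
    for host, raw in inventory.items():
        version = parse_version(raw)
        if version is None:
            result[host] = "unknown"      # unparsed: needs manual review
        elif version < FIXED:             # numeric tuple compare, not string compare
            result[host] = "vulnerable"
        else:
            result[host] = "fixed"
    return result

# Constructed sample inventory (hypothetical hosts and reported versions).
INVENTORY = {
    "eng-ws-01": "3.5.9.40",             # a string compare would rank this above 3.5.16.0
    "eng-ws-02": "V3.5 SP15 Patch 4",
    "eng-ws-03": "3.5.16.0",
    "eng-ws-04": "3.5.17.10",
    "eng-ws-05": "unknown build",
}

if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as "unknown" should be treated as unpatched until their version is confirmed by hand.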
Evidence notes
Source evidence comes from the CISA CSAF advisory ICSA-26-076-01 and its revision history, which lists an initial publication on 2026-02-26 and a CISA republication on 2026-03-17. The advisory description states that all versions of CODESYS V3 Library Manager prior to 3.5.16.0 are affected. The source metadata also links the issue to Festo Automation Suite packaging, but the core vulnerability text attributes the flaw to 3S-Smart Software Solutions GmbH CODESYS V3 Library Manager. The vendor field in the supplied corpus is low-confidence and flagged for review, so this debrief avoids asserting a stronger product-vendor relationship than the source supports.
Official resources
- CVE-2019-13538 CVE record (CVE.org)
- CVE-2019-13538 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
CISA's CSAF advisory for this issue was published on 2026-02-26 and republished on 2026-03-17. The vulnerable software condition itself is defined by the advisory as CODESYS V3 Library Manager versions prior to 3.5.16.0; those advisory date