CVE-2026-4293 is a CVSS 5.3 medium-severity cross-site scripting issue affecting Kieback & Peter DDC building controllers. The published description says attacker-controlled JavaScript can execute in the victim’s browser, which can give the attacker control over that browser context. The NVD record was published on 2026-05-20 and was still marked "Awaiting Analysis" in the supplied source snapshot, so def [truncated]
A vulnerability in Kieback&Peter DDC4000 series building automation controllers allows unauthenticated attackers with local access to read password hashes from /etc/passwd. The affected products span ten controller models across two product generations: legacy DDC4002/DDC4100/DDC4200/DDC4200-L/DDC4400 (firmware ≤1.12.14 or ≤1.7.4) and newer DDC4002e/DDC4200e/DDC4400e/DDC4020e/DDC4040e models (firmware ≤1. [truncated]
A critical vulnerability in Kieback&Peter DDC4000 series building automation controllers enables unauthenticated attackers to gain full administrative access due to weak default credentials. Published October 17, 2024, this flaw affects ten product variants across both legacy (EOL) and currently supported controller lines. The CVSS 9.8 score reflects network exploitable, low-complexity attacks requiring n [truncated]
CVE-2024-41717 is a critical path traversal vulnerability in Kieback&Peter DDC4000 series building automation controllers, published on October 17, 2024. The vulnerability allows unauthenticated remote attackers to read arbitrary files on affected systems, with a CVSS 3.1 score of 9.8 (Critical). The flaw affects ten distinct product variants across two controller generations: legacy DDC4002, DDC4100, DDC [truncated]