A reflected cross-site scripting (XSS) vulnerability exists in URL handling, as reported by Tenable. The vulnerability has been assigned a CVSS 3.1 score of 6.1 (MEDIUM severity). The issue was published to the National Vulnerability Database on May 28, 2026. The weakness is categorized as CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page). No Known Exploited Vulnerabilities (KEV) [truncated]
CVE-2026-9645 documents a critical vulnerability in which authenticated users can create and execute arbitrary JavaScript code on the server with root privileges, enabling complete system compromise. The vulnerability was published to the NVD on 2026-05-28 with a CVSS 3.1 score of 9.9 (CRITICAL). Tenable has published a technical research advisory (TRA-2026-46) documenting this issue. The vendor identity [truncated]
CVE-2026-8604 is a high-severity cross-site request forgery (CSRF) issue affecting ScadaBR 1.2.0. According to the CVE description, an attacker could lure a logged-in user to a malicious webpage and use that user’s authenticated session to trigger privileged actions without their intent. The impact is especially important in environments where ScadaBR is used to manage industrial or operational systems, b [truncated]
CVE-2026-8603 is a high-severity OS command injection issue reported for ScadaBR 1.2.0. According to the CVE description, an attacker could execute commands as root on the SCADA system. The NVD record maps the weakness to CWE-78 and shows a CVSS v4.0 vector indicating network reachability, low attack complexity, no user interaction, and high impacts to confidentiality, integrity, and availability. Because [truncated]
CVE-2026-8602 describes a missing authentication issue in ScadaBR 1.2.0 that can let an unauthenticated attacker send HTTP GET requests to the SCADA system and inject arbitrary sensor readings. Because the issue is reachable over the network and affects integrity and availability, exposed deployments should treat it as high priority.