nvd,anchore_overrides
Scadabr
Vulnerabilities
11
Known exploited
2
Critical
1
High
4
Top products
Top vulnerabilities
CVE-2026-9645Exposed methods allow authenticated users to create and execute arbitrary JavaScript code on the server. The scripts execute with full access, enabling complete system compromise as commands are executed as root.
CVE-2026-8602In ScadaBR version 1.2.0, a Missing Authentication for Critical Function vulnerability could allow an unauthenticated attacker to send a HTTP GET requests to the SCADA system and inject arbitrary sensor readings.
CVE-2021-26828OpenPLC ScadaBR through 0.9.1 on Linux and through 1.12.4 on Windows allows remote authenticated users to upload and execute arbitrary JSP files via view_edit.shtm.
CVE-2026-8603In ScadaBR version 1.2.0, an OS Command Injection vulnerability could allow an attacker to execute commands as root on the SCADA system.
CVE-2026-8604In ScadaBR version 1.2.0, a CSRF vulnerability could allow an attacker to trigger any authenticated action through a victim's session by luring any logged-in user to a malicious webpage.
CVE-2026-9646A reflected cross-site scripting issue exists in URL handling.
CVE-2019-16344A cross-site scripting (XSS) vulnerability in the login form (/ScadaBR/login.htm) in ScadaBR 1.0CE allows a remote attacker to inject arbitrary web script or HTML via the username or password parameter.
CVE-2019-16321ScadaBR 1.0CE, and 1.1.x through 1.1.0-RC, has XSS via a request for a nonexistent resource, as demonstrated by the dwr/test/ PATH_INFO.
CVE-2021-26829OpenPLC ScadaBR through 0.9.1 on Linux and through 1.12.4 on Windows allows stored XSS via system_settings.shtm.
CVE-2026-8605In ScadaBR version 1.2.0, a Use of Hard-Coded Credentials vulnerability could allow an attacker to access the SCADA system as admin.
CVE-2025-70973ScadaBR 1.12.4 is vulnerable to Session Fixation. The application assigns a JSESSIONID session cookie to unauthenticated users and does not regenerate the session identifier after successful authentication. As a result, a session created prior to login becomes authenticated once the victim logs in, allowing an attacker who knows the session ID to hijack an authenticated session.