VYPR
Medium severity · 4.8 · NVD Advisory · Published May 29, 2026 · Updated May 29, 2026

CVE-2026-10057

Description

ITS Intelligent SCADA System, developed by ITP Technology, has a Stored Cross-Site Scripting vulnerability that allows privileged remote attackers to inject persistent JavaScript code that is executed in users' browsers upon page load.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

ITS Intelligent SCADA System version 2.1 contains a stored XSS vulnerability allowing privileged remote attackers to inject persistent JavaScript executed on page load.

Vulnerability

ITS Intelligent SCADA System developed by ITP Technology, version 2.1 [1][2], contains a stored cross-site scripting (XSS) vulnerability (CVE-2026-10057). The flaw allows an attacker who has already obtained administrative privileges to inject persistent JavaScript code into a specific page, which is then executed in users' browsers whenever that page is loaded [1][2].

Exploitation

To exploit this vulnerability, an attacker must first have administrative access to the ITS Intelligent SCADA System [1][2]. With that privilege, the attacker can inject malicious JavaScript code into a vulnerable page that will be stored on the server. The injected script is automatically executed when any user (including other administrators or lower-privileged users) visits the affected page. No further user interaction beyond loading the page is required for the injected script to run [1][2].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser session on the SCADA system [1][2]. The CVSS v3.1 vector is AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N, indicating low impact to confidentiality and integrity, and no impact to availability [1][2]. The attacker could potentially perform actions on behalf of the victim, steal session tokens, or deface the page. The scope is changed, meaning the injected script can impact resources beyond the vulnerable component, though the confidentiality and integrity impact is rated low and exploitation depends on the necessary privileges and user interaction [1][2].

Mitigation

As of the publication date (2026-05-29), no patch or vendor fix has been disclosed in the available references [1][2]. Users of ITS Intelligent SCADA System version 2.1 should monitor ITP Technology for an update or security advisory. No workaround is described in the references. The CVE is not listed in CISA's Known Exploited Vulnerabilities catalog.

AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

2