VYPR
Medium severity 4.8 · NVD Advisory · Published May 29, 2026 · Updated May 29, 2026

CVE-2026-10058

Description

ITS Intelligent SCADA System developed by ITP Technology has a Stored Cross-Site Scripting vulnerability, allowing privileged remote attackers to inject persistent JavaScript code that is executed in users' browsers upon page load.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in ITS Intelligent SCADA System 2.1 allows privileged remote attackers to inject persistent JavaScript executed in users' browsers.

Vulnerability

A Stored Cross-Site Scripting (XSS) vulnerability exists in the ITS Intelligent SCADA System version 2.1 developed by ITP Technology. An authenticated attacker with administrative privileges can inject persistent JavaScript code into a specific page of the system. The injected code is stored on the server and executed automatically when any user loads that page in their browser [1][2].

Exploitation

The attacker must have valid administrative access to the SCADA system web interface. With this privilege, the attacker can craft a malicious JavaScript payload and inject it into a vulnerable input field or parameter on the targeted page. Once submitted and stored, any subsequent user visiting that page will trigger the execution of the injected script in their browser without requiring any further interaction from the victim [1][2].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser session on the affected SCADA system. This can lead to disclosure of sensitive information displayed on the page, modification of page content, or redirection to malicious sites. The CVSS v3.1 score for this vulnerability is 4.8 (Medium), with a vector string of CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N, indicating low confidentiality and integrity impact but with scope change [1][2].

Mitigation

As of the publication date (2026-05-29), no patch or fixed version has been announced by ITP Technology. The affected product is ITS Intelligent SCADA System version 2.1. Until a fix is released, administrators should restrict administrative access to trusted users only, apply strict input validation and output encoding on all user-supplied data, and monitor for any suspicious activity. This vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog at the time of disclosure [1][2].

AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

2
