CVE-2026-22322
Description
A stored cross‑site scripting (XSS) vulnerability in the Link Aggregation configuration interface allows an unauthenticated remote attacker to create a trunk entry containing malicious HTML/JavaScript code. When the affected page is viewed, the injected script executes in the context of the victim's browser, enabling unauthorized actions such as interface manipulation. The session cookie is secured by the HttpOnly flag. Therefore, an attacker is not able to take over the session of an authenticated user.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Phoenix Contact switch firmware lets an unauthenticated attacker inject arbitrary web scripts via the Link Aggregation configuration page.
Vulnerability
A stored cross‑site scripting (XSS) flaw exists in the Link Aggregation (LAG) configuration interface of Phoenix Contact FL SWITCH 2xxx/TSN 23xx/59xx series and FL NAT devices running firmware versions prior to 3.53. The underlying web management application fails to sanitize user-supplied input when creating a trunk entry, allowing an unauthenticated remote attacker to store malicious HTML or JavaScript code on the device [1].
Exploitation
An attacker can craft a request to add a trunk group whose name or other parameter contains arbitrary script code. No authentication is required to reach the vulnerable endpoint. When any user (including an authenticated administrator) subsequently views the LAG configuration page, the injected script executes in the context of the victim’s browser session [1]. The session cookie is protected by the httpOnly flag, so the script cannot directly steal the cookie, but it can still perform other actions (e.g., modifying interface settings) through authenticated API calls that the victim’s browser is allowed to make.
Impact & Mitigation
Successful exploitation enables an attacker to perform unauthorized interface manipulations within the same browser session as an authenticated administrator. The vendor has addressed the issue in firmware version 3.53; devices running older firmware (3.50 and earlier) are affected [1]. Users should update to the latest firmware release immediately. No workarounds are described in the advisory.
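To make the mechanics in the Exploitation and Impact & Mitigation sections concrete, the following is an added example, not Phoenix Contact code and not taken from the advisory; the page layout, the trunk field names, the allowlist pattern and all helper names are assumptions. It renders a stored trunk entry into the LAG table the vulnerable way (no output encoding) and the fixed way (HTML-escaped at output time), adds an input-time allowlist for LAG names as defence in depth, gives a review-style check that counts tags the rendered page should not contain, and parses a Set-Cookie header to confirm the HttpOnly flag that the advisory credits with preventing session takeover.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample of stored trunk (LAG) entries. Entry 2 carries markup in
# its name, which is the shape of input the advisory describes; the field
# names are assumed, not taken from the device firmware.
SAMPLE_TRUNKS = [
    {"id": 1, "name": "uplink-core", "ports": "1,2"},
    {"id": 2, "name": '<img src=x onerror="alert(1)">', "ports": "3,4"},
]


def render_lag_table_vulnerable(trunks):
    """Interpolates stored values straight into HTML with no output encoding.
    Markup stored in a trunk name becomes live markup when the page is viewed."""
    rows = "".join(
        f"<tr><td>{t['id']}</td><td>{t['name']}</td><td>{t['ports']}</td></tr>"
        for t in trunks
    )
    return f"<table>{rows}</table>"


def render_lag_table_fixed(trunks):
    """Same page, but every stored value is HTML-escaped at output time, so the
    browser shows the trunk name as text no matter what was stored."""
    rows = "".join(
        "<tr><td>{}</td><td>{}</td><td>{}</td></tr>".format(
            html.escape(str(t["id"]), quote=True),
            html.escape(t["name"], quote=True),
            html.escape(t["ports"], quote=True),
        )
        for t in trunks
    )
    return f"<table>{rows}</table>"


# Assumed allowlist for a LAG name: defence in depth at input time, not a
# substitute for output encoding.
TRUNK_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def validate_trunk_name(name):
    """Reject a trunk name that is not plain identifier-style text."""
    return bool(TRUNK_NAME_RE.match(name))


class _TagCollector(HTMLParser):
    """Records every start tag the parser sees in a rendered page."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def unexpected_tags(rendered_html, allowed=("table", "tr", "td")):
    """Review-style check: which tags other than the table skeleton does the
    rendered LAG page actually contain? Escaped markup yields none."""
    parser = _TagCollector()
    parser.feed(rendered_html)
    return [t for t in parser.tags if t not in allowed]


def cookie_hardening(set_cookie_header):
    """Parse one Set-Cookie header value and report the flags that limit what
    an injected script can do with the session cookie. HttpOnly is the flag
    the advisory credits with preventing session takeover; Secure and
    SameSite are the other two a reviewer would check."""
    parts = [p.strip() for p in set_cookie_header.split(";")]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() if value else True
    return {
        "httponly": attrs.get("httponly") is True,
        "secure": attrs.get("secure") is True,
        "samesite": attrs.get("samesite"),
    }


if __name__ == "__main__":
    print("vulnerable page, unexpected tags:",
          unexpected_tags(render_lag_table_vulnerable(SAMPLE_TRUNKS)))
    print("fixed page, unexpected tags:",
          unexpected_tags(render_lag_table_fixed(SAMPLE_TRUNKS)))
    print(cookie_hardening("SESSION=abc123; Path=/; HttpOnly; Secure; SameSite=Strict"))
```

The two renderers differ only in where encoding happens: the fix escapes at the point of output, which is what closes a stored XSS regardless of how the value got into storage. The allowlist is worth keeping as a second layer, but on its own it would not protect entries that were stored before it was introduced. The cookie parser shows why the advisory rates the impact as interface manipulation rather than session theft: with HttpOnly set, script in the page cannot read the cookie, although it can still drive requests the browser sends with it.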
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.