CVE-2026-9646
Description
A reflected cross-site scripting issue exists in URL handling.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A reflected XSS vulnerability in ScadaBR URL handling allows an unauthenticated attacker to execute arbitrary JavaScript in a user's browser session.
Vulnerability
A reflected cross-site scripting (XSS) vulnerability exists in URL handling within ScadaBR, as described in [1]. The issue is triggered when a user visits a crafted URL containing malicious script code. All versions of ScadaBR are affected, as the project is unmaintained and no fix has been released [1].
Exploitation
An unauthenticated attacker can exploit this vulnerability by crafting a malicious URL that includes JavaScript code in a parameter. The attacker must then trick a logged-in user into clicking the link (e.g., via phishing or social engineering). No authentication is required to craft the exploit, and the victim does not need any special privileges [1].
Impact
Successful exploitation results in the execution of arbitrary JavaScript in the victim's browser within the context of the ScadaBR application. This can lead to disclosure of sensitive information, session hijacking, or actions performed on behalf of the victim user. The CVSS v3 base score is 6.1 (Medium), with low impact to confidentiality and integrity [1].
Mitigation
No fix is currently available, and the ScadaBR project appears to be unmaintained [1]. Users should consider migrating to an alternative SCADA solution or implementing web application firewall (WAF) rules to filter malicious URLs as a temporary workaround. The vulnerability is not known to be listed in CISA's KEV.
AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE: mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.