Scadabr
by Scadabr
CVEs (9)
| CVE | Vendor / Product | Severity | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-8605 | | Critical | 0.64 | 9.8 | 0.00 | | May 19, 2026 | In ScadaBR version 1.2.0, a Use of Hard-Coded Credentials vulnerability could allow an attacker to access the SCADA system as admin. |
| CVE-2026-8603 | | Critical | 0.64 | 9.8 | 0.01 | | May 19, 2026 | In ScadaBR version 1.2.0, an OS Command Injection vulnerability could allow an attacker to execute commands as root on the SCADA system. |
| CVE-2026-8602 | | Critical | 0.59 | 9.1 | 0.00 | | May 19, 2026 | In ScadaBR version 1.2.0, a Missing Authentication for Critical Function vulnerability could allow an unauthenticated attacker to send HTTP GET requests to the SCADA system and inject arbitrary sensor readings. |
| CVE-2026-8604 | | High | 0.57 | 8.8 | 0.00 | | May 19, 2026 | In ScadaBR version 1.2.0, a CSRF vulnerability could allow an attacker to trigger any authenticated action through a victim's session by luring any logged-in user to a malicious webpage. |
| CVE-2025-70973 | | Medium | 0.31 | 4.8 | 0.00 | | Mar 9, 2026 | ScadaBR 1.12.4 is vulnerable to Session Fixation. The application assigns a JSESSIONID session cookie to unauthenticated users and does not regenerate the session identifier after successful authentication. As a result, a session created prior to login becomes authenticated once… |
| CVE-2021-26828 | | | 0.18 | — | 0.39 | KEV | Jun 11, 2021 | OpenPLC ScadaBR through 0.9.1 on Linux and through 1.12.4 on Windows allows remote authenticated users to upload and execute arbitrary JSP files via view_edit.shtm. |
| CVE-2021-26829 | | | 0.13 | — | 0.48 | KEV | Jun 11, 2021 | OpenPLC ScadaBR through 0.9.1 on Linux and through 1.12.4 on Windows allows stored XSS via system_settings.shtm. |
| CVE-2019-16344 | | | 0.00 | — | 0.01 | | Oct 14, 2019 | A cross-site scripting (XSS) vulnerability in the login form (/ScadaBR/login.htm) in ScadaBR 1.0CE allows a remote attacker to inject arbitrary web script or HTML via the username or password parameter. |
| CVE-2019-16321 | | | 0.00 | — | 0.01 | | Sep 15, 2019 | ScadaBR 1.0CE, and 1.1.x through 1.1.0-RC, has XSS via a request for a nonexistent resource, as demonstrated by the dwr/test/ PATH_INFO. |