VYPR
Vendor

Pilz

Products
8
CVEs
7
Across products
10
Status
Private

Products

8

Recent CVEs

7
  • CVE-2018-19009HigJan 25, 2019
    risk 0.51cvss 7.8epss 0.00

    Pilz PNOZmulti Configurator prior to version 10.9 allows an authenticated attacker with local access to the system containing the PNOZmulti Configurator software to view sensitive credential data in clear-text. This sensitive data is applicable to only the PMI m107 diag HMI…

  • CVE-2020-12067HigDec 26, 2022
    risk 0.49cvss 7.5epss 0.01

    In Pilz PMC programming tool 3.x before 3.5.17 (based on CODESYS Development System), a user's password may be changed by an attacker without knowledge of the current password.

  • CVE-2022-40977HigNov 24, 2022
    risk 0.49cvss 7.5epss 0.01

    A path traversal vulnerability was discovered in Pilz PASvisu Server before 1.12.0. An unauthenticated remote attacker could use a zipped, malicious configuration file to trigger arbitrary file writes ('zip-slip'). File writes do not affect confidentiality or availability.

  • CVE-2022-40976MedNov 24, 2022
    risk 0.36cvss 5.5epss 0.00

    A path traversal vulnerability was discovered in multiple Pilz products. An unauthenticated local attacker could use a zipped, malicious configuration file to trigger arbitrary file writes ('zip-slip'). File writes do not affect confidentiality or availability.

  • CVE-2019-9011MedDec 26, 2022
    risk 0.34cvss 5.3epss 0.00

    In Pilz PMC programming tool 3.x before 3.5.17 (based on CODESYS Development System), an attacker can identify valid usernames.

  • CVE-2023-45795Jun 22, 2026
    risk 0.00cvss epss 0.00

    A cross-site scripting vulnerability in the Builder Component of Pilz PASvisu before 1.14.1 allows a local unauthenticated attacker to inject malicious javascript and gain full control over the device.

  • CVE-2023-45796Jun 22, 2026
    risk 0.00cvss epss 0.00

    A stored cross-site scripting vulnerability in the Runtime component of Pilz PASvisu before 1.14.1 and PMI v8xx up to and including 2.0.33992 allows a low-privileged remote unauthenticated attacker to manipulate process data with potential impact on integrity and/or availability.