scadabr 関連製品全体の CVE とセキュリティ脆弱性情報を集約し、CVSS、EPSS、公開日、脆弱性情報データを掲載しています。
公開された問題は vendor risk cross-site scripting and vendor risk csrf に関連することが多く、vendor surface production workloads and vendor surface software deployment の文脈で vendor impact session compromise などの暴露リスクを伴う場合があります。
掲載データは公開脆弱性情報とセキュリティ公告に基づき、過去の暴露面と修補優先度の評価に利用できます。
| CVE | 概要 | ソース | CVSS 最大値 | EPSS(%) | 公開 | 更新 |
|---|---|---|---|---|---|---|
| CVE-2026-8605 | In ScadaBR version 1.2.0, a Use of Hard-Coded Credentials vulnerability could allow an attacker to access the SCADA system as admin. | [email protected] | 5.1 | 0.39% | 2026-05-19 | 2026-06-17 |
| CVE-2026-8604 | In ScadaBR version 1.2.0, a CSRF vulnerability could allow an attacker to trigger any authenticated action through a victim's session by luring any logged-in user to a malicious webpage. | [email protected] | 8.6 | 0.18% | 2026-05-19 | 2026-06-17 |
| CVE-2026-8603 | In ScadaBR version 1.2.0, an OS Command Injection vulnerability could allow an attacker to execute commands as root on the SCADA system. | [email protected] | 8.7 | 1.32% | 2026-05-19 | 2026-06-17 |
| CVE-2026-8602 | In ScadaBR version 1.2.0, a Missing Authentication for Critical Function vulnerability could allow an unauthenticated attacker to send a HTTP GET requests to the SCADA system and inject arbitrary sensor readings. | [email protected] | 8.8 | 0.45% | 2026-05-19 | 2026-06-17 |
| CVE-2025-70973 | ScadaBR 1.12.4 is vulnerable to Session Fixation. The application assigns a JSESSIONID session cookie to unauthenticated users and does not regenerate the session identifier after successful authentication. As a result, a session created prior to login becomes authenticated once the victim logs in, allowing an attacker who knows the session ID to hijack an authenticated session. | [email protected] | 4.8 | 0.20% | 2026-03-09 | 2026-06-17 |
| CVE-2021-26829 KEV | OpenPLC ScadaBR through 0.9.1 on Linux and through 1.12.4 on Windows allows stored XSS via system_settings.shtm. | [email protected] | 5.4 | 48.05% | 2021-06-11 | 2026-06-16 |
| CVE-2021-26828 KEV | OpenPLC ScadaBR through 0.9.1 on Linux and through 1.12.4 on Windows allows remote authenticated users to upload and execute arbitrary JSP files via view_edit.shtm. | [email protected] | 8.8 | 39.10% | 2021-06-11 | 2026-06-16 |
| CVE-2019-16344 | A cross-site scripting (XSS) vulnerability in the login form (/ScadaBR/login.htm) in ScadaBR 1.0CE allows a remote attacker to inject arbitrary web script or HTML via the username or password parameter. | [email protected] | 6.1 | 1.04% | 2019-10-14 | 2026-06-16 |
| CVE-2019-16321 | ScadaBR 1.0CE, and 1.1.x through 1.1.0-RC, has XSS via a request for a nonexistent resource, as demonstrated by the dwr/test/ PATH_INFO. | [email protected] | 6.1 | 0.82% | 2019-09-15 | 2026-06-16 |