Aggregates CVE and security vulnerability intelligence across all ScadaBR-related products, including CVSS scores, EPSS scores, and publication dates.
Disclosed issues often involve cross-site scripting and CSRF; exposure may include session compromise in production workloads and software deployment contexts.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2026-8605 | In ScadaBR version 1.2.0, a Use of Hard-Coded Credentials vulnerability could allow an attacker to access the SCADA system as admin. | [email protected] | 5.1 | 0.04% | 2026-05-19 | 2026-05-21 |
| CVE-2026-8604 | In ScadaBR version 1.2.0, a CSRF vulnerability could allow an attacker to trigger any authenticated action through a victim's session by luring any logged-in user to a malicious webpage. | [email protected] | 8.6 | 0.02% | 2026-05-19 | 2026-05-21 |
| CVE-2026-8603 | In ScadaBR version 1.2.0, an OS Command Injection vulnerability could allow an attacker to execute commands as root on the SCADA system. | [email protected] | 8.7 | 0.32% | 2026-05-19 | 2026-05-21 |
| CVE-2026-8602 | In ScadaBR version 1.2.0, a Missing Authentication for Critical Function vulnerability could allow an unauthenticated attacker to send HTTP GET requests to the SCADA system and inject arbitrary sensor readings. | [email protected] | 8.8 | 0.08% | 2026-05-19 | 2026-05-21 |
| CVE-2025-70973 | ScadaBR 1.12.4 is vulnerable to Session Fixation. The application assigns a JSESSIONID session cookie to unauthenticated users and does not regenerate the session identifier after successful authentication. As a result, a session created prior to login becomes authenticated once the victim logs in, allowing an attacker who knows the session ID to hijack an authenticated session. | [email protected] | 4.8 | 0.05% | 2026-03-09 | 2026-04-07 |
| CVE-2021-26829 (KEV) | OpenPLC ScadaBR through 0.9.1 on Linux and through 1.12.4 on Windows allows stored XSS via system_settings.shtm. | [email protected] | 5.4 | 7.56% | 2021-06-11 | 2025-12-01 |
| CVE-2021-26828 (KEV) | OpenPLC ScadaBR through 0.9.1 on Linux and through 1.12.4 on Windows allows remote authenticated users to upload and execute arbitrary JSP files via view_edit.shtm. | [email protected] | 8.8 | 78.43% | 2021-06-11 | 2025-12-04 |
| CVE-2019-16344 | A cross-site scripting (XSS) vulnerability in the login form (/ScadaBR/login.htm) in ScadaBR 1.0CE allows a remote attacker to inject arbitrary web script or HTML via the username or password parameter. | [email protected] | 6.1 | 0.19% | 2019-10-14 | 2024-11-21 |
| CVE-2019-16321 | ScadaBR 1.0CE, and 1.1.x through 1.1.0-RC, has XSS via a request for a nonexistent resource, as demonstrated by the dwr/test/ PATH_INFO. | [email protected] | 6.1 | 0.24% | 2019-09-15 | 2024-11-21 |