CVE-2026-25786 - Vulnerability Analysis
Critical | CVSS: 9.1 | Last Updated: May 12, 2026
Affected Devices - Stored XSS
Overview
Affected devices contain a stored XSS vulnerability caused by improper validation and sanitization of PLC/station names rendered on the communication parameters page of the web interface. An authenticated attacker with project download rights can inject scripts that are executed in other users' sessions.
Impact
Authenticated attackers can execute malicious scripts in other users' sessions, potentially stealing data or performing actions on their behalf.
Mitigation
Update to the latest version with proper input validation and sanitization.
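As an added illustration of the mitigation (example code, not the vendor's or the page's own), the following JavaScript contrasts the vulnerable pattern of concatenating a PLC/station name straight into markup with encoding it for the HTML context first; the station-name allowlist, the sample name and the function names are assumptions.

```javascript
// Added example: rendering a PLC/station name on a parameters page.
// Sample name, allowlist and helpers are assumptions, not the product's code.

// Constructed station name containing markup, as it might arrive in a project.
const CONSTRUCTED_NAME = 'PLC_1<script>x()</script>';

// Encode the five characters that can change HTML context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the untrusted name becomes part of the markup itself.
function renderUnsafe(name) {
  return `<td class="station-name">${name}</td>`;
}

// Hardened pattern: output-encode for the HTML context before concatenation.
function renderSafe(name) {
  return `<td class="station-name">${escapeHtml(name)}</td>`;
}

// Defence in depth: validate the name against an allowlist when the project
// is downloaded, so markup never reaches storage (assumed rule).
const STATION_NAME_RE = /^[A-Za-z0-9_\-. ]{1,32}$/;
function isValidStationName(name) {
  return STATION_NAME_RE.test(String(name));
}
```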
Social Media Activity (2 posts)
CVE-2026-25786 - Critical (9.1) Affected devices do not properly validate and sanitize PLC/station name rendered on the "communication" parameters page of the web interface. This could allow an authenticated attacker who is authorized to download a TIA project into the product,... https://www.thehackerwire.com/vulnerability/CVE-2026-25786/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
Details
- CVE ID: CVE-2026-25786
- Severity: Critical
- CVSS Score: 9.1
- Type: stored_xss
- Status: unconfirmed
- EPSS: 4.4%
- Social Posts: 2
CWE
- CWE-79
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H