CVE-2021-26829
Vexday Risk Score
55 · Attention
SSVC decision (CISA)
Attend
PoC available → attend closely
CVSS 5.4 · EPSS 48.0% · KEV yes · PoC — · Nuclei — · Metasploit — · Patch —
Lifecycle
11 Jun 2021: Published on NVD
28 Nov 2025: Active exploitation (CISA KEV)
Recommendation: Plan a near-term fix — a public PoC already exists.
In short
OpenPLC ScadaBR has a stored cross-site scripting (XSS) vulnerability in its system settings page. An attacker can inject malicious scripts that get saved and executed when other users view the settings, potentially stealing their credentials or session data.
Technical detail
Stored XSS vulnerability in system_settings.shtm allows authenticated or unauthenticated attackers to inject arbitrary JavaScript that persists in the application database. When administrators or other users access the affected page, the malicious script executes in their browser context, enabling session hijacking, credential theft, or further compromise of the SCADA system.
Summary generated and translated by AI from the official description.
OpenPLC ScadaBR through 0.9.1 on Linux and through 1.12.4 on Windows allows stored XSS via system_settings.shtm.
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Affected products
n/a · n/a
References
http://forum.scadabr.com.br/t/report-falhas-de-seguranca-em-versoes-do-scadabr/3615/4
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-26829
https://www.forescout.com/blog/anatomy-of-a-hacktivist-attack-russian-aligned-group-targets-otics/
https://youtu.be/Xh6LPCiLMa8