Cyber Resilience

CVE-2021-26829

Severity: Medium · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 11 June 2021
Modified: 01 December 2025
KEV Added: 28 November 2025
Patch: none listed
CVSS v3.1: 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
EPSS: 0.0756 (92.0th percentile)
Risk Priority: 35 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-26829 is a medium-severity stored Cross-site Scripting (CWE-79) vulnerability in OpenPLC ScadaBR (listed as vendor scadabr, product scadabr). Its CVSS 3.1 base score is 5.4 (Medium).

Operationally, its EPSS score places it in the top 8.0% of CVEs by estimated exploit likelihood (92.0th percentile); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations identified in the analysis are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering): constrain what the settings page will store, and encode what it renders.

Deeper analysis

OpenPLC ScadaBR is affected by a stored cross-site scripting vulnerability tracked as CVE-2021-26829. The flaw exists in ScadaBR versions through 0.9.1 on Linux and through 1.12.4 on Windows and is reached through the system_settings.shtm page. It is classified as CWE-79 and carries a CVSS 3.1 base score of 5.4: network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L) because the attacker needs an authenticated account that can write settings, and user interaction required (UI:R) because a victim must later view the poisoned page.

An authenticated attacker supplies crafted input that the application stores and later renders, unencoded, for other users. The injected script then executes in the victim's browser session. Because that code runs in the browser rather than on the ScadaBR server, the vector records a changed scope (S:C); confidentiality and integrity impact are rated low and availability is unaffected. In a SCADA deployment the practical concern is that a low-privileged account can reach the session of an administrator who opens the system settings page and act with that administrator's rights in the web interface.

The issue is listed in the CISA Known Exploited Vulnerabilities catalog, which requires reliable evidence of real-world exploitation. Public references include forum threads on scadabr.com.br that report the flaw along with demonstration material.

Vulnerability details

OpenPLC ScadaBR through 0.9.1 on Linux and through 1.12.4 on Windows allows stored XSS via system_settings.shtm.

CWE(s): CWE-79 (Cross-site Scripting)
KEV Date Added: 28 November 2025

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

scadabr / scadabr: ≤ 0.9.1 (Linux) · ≤ 1.12.4 (Windows)

Mitigating Controls (NIST 800-53 r5)

prevent · SI-10 Information Input Validation: directly requires validation of all input to system_settings.shtm so that attacker-supplied script is rejected or sanitized before storage.

prevent · SI-15 Information Output Filtering: requires filtering/encoding of all output rendered from stored settings, preventing execution of an already persisted XSS payload in victims' browsers.

prevent · access enforcement: restricts who may write to system_settings.shtm, limiting the population of authenticated users able to inject the malicious payload.
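The stored-XSS data flow described under "Deeper analysis", and the split between the SI-10 and SI-15 "prevent" controls above, as an added example written for this page. It is Python, not ScadaBR's own code (ScadaBR is a Java web application); the settings keys, the HTML table layout, the value whitelist and the attacker payload are constructed for illustration, since the page only establishes that the sink is system_settings.shtm.

```python
# Added example (not ScadaBR's code; ScadaBR itself is a Java application).
# Models the stored-XSS data flow on a settings page: a low-privileged user
# saves a setting, an administrator later views the settings page. Setting
# names, the HTML layout and the payload are constructed for illustration.
import html
import re
from dataclasses import dataclass, field

# Constructed payload: what an authenticated attacker submits as a setting value.
PAYLOAD = '<script>fetch("/exfil?c=" + document.cookie)</script>'

# Hypothetical settings keys and a whitelist of what a setting value may contain
# (printable text; no angle brackets, quotes or control characters).
ALLOWED_KEYS = {"instance_description", "support_email"}
SAFE_VALUE = re.compile(r"[\w .,:;()@/-]*")
MAX_LEN = 200


@dataclass
class SettingsStore:
    """Stand-in for the persisted system settings behind system_settings.shtm."""
    values: dict = field(default_factory=dict)

    def save_unchecked(self, key: str, value: str) -> None:
        # Vulnerable path: whatever the user posts is persisted verbatim.
        self.values[key] = value

    def save_validated(self, key: str, value: str) -> None:
        # SI-10 (input validation): reject unknown keys and any value outside the
        # whitelist before it reaches storage. This stops the payload at write time.
        if key not in ALLOWED_KEYS:
            raise ValueError(f"unknown setting: {key}")
        if len(value) > MAX_LEN or SAFE_VALUE.fullmatch(value) is None:
            raise ValueError(f"rejected value for {key}")
        self.values[key] = value


def render_vulnerable(store: SettingsStore) -> str:
    # Vulnerable render: stored values are concatenated straight into the HTML
    # that every later viewer receives, so the stored <script> executes.
    rows = "".join(f"<tr><td>{k}</td><td>{v}</td></tr>" for k, v in store.values.items())
    return f"<table>{rows}</table>"


def render_hardened(store: SettingsStore) -> str:
    # SI-15 (output filtering): HTML-entity encode every stored value at the
    # point of output. This also neutralises payloads that were stored before
    # any validation fix was deployed.
    rows = "".join(
        f"<tr><td>{html.escape(k)}</td><td>{html.escape(v, quote=True)}</td></tr>"
        for k, v in store.values.items()
    )
    return f"<table>{rows}</table>"


def contains_live_script(fragment: str) -> bool:
    # Crude oracle for the example: an unencoded <script tag in the rendered HTML.
    return "<script" in fragment.lower()


def demo() -> dict:
    """Run the attacker's submission through both paths and report the outcome."""
    poisoned = SettingsStore()
    poisoned.save_unchecked("instance_description", PAYLOAD)

    try:
        SettingsStore().save_validated("instance_description", PAYLOAD)
        validation_rejected = False
    except ValueError:
        validation_rejected = True

    clean = SettingsStore()
    clean.save_validated("instance_description", "Plant 3 SCADA")

    return {
        "vulnerable_render_executes": contains_live_script(render_vulnerable(poisoned)),
        "hardened_render_executes": contains_live_script(render_hardened(poisoned)),
        "validation_rejected_payload": validation_rejected,
        "validation_accepted_benign": clean.values["instance_description"] == "Plant 3 SCADA",
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The ordering of the two controls matters for clean-up: after an upgrade or a new input check, values an attacker stored earlier are still in the database, so it is the output encoding (or an audit of the existing settings rows) that protects the next administrator who opens the page, not the validation added at write time.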
