CVE-2021-26829
Published: 11 June 2021
Summary
CVE-2021-26829 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in ScadaBR. Its CVSS base score is 5.4 (Medium).
Operationally, it ranks in the top 8.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
OpenPLC ScadaBR is affected by a stored cross-site scripting vulnerability tracked as CVE-2021-26829. The flaw exists in versions through 0.9.1 on Linux and through 1.12.4 on Windows and is triggered via the system_settings.shtm component. It is classified under CWE-79 and carries a CVSS 3.1 base score of 5.4, reflecting a network attack vector, low attack complexity, low privileges required (an authenticated account) and required user interaction.
An authenticated attacker can supply crafted input that is stored by the application and later rendered for other users. Successful exploitation allows the attacker to execute arbitrary script in the victim's browser session, resulting in limited impacts to confidentiality and integrity within a changed security context while availability remains unaffected.
The issue is listed in the CISA Known Exploited Vulnerabilities catalog, indicating confirmed real-world exploitation. Public references include forum threads on scadabr.com.br that report the security flaws along with demonstration material.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-13614
Vulnerability details
OpenPLC ScadaBR through 0.9.1 on Linux and through 1.12.4 on Windows allows stored XSS via system_settings.shtm.
- CWE(s): CWE-79
- KEV Date Added: 28 November 2025
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
SI-10 (Information Input Validation): directly requires validation of all input to system_settings.shtm so that attacker-supplied script is rejected or sanitized before storage.
SI-15 (Information Output Filtering): requires filtering/encoding of all output rendered from stored settings, preventing execution of the persisted XSS payload in victims' browsers.
Access enforcement: enforces access-control decisions on who may write to system_settings.shtm, limiting the population of authenticated users able to inject the malicious payload.
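The two controls named above, shown as an added example that is not ScadaBR's code: a settings value is validated before storage (SI-10), HTML-encoded when rendered (SI-15), and a small audit flags markup already persisted in a settings store. The field names, the payload and the settings record are constructed for illustration.

```python
# Added example (not ScadaBR code): SI-10 (validate input before it is
# stored) and SI-15 (encode stored values at output) applied to a settings
# page, plus an audit that lists settings already holding markup.
# Field names and the sample record below are constructed, not ScadaBR's.
import html
import re

# Settings fields that must be plain text (hypothetical names).
PLAIN_TEXT_FIELDS = {"instance_description", "smtp_host", "email_from_name"}
_MARKUP = re.compile(r"[<>]|&#|javascript:", re.IGNORECASE)


def validate_setting(name: str, value: str) -> bool:
    """SI-10: reject values carrying markup before they reach storage."""
    if name in PLAIN_TEXT_FIELDS and _MARKUP.search(value):
        return False
    return len(value) <= 255


def render_settings_vulnerable(settings: dict) -> str:
    """The bug class: stored values interpolated into HTML unencoded."""
    rows = "".join(f"<tr><td>{k}</td><td>{v}</td></tr>" for k, v in settings.items())
    return f"<table>{rows}</table>"


def render_settings_hardened(settings: dict) -> str:
    """SI-15: HTML-encode every stored value at the point of output."""
    rows = "".join(
        f"<tr><td>{html.escape(k)}</td><td>{html.escape(v)}</td></tr>"
        for k, v in settings.items()
    )
    return f"<table>{rows}</table>"


def audit_stored_settings(settings: dict) -> list:
    """Defender check: keys whose persisted value already contains markup."""
    return sorted(k for k, v in settings.items() if _MARKUP.search(v))


# Constructed settings record: one field holds a stored-XSS style payload.
SAMPLE_SETTINGS = {
    "instance_description": "<script>alert(1)</script>",
    "smtp_host": "mail.example.com",
}

if __name__ == "__main__":
    print(render_settings_vulnerable(SAMPLE_SETTINGS))  # payload survives intact
    print(render_settings_hardened(SAMPLE_SETTINGS))    # payload rendered inert
    print(audit_stored_settings(SAMPLE_SETTINGS))       # ['instance_description']
```

The audit function is the piece an incident responder would run over an exported settings table after a KEV notice, since encoding at output neutralises a payload but does not remove it from storage.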