CVE-2026-35504
Medium
Published: 12 May 2026
Modified
13 May 2026
KEV Added
—
Patch
—
CVSS Score v4
5.1
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score
0.0027
18.3rd percentile
Summary
CVE-2026-35504 is a medium-severity CRLF Injection (CWE-93) vulnerability in Cisa (vendor inferred from references). Its CVSS v4 base score is 5.1 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Email Spoofing (T1684.002). EPSS ranks it at the 18.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-29830
Vulnerability details
The PowerSYSTEM Center email notification service is affected by a CRLF injection vulnerability when using SMTPS communication.
- CWE(s): CWE-93 (CRLF Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
T1684.002 Email Spoofing (Stealth)
Adversaries may fake, or spoof, a sender’s identity by modifying the value of relevant email headers in order to establish contact with victims under false pretenses.
Why these techniques?
CRLF injection in the SMTPS email notification service allows injected line breaks to be interpreted as additional SMTP headers or commands, which directly enables email spoofing.
Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0
Affected Assets
Cisa
Inferred from references and description; NVD did not file a CPE for this CVE.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.