Cyber Resilience

CVE-2026-35504

Severity: Medium

Published: 12 May 2026
Modified: 13 May 2026
CVSS v4.0 score: 5.1 (Medium); vector: CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.0027 (18.3rd percentile)
Risk priority: 35 (floored blend, peak EPSS)

Summary

CVE-2026-35504 is a medium-severity CRLF Injection (CWE-93) vulnerability in a product attributed here to Cisa (vendor inferred from references; see Affected Assets). Its CVSS base score is 5.1 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Email Spoofing (T1684.002). The CVE is ranked at the 18.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Vulnerability details

PowerSYSTEM Center email notification service is affected by a CRLF injection vulnerability when using SMTPS communication.

CWE(s): CWE-93 (CRLF Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1684.002 Email Spoofing (Stealth)
Adversaries may fake, or spoof, a sender’s identity by modifying the value of relevant email headers in order to establish contact with victims under false pretenses.
Why these techniques?

CRLF injection in the SMTPS email notification service allows additional SMTP headers or commands to be inserted into an outgoing message, which is the mechanism that enables email spoofing.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

Affected Assets

Cisa (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.