CVE-2026-8153
Published: 08 May 2026
Summary
CVE-2026-8153 is a critical-severity OS Command Injection (CWE-78) vulnerability in Universal Robots PolyScope (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 23.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-8153 is an OS command injection vulnerability, tracked under CWE-78, that affects the Dashboard Server interface in Universal Robots PolyScope versions prior to 5.25.1. The flaw resides in the robot controller software and carries a CVSS 3.1 base score of 9.8, reflecting network-accessible unauthenticated exploitation with high impact on confidentiality, integrity, and availability.
An unauthenticated remote attacker can supply specially crafted commands through the Dashboard Server interface and achieve arbitrary code execution on the underlying robot operating system. Successful exploitation grants full control over the robot controller without requiring credentials or user interaction.
The single reference points to Universal Robots documentation describing the Dashboard Server communication protocol; the version information indicates that upgrading PolyScope to 5.25.1 or later removes the vulnerable interface behavior. The associated EPSS score remains flat at 0.0197 with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-28548
Vulnerability details
OS command injection in the Dashboard Server interface in Universal Robots PolyScope versions prior to 5.25.1 allows an unauthenticated attacker to craft commands that execute code on the robot's OS.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
OS command injection in unauthenticated public-facing Dashboard Server interface directly enables remote code execution on the robot's Unix-based OS.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly requires validation and sanitization of all inputs to the Dashboard Server interface, blocking the crafted OS commands that trigger CWE-78 injection.
- AC-3 (Access Enforcement): Enforces that only authenticated and authorized subjects may invoke commands on the robot OS, eliminating the unauthenticated code-execution path.
- SI-2 (Flaw Remediation): Mandates prompt application of the PolyScope 5.25.1+ update that removes the vulnerable Dashboard Server behavior before exploitation can occur.
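As an added illustration of the SI-10 control (example code written for this page, not Universal Robots' software), the following is an allowlist filter that a defender could run in a protocol-aware proxy in front of the Dashboard Server listener while the 5.25.1 update is rolled out. The command subset, the argument rules and the .urp naming convention are assumptions; the page does not describe the protocol or the injection vector.

```python
import re
from dataclasses import dataclass

# Constructed allowlist (assumption: a subset of the documented Dashboard Server
# command set). True means the verb takes exactly one argument, False means none.
ALLOWED_COMMANDS = {
    "load": True, "play": False, "stop": False, "pause": False,
    "power on": False, "power off": False, "brake release": False,
    "robotmode": False, "running": False, "get loaded program": False,
    "popup": True, "close popup": False,
}
# A program argument is a bare .urp file name: no directories, spaces or shell syntax.
PROGRAM_NAME = re.compile(r"[A-Za-z0-9_\-]{1,64}\.urp")
# Characters with no place in a popup message that drive shell parsing.
SHELL_META = re.compile(r"[;&|`$<>(){}\\'\"]")


@dataclass
class Verdict:
    accepted: bool
    reason: str


def validate_command(line: str) -> Verdict:
    text = line.rstrip("\r\n")
    if not text or len(text) > 256:
        return Verdict(False, "empty or oversized command")
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in text):
        return Verdict(False, "control character in command")
    # Longest verb first so "power on" wins over any shorter prefix.
    verb = next((v for v in sorted(ALLOWED_COMMANDS, key=len, reverse=True)
                 if text == v or text.startswith(v + " ")), None)
    if verb is None:
        return Verdict(False, "verb not in allowlist")
    arg = text[len(verb):].strip()
    if not ALLOWED_COMMANDS[verb]:
        return Verdict(not arg, "ok" if not arg else "unexpected argument")
    if not arg:
        return Verdict(False, "missing argument")
    if verb == "load" and not PROGRAM_NAME.fullmatch(arg):
        return Verdict(False, "program name rejected")
    if SHELL_META.search(arg):
        return Verdict(False, "shell metacharacter in argument")
    return Verdict(True, "ok")


if __name__ == "__main__":
    # Constructed sample traffic, not captured from a real controller.
    for sample in ["play", "load prog_1.urp", "load ../x.urp; id", "popup $(id)"]:
        print(f"{sample!r:24} -> {validate_command(sample)}")
```

Rejected lines are the ones worth logging and alerting on, since a legitimate client never needs to send them.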