CVE-2026-25786

Name of the Vulnerable Software and Affected Versions Siemens SIMATIC (affected versions not specified)

Description Devices fail to properly validate and sanitize the PLC/station name rendered on the "communication" parameters page of the web interface. An authenticated attacker with authorization to download a TIA project into the product can inject malicious scripts into this page. When a user with appropriate permissions accesses the "communication" parameters page, the injected code executes within the context of their web session. This is a Cross-Site Scripting (XSS) issue, where malicious scripts are injected into otherwise trusted websites.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.