CVE-2026-25787

Name of the Vulnerable Software and Affected Versions Siemens SIMATIC WinCC (affected versions not specified)

Description Devices fail to properly validate and sanitize the Technology Object (TO) name rendered on the "Motion Control Diagnostics" page of the web interface. This allows an authenticated attacker with permissions to download a TIA project into the product to inject malicious scripts into the page. When a user with appropriate rights accesses the "Motion Control Diagnostics" parameters page, the malicious code executes within the context of their web session. This is a Cross-Site Scripting (XSS) issue, where an attacker injects client-side scripts into web pages viewed by other users.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.