PT-2026-47732 · Siemens · Sinec Ins
Published
2026-06-09
·
Updated
2026-06-09
·
CVE-2026-46746
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
SINEC INS versions prior to V1.0 SP2 Update 6
Description
The application fails to properly sanitize user input at the '/api/sftp/uploadFiles' endpoint. An authenticated remote attacker can supply a crafted directory name that carries a shell command payload. The name is stored, and the payload is executed later, when directory listings are retrieved, so the attacker can run arbitrary commands on the underlying operating system with the privileges of the sinecins service user. The vector reflects this: network access, low complexity, low privileges (an authenticated account) and no user interaction, with full impact on confidentiality, integrity and availability.
Recommendations
Update to version V1.0 SP2 Update 6 or later.
As a temporary mitigation, restrict access to the '/api/sftp/uploadFiles' endpoint. Because the payload is stored and executed on listing rather than on upload, this only prevents new payloads from being stored; directory names created before the restriction should be reviewed and removed, since they would still be executed when listings are retrieved.
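The bug class described above (a stored name that is later handed to a shell when a listing is produced) is easy to reproduce in miniature. The following is an added illustration, not SINEC INS code: the function names, the directory layout and the payload `x;echo INJECTED` are constructed for the example, and it assumes a POSIX system where `ls` and `/bin/sh` are available. The vulnerable listing interpolates the stored name into a command string; the hardened listing passes the path as a single argv element with no shell; and an allow-list check at upload time is the second layer a fix would add.

```python
"""Stored OS command injection via directory names: vulnerable vs hardened.
Hypothetical example code, not the product's own implementation."""
import os
import re
import subprocess
import tempfile

# Allow-list for directory names accepted by an upload endpoint (assumption:
# plain ASCII names are sufficient). Excludes shell metacharacters, spaces,
# path separators, "." / ".." and option-looking names that start with "-".
SAFE_DIRNAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9._-]{0,254}$")


def is_safe_dirname(name: str) -> bool:
    """Upload-time check: reject anything that is not a plain path component."""
    return name not in (".", "..") and SAFE_DIRNAME.fullmatch(name) is not None


def list_dir_vulnerable(base: str, dirname: str) -> str:
    """Vulnerable pattern: the stored name is pasted into a shell command line,
    so metacharacters in the name are parsed by /bin/sh."""
    cmd = f"ls -1 {base}/{dirname}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def list_dir_hardened(base: str, dirname: str) -> str:
    """Hardened pattern: no shell. The path is one argv element and '--' stops
    ls from treating a name beginning with '-' as an option."""
    target = os.path.join(base, dirname)
    result = subprocess.run(
        ["ls", "-1", "--", target], capture_output=True, text=True, check=True
    )
    return result.stdout


def demo() -> dict:
    """Create a directory whose name carries a payload, then list it both ways.
    The marker string INJECTED only appears when the shell ran the payload."""
    with tempfile.TemporaryDirectory() as base:
        evil = "x;echo INJECTED"  # constructed payload, harmless marker only
        os.mkdir(os.path.join(base, evil))
        open(os.path.join(base, evil, "readme.txt"), "w").close()
        return {
            "vulnerable": list_dir_vulnerable(base, evil),
            "hardened": list_dir_hardened(base, evil),
            "upload_check_rejects_payload": not is_safe_dirname(evil),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

With `shell=True` the command line becomes `ls -1 <base>/x;echo INJECTED`, so `ls` fails on the non-existent `x` and the shell runs `echo INJECTED`; the argv form lists `readme.txt` inside the oddly named directory and never interprets the name. The allow-list belongs at the upload endpoint so that such names are never stored in the first place; the argv fix belongs at the listing code so that names already on disk cannot do harm.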
Fix
OS Command Injection
Weakness Enumeration
Related Identifiers
Affected Products
Sinec Ins