CVE-2026-10057: Stored XSS in ITS Intelligent SCADA System—Privilege Required
ITS Intelligent SCADA System contains a stored cross-site scripting (XSS) vulnerability that allows authenticated users with elevated privileges to inject malicious JavaScript code into the application. Once injected, this code persists in the system and executes automatically whenever other users load affected pages in their browsers. This is distinct from reflected XSS because the payload remains embedded in the application, posing a sustained risk to all users who access the compromised content.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.8 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-79
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-29 / 2026-06-17
NVD description (verbatim)
ITS Intelligent SCADA System developed by ITP Technology has a Stored Cross-Site Scripting vulnerability, allowing privileged remote attackers to inject persistent JavaScript codes that are executed in users' browsers upon page load.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10057 is a stored XSS vulnerability in ITP Technology's ITS Intelligent SCADA System (CWE-79). The vulnerability stems from insufficient input validation and output encoding, permitting high-privilege remote attackers to inject JavaScript that persists server-side and executes in victim browsers with the privileges of the authenticated user. The CVSS 3.1 vector (AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N) reflects network accessibility, high privilege requirement, user interaction dependency, and limited confidentiality and integrity impact.
Business impact
In operational technology environments, SCADA systems govern critical infrastructure. A stored XSS vulnerability could allow a privileged insider or compromised administrator account to modify displayed data, redirect operators, harvest session tokens, or inject false commands that appear legitimate. The scope change (S:C) indicates potential impact beyond the vulnerable component, affecting trust in the system's interface and operator confidence. For organizations relying on ITS for industrial control, this could lead to operational disruption, delayed incident response, or undetected manipulation of control parameters.
Affected systems
ITP Technology's ITS Intelligent SCADA System is affected. No specific version ranges were provided in the source data; verify the vendor advisory to determine which product versions contain this vulnerability and whether patches or mitigations are available.
Exploitability
Exploitation requires high privilege level (PR:H), meaning the attacker must possess administrative or equivalent access. Attack complexity is low (AC:L), and the attack is network-accessible (AV:N). However, user interaction (UI:R) is required—the malicious script only executes when a victim visits the affected page. The combination of privilege requirement and user interaction significantly limits practical exploitation scenarios, though a compromised admin account or insider threat remains a viable attack path.
Remediation
Consult ITP Technology's security advisory for patches or version updates addressing this vulnerability. In parallel, implement input validation on all user-supplied data fields, enforce strict output encoding for all dynamic content, apply a Content Security Policy (CSP) to restrict inline script execution, and review admin account access logs for unauthorized modifications. Restrict administrative access to the principle of least privilege to reduce the risk of compromise.
Patch guidance
Check ITP Technology's official security advisories and vendor portal for available patches. Apply patches to all instances of ITS Intelligent SCADA System according to your change management and system availability windows. Verify patch application through official version checksums or vendor-provided verification tools. Test patches in a non-production environment before deployment to critical systems.
Detection guidance
Monitor web server and application logs for unusual modifications to stored content, including timestamps and user accounts responsible for changes. Audit admin account activity for unexpected page edits or data insertions. Deploy web application firewalls (WAF) configured to detect and block common XSS payloads. Use browser developer tools to inspect stored data for suspicious script tags or event handlers. Implement network segmentation to limit admin access to the SCADA system and reduce lateral movement risk if an admin account is compromised.
Why prioritize this
While the CVSS score of 4.8 is moderate, the stored nature of this XSS and its deployment in an operational technology context elevates operational risk. SCADA systems require high availability and operator trust; any compromise to data integrity or display reliability can have cascading effects. The vulnerability's placement on the KEV catalog is currently false, indicating lower active exploitation pressure, but organizations operating critical infrastructure should still treat this as a priority given the sensitive nature of SCADA environments.
Risk score, explained
The CVSS 3.1 score of 4.8 (MEDIUM) reflects the requirement for high privilege access and user interaction, which significantly constrain exploitation. However, the scope change and persistent nature of the payload warrant organizational context: for critical infrastructure operators, the actual risk may exceed the numerical score due to the downstream impact of compromised SCADA interfaces on physical processes and safety.
Frequently asked questions
Why does this vulnerability require high privilege to exploit?
Stored XSS in SCADA systems typically requires admin or elevated access because these systems restrict who can modify stored data, configuration, or display content. This design choice reduces but does not eliminate risk, especially in organizations with weak access controls or insider threat scenarios.
What is the difference between this stored XSS and a reflected XSS?
Stored XSS persists on the server; every user who accesses the affected page will execute the malicious script. Reflected XSS requires the victim to click a malicious link. Stored XSS is generally considered more dangerous in enterprise environments because it can affect many users without requiring social engineering for each victim.
If I'm not on the KEV catalog, do I still need to patch this?
Yes. The KEV catalog tracks vulnerabilities with evidence of active, in-the-wild exploitation. Absence from the catalog does not mean the vulnerability is unimportant—it reflects current threat intelligence, not severity. A vulnerability targeting critical infrastructure should be prioritized based on organizational risk, not KEV status alone.
How can I detect if this vulnerability has been exploited in my environment?
Review administrative user activity logs for modifications to web pages or stored content, inspect application data for suspicious JavaScript or HTML tags, and monitor network traffic for unusual outbound connections from user browsers after accessing ITS pages. A WAF log analysis and content integrity monitoring can also detect injected payloads.
This analysis is based on publicly disclosed vulnerability data as of June 2026. No exploit code or weaponized proof-of-concept is provided. Organizations should verify patch availability and version applicability directly with ITP Technology before implementing changes. Security measures should be tailored to your operational environment, risk tolerance, and compliance requirements. SEC.co does not provide legal, regulatory, or specific system configuration advice; consult your internal security and compliance teams. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25384MEDIUMStored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts
- CVE-2019-25731MEDIUMStored XSS in Zuz Music 2.1 Contact Form
- CVE-2019-25737MEDIUMStored XSS in Live Chat Unlimited 2.8.3 – Admin Session Compromise
- CVE-2019-25739MEDIUMGigToDo 1.3 Stored XSS Vulnerability in Proposal Descriptions
- CVE-2019-25742MEDIUMStored XSS in Zoner Real Estate WordPress Theme 4.1.1 – Admin Account Compromise Risk
- CVE-2019-25743MEDIUMWordPress Soliloquy Lite 2.5.6 Stored XSS Vulnerability
- CVE-2019-25744MEDIUMWordPress Popup Builder 3.49 Stored XSS Vulnerability – Exploit Prevention & Patch Guide
- CVE-2025-14042MEDIUMStored XSS in Automotive Car Dealership Business WordPress Theme 13.4.1