# CVE-2026-36226: Advantech WebAccess/SCADA decryption Field Cross-Site Scripting

## Summary

Advantech WebAccess/SCADA 8.0-2015.08.16 contains a cross-site scripting vulnerability in the Admin Dashboard Create New Project User component. A remote attacker can place JavaScript-bearing input in the `decryption` field, causing script execution when the value is rendered by the application.

This repository is for authorized security research and local reproduction only. Do not use it against systems you do not own or have explicit permission to test.

## Discoverer

Vaibhav D. Barkade

## Vulnerable Component

- Vendor/Product: Advantech WebAccess/SCADA
- Affected version: 8.0-2015.08.16
- Component: Admin Dashboard, Create New Project User
- Field: `decryption`
- Vulnerability type: Cross-Site Scripting
- Attack type: Remote

## Impact

The vulnerability allows JavaScript execution in the browser context of a user who views the affected value. In a real deployment, this may expose sensitive information, enable session hijacking, or allow actions to be performed with the victim user's privileges.

The public PoC is intentionally benign and uses `alert("CVE-2026-36226")` as the proof of execution.

## Reproduction

Use the benign verification payload:

```html
"><svg/onload=alert("CVE-2026-36226")>
```

Manual steps:

1. Log in to an authorized lab instance of Advantech WebAccess/SCADA 8.0-2015.08.16.
2. Open the Admin Dashboard.
3. Navigate to the Create New Project User component.
4. Place the payload in the `decryption` field.
5. Save or preview the new project user.
6. Observe whether the alert executes when the field is rendered.

## Expected Result

On a vulnerable target, the browser executes the JavaScript payload and displays an alert containing:

```text
CVE-2026-36226
```

## Root Cause

The application renders the `decryption` field without sufficient output encoding for the destination HTML context.

## Mitigation

Apply context-aware output encoding for all user-controlled fields, reject script-bearing input where appropriate, deploy a restrictive Content Security Policy, and set sensitive cookies with `HttpOnly`, `Secure`, and `SameSite` protections.