8.8

CVE-2026-46746

A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 6). The application does not properly sanitize user input in the /api/sftp/uploadFiles endpoint, allowing the injection of shell command payloads via crafted directory names. These payloads are stored and executed when directory listings are retrieved. This could allow an authenticated remote attacker to execute arbitrary commands on the underlying operating system with the privileges of the affected service user (sinecins).
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
SiemensSinec Ins Update- Version <= 1.0
SiemensSinec Ins Version1.0 Updatesp1
SiemensSinec Ins Version1.0 Updatesp2
SiemensSinec Ins Version1.0 Updatesp2_update_1
SiemensSinec Ins Version1.0 Updatesp2_update_2
SiemensSinec Ins Version1.0 Updatesp2_update_3
SiemensSinec Ins Version1.0 Updatesp2_update_4
SiemensSinec Ins Version1.0 Updatesp2_update_5
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.45% 0.358
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
productcert@siemens.com 8.8 2.8 5.9
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
productcert@siemens.com 8.7 0 0
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

https://cert-portal.siemens.com/productcert/html/ssa-860189.html
Vendor Advisory