CVE-2021-26828
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
OpenPLC ScadaBR through 0.9.1 on Linux and through 1.12.4 on Windows allows remote authenticated users to upload and execute arbitrary JSP files via view_edit.shtm.
References
Published
Community ground truth
Community verdict
2 verdictsIncludes TruePositive's curated baseline from public sources — community verdicts accrue on top.
to add your verdict.
In line with its CVSS base score.
Field notes & remediation
Verdicts are the quick signal — notes are the evidence and fixes behind them.
- 0
Confirmed exploited in the wild — listed in the CISA KEV catalog (added 2025-12-03). Treat as real and prioritize patching over triage.
Related CVEs
Same weakness — CWE-434 · Unrestricted Upload of Dangerous File Type.
- CVE-2018-15961CVSS 9.8KEVEPSS 100%
Adobe ColdFusion versions July 12 release (2018.0.0.310739), Update 6 and earlier, and Update 14 and earlier have an unrestricted file upload vulnerability. Successful exploitation could lead to arbitrary code execution.
- CVE-2021-31207CVSS 6.6KEVEPSS 100%
Microsoft Exchange Server Security Feature Bypass Vulnerability
- CVE-2017-12615CVSS 8.1KEVEPSS 100%
When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.
- CVE-2025-31324CVSS 10KEVEPSS 99%
SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availability of the targeted system.
- CVE-2024-50623CVSS 9.8KEVEPSS 99%
In Cleo Harmony before 5.8.0.21, VLTrader before 5.8.0.21, and LexiCom before 5.8.0.21, there is an unrestricted file upload and download that could lead to remote code execution.
- CVE-2019-8394CVSS 6.5KEVEPSS 64%
Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10012 allows remote attackers to upload arbitrary files via login page customization.