CVE-2025-41768
MEDIUM
TwinCAT.HMI.Server < 14.4.267 - Stored Cross-Site Scripting via Custom CSS Field
Title source: llmDescription
A high-privileged remote attacker can inject arbitrary content into the custom CSS field of the affected devices because input is not properly neutralized during web page generation ('Cross-site Scripting'). The injected content is stored and rendered to other users of the HMI.
References (1)
https://certvde.com/de/advisories/VDE-2025-106
Scores
CVSS v3
5.5
EPSS
0.0021
EPSS Percentile
10.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (3)
Beckhoff Automation/TF2000-HMI-Server
0.0.0 - 14.4.267
Beckhoff Automation/tf2000-hmi-server
0.0.0 - 14.4.267
Beckhoff Automation/TwinCAT.HMI.Server
0.0.0 - 14.4.267
Published
Jan 20, 2026
Tracked Since
Feb 18, 2026