Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-1227

Summary
Assigner-schneider
Assigner Org ID-076d1eb6-cfab-4401-b34d-6dfc2a413bdb
Published At-11 Feb, 2026 | 13:45
Updated At-11 Feb, 2026 | 14:08
Rejected At-
Credits

CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that could cause unauthorized disclosure of local files, interaction within the EBO system, or denial of service conditions when a local user uploads a specially crafted TGML graphics file to the EBO server from Workstation.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:schneider
Assigner Org ID:076d1eb6-cfab-4401-b34d-6dfc2a413bdb
Published At:11 Feb, 2026 | 13:45
Updated At:11 Feb, 2026 | 14:08
Rejected At:
▼CVE Numbering Authority (CNA)

CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that could cause unauthorized disclosure of local files, interaction within the EBO system, or denial of service conditions when a local user uploads a specially crafted TGML graphics file to the EBO server from Workstation.

Affected Products
Vendor
Schneider Electric SESchneider Electric
Product
EcoStruxure Building Operation Workstation
Default Status
unaffected
Versions
Affected
  • All 7.0.x versions prior to 7.0.3.2000 (CP1)
Vendor
Schneider Electric SESchneider Electric
Product
EcoStruxure Building Operation Webstation
Default Status
unaffected
Versions
Affected
  • All 6.x versions prior to 6.0.4.14001 (CP10)
Problem Types
TypeCWE IDDescription
CWECWE-611CWE-611 Improper Restriction of XML External Entity Reference
Type: CWE
CWE ID: CWE-611
Description: CWE-611 Improper Restriction of XML External Entity Reference
Metrics
VersionBase scoreBase severityVector
4.07.0HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Version: 4.0
Base score: 7.0
Base severity: HIGH
Vector:
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-041-02&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-041-02.pdf
N/A
Hyperlink: https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-041-02&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-041-02.pdf
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cybersecurity@se.com
Published At:11 Feb, 2026 | 14:16
Updated At:11 Feb, 2026 | 15:27

CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that could cause unauthorized disclosure of local files, interaction within the EBO system, or denial of service conditions when a local user uploads a specially crafted TGML graphics file to the EBO server from Workstation.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.07.0HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Secondary
Version: 4.0
Base score: 7.0
Base severity: HIGH
Vector:
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-611Primarycybersecurity@se.com
CWE ID: CWE-611
Type: Primary
Source: cybersecurity@se.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-041-02&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-041-02.pdfcybersecurity@se.com
N/A
Hyperlink: https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-041-02&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-041-02.pdf
Source: cybersecurity@se.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

7Records found
CVE-2026-1226
Matching Score-8
Assigner-Schneider Electric
ShareView Details
Matching Score-8
Assigner-Schneider Electric
CVSS Score-7||HIGH
EPSS-0.02% / 5.62%
||
7 Day CHG~0.00%
Published-11 Feb, 2026 | 13:49
Updated-11 Feb, 2026 | 15:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

CWE‑94: Improper Control of Generation of Code vulnerability exists that could cause execution of untrusted or unintended code within the application when maliciously crafted design content is processed through a TGML graphics file.

Action-Not Available
Vendor-Schneider Electric SE
Product-EcoStruxure Building Operation WorkstationEcoStruxure Building Operation Webstation
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2025-13905
Matching Score-8
Assigner-Schneider Electric
ShareView Details
Matching Score-8
Assigner-Schneider Electric
CVSS Score-7||HIGH
EPSS-0.01% / 1.53%
||
7 Day CHG~0.00%
Published-29 Jan, 2026 | 15:20
Updated-29 Jan, 2026 | 16:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

CWE-276: Incorrect Default Permissions vulnerability exists that could cause privilege escalation through the reverse shell when one or more executable service binaries are modified in the installation folder by a local user with normal privilege upon service restart.

Action-Not Available
Vendor-Schneider Electric SE
Product-EcoStruxure™ Process Expert for AVEVA System PlatformEcoStruxure™ Process Expert
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2023-37200
Matching Score-6
Assigner-Schneider Electric
ShareView Details
Matching Score-6
Assigner-Schneider Electric
CVSS Score-5.5||MEDIUM
EPSS-0.04% / 11.58%
||
7 Day CHG~0.00%
Published-12 Jul, 2023 | 07:11
Updated-07 Nov, 2024 | 14:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that could cause loss of confidentiality when replacing a project file on the local filesystem and after manual restart of the server.

Action-Not Available
Vendor-
Product-ecostruxure_opc_ua_server_expertEcoStruxure OPC UA Server Expert
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2024-12476
Matching Score-6
Assigner-Schneider Electric
ShareView Details
Matching Score-6
Assigner-Schneider Electric
CVSS Score-8.4||HIGH
EPSS-0.02% / 5.71%
||
7 Day CHG~0.00%
Published-17 Jan, 2025 | 09:42
Updated-12 Feb, 2025 | 17:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that could cause information disclosure, impacts workstation integrity and potential remote code execution on the compromised computer, when specific crafted XML file is imported in the Web Designer configuration tool.

Action-Not Available
Vendor-Schneider Electric SE
Product-Web Designer for BMENOC0321(C)Web Designer for BMXNOE0110(H)Web Designer for BMENOC0311(C)Web Designer for BMXNOR0200H
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2025-6438
Matching Score-6
Assigner-Schneider Electric
ShareView Details
Matching Score-6
Assigner-Schneider Electric
CVSS Score-5.9||MEDIUM
EPSS-0.05% / 15.48%
||
7 Day CHG~0.00%
Published-11 Jul, 2025 | 09:06
Updated-03 Nov, 2025 | 20:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that could cause manipulation of SOAP API calls and XML external entities injection resulting in unauthorized file access when the server is accessed via the network using an application account.

Action-Not Available
Vendor-Schneider Electric SE
Product-EcoStruxure™ IT Data Center Expert
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2022-0221
Matching Score-6
Assigner-Schneider Electric
ShareView Details
Matching Score-6
Assigner-Schneider Electric
CVSS Score-5.5||MEDIUM
EPSS-0.23% / 45.52%
||
7 Day CHG~0.00%
Published-28 Mar, 2022 | 16:25
Updated-02 Aug, 2024 | 23:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that could result in information disclosure when opening a malicious solution file provided by an attacker with SCADAPack Workbench. This could be exploited to pass data from local files to a remote system controlled by an attacker. Affected Product: SCADAPack Workbench (6.6.8a and prior)

Action-Not Available
Vendor-
Product-scadapack_workbenchSCADAPack Workbench
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2023-2161
Matching Score-6
Assigner-Schneider Electric
ShareView Details
Matching Score-6
Assigner-Schneider Electric
CVSS Score-5||MEDIUM
EPSS-0.04% / 12.79%
||
7 Day CHG+0.01%
Published-16 May, 2023 | 04:31
Updated-22 Jan, 2025 | 21:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that could cause unauthorized read access to the file system when a malicious configuration file is loaded on to the software by a local user. 

Action-Not Available
Vendor-Schneider Electric SE
Product-opc_factory_serverOPC Factory Server (OFS)
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
Details not found