Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-3010

Summary
Assigner-Microchip
Assigner Org ID-dc3f6da9-85b5-4a73-84a2-2ec90b40fca5
Published At-28 Feb, 2026 | 11:45
Updated At-28 Feb, 2026 | 11:45
Rejected At-
Credits

TimePictra Stored Cross-Site Scripting

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Microchip TimePictra allows Query System for Information.This issue affects TimePictra: from 11.0 through 11.3 SP2.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Microchip
Assigner Org ID:dc3f6da9-85b5-4a73-84a2-2ec90b40fca5
Published At:28 Feb, 2026 | 11:45
Updated At:28 Feb, 2026 | 11:45
Rejected At:
▼CVE Numbering Authority (CNA)
TimePictra Stored Cross-Site Scripting

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Microchip TimePictra allows Query System for Information.This issue affects TimePictra: from 11.0 through 11.3 SP2.

Affected Products
Vendor
Microchip
Product
TimePictra
Collection URL
https://www.microchip.com/en-us/products/clock-and-timing/systems/synchronization-management-monitoring/timepictra-11
Default Status
unaffected
Versions
Affected
  • From 11.0 through 11.3 SP2 (custom)
Problem Types
TypeCWE IDDescription
CWECWE-79CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Type: CWE
CWE ID: CWE-79
Description: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Metrics
VersionBase scoreBase severityVector
4.09.3CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N
Version: 4.0
Base score: 9.3
Base severity: CRITICAL
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N
Metrics Other Info
Impacts
CAPEC IDDescription
CAPEC-54CAPEC-54 Query System for Information
CAPEC ID: CAPEC-54
Description: CAPEC-54 Query System for Information
Solutions
Configurations
Workarounds

Control access to the web application

Exploits
Credits
reporter
Steve Lin
reporter
Bastion Security
Timeline
EventDate
Reported2026-02-04 23:00:00
Event: Reported
Date: 2026-02-04 23:00:00
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timepictra-stored-cross-site-scripting
vendor-advisory
Hyperlink: https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timepictra-stored-cross-site-scripting
Resource:
vendor-advisory
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:dc3f6da9-85b5-4a73-84a2-2ec90b40fca5
Published At:28 Feb, 2026 | 12:16
Updated At:28 Feb, 2026 | 12:16

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Microchip TimePictra allows Query System for Information.This issue affects TimePictra: from 11.0 through 11.3 SP2.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.09.3CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Secondary
Version: 4.0
Base score: 9.3
Base severity: CRITICAL
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-79Secondarydc3f6da9-85b5-4a73-84a2-2ec90b40fca5
CWE ID: CWE-79
Type: Secondary
Source: dc3f6da9-85b5-4a73-84a2-2ec90b40fca5
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timepictra-stored-cross-site-scriptingdc3f6da9-85b5-4a73-84a2-2ec90b40fca5
N/A
Hyperlink: https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timepictra-stored-cross-site-scripting
Source: dc3f6da9-85b5-4a73-84a2-2ec90b40fca5
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

3Records found
CVE-2024-43684
Matching Score-6
Assigner-Microchip Technology
ShareView Details
Matching Score-6
Assigner-Microchip Technology
CVSS Score-8.7||HIGH
EPSS-0.22% / 44.30%
||
7 Day CHG+0.06%
Published-04 Oct, 2024 | 19:51
Updated-29 Aug, 2025 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-Site Request Forgery vulnerability in TimeProvider 4100

Cross-Site Request Forgery (CSRF) vulnerability in Microchip TimeProvider 4100 allows Cross Site Request Forgery, Cross-Site Scripting (XSS).This issue affects TimeProvider 4100: from 1.0.

Action-Not Available
Vendor-microchipMicrochipmicrochip
Product-timeprovider_4100_firmwaretimeprovider_4100TimeProvider 4100timeprovider_4100_firmware
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-43687
Matching Score-6
Assigner-Microchip Technology
ShareView Details
Matching Score-6
Assigner-Microchip Technology
CVSS Score-7.7||HIGH
EPSS-2.50% / 85.09%
||
7 Day CHG+1.13%
Published-04 Oct, 2024 | 19:41
Updated-23 May, 2025 | 15:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
XSS vulnerability in bannerconfig endpoint in TimeProvider 4100

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Microchip TimeProvider 4100 (banner config modules) allows Cross-Site Scripting (XSS).This issue affects TimeProvider 4100: from 1.0 before 2.4.7.

Action-Not Available
Vendor-microchipMicrochip
Product-timeprovider_4100timeprovider_4100_firmwareTimeProvider 4100
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-43686
Matching Score-6
Assigner-Microchip Technology
ShareView Details
Matching Score-6
Assigner-Microchip Technology
CVSS Score-5.4||MEDIUM
EPSS-14.11% / 94.21%
||
7 Day CHG+1.69%
Published-04 Oct, 2024 | 19:47
Updated-16 Oct, 2024 | 19:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Reflected XSS in TimeProvider 4100 chart component

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Microchip TimeProvider 4100 (data plot modules) allows Reflected XSS.This issue affects TimeProvider 4100: from 1.0 before 2.4.7.

Action-Not Available
Vendor-microchipMicrochip
Product-timeprovider_4100timeprovider_4100_firmwareTimeProvider 4100
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Details not found