CVE-2025-41768
Persistent CSS Injection in TwinCAT 3 HMI Server by Admin
Publication date: 2026-01-20
Last updated on: 2026-02-12
Assigner: CERT VDE
Description
A high-privileged remote attacker can inject arbitrary content into the custom CSS field on the affected devices due to improper neutralization of input during web page generation ('Cross-site Scripting').
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| beckhoff | twincat_3_hmi_server | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |