CVE-2026-27870
MediumCVSS 4.8Exploitation Probability (EPSS)
Low risk21th percentile — higher than 21% of all known CVEs
Summary
A Cross-Site Scripting (XSS) vulnerability in the Regesta Smart HD-PLC device from Teldat allows an authenticated network attacker to inject arbitrary JavaScript via the 'Hostname' field in the configuration file. The script executes in the context of the /upgrade/query.php?cmd=p+3%3Bversion path.
Risk Assessment
The risk includes potential session hijacking, credential theft, or unauthorized actions in the management interface, which could compromise network security.
Recommendation
Immediately update the Regesta Smart HD-PLC firmware to a version later than 11.02.05.10.02 and restrict network access to the management interface to trusted hosts only.
Original NVD description (English source)
An attacker with access via network to the Regesta Smart HD-PLC of the provider Teldat (in this case, registration action IS required) who has the vulnerable software could, introduce arbitrary JavaScript by injecting a Cross-site Scripting (XSS) payload into the 'Hostname' field of the configuration file resulting in a XSS in the path /upgrade/query.php?cmd=p+3%3Bversion. This issue affects Regesta Smart HD-PLC - TLDPH16D2: 11.02.05.10.02.

