CVE Catalog

CVE-2026-27870

MediumCVSS 4.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.29%

21th percentile — higher than 21% of all known CVEs

Summary

A Cross-Site Scripting (XSS) vulnerability in the Regesta Smart HD-PLC device from Teldat allows an authenticated network attacker to inject arbitrary JavaScript via the 'Hostname' field in the configuration file. The script executes in the context of the /upgrade/query.php?cmd=p+3%3Bversion path.

Risk Assessment

The risk includes potential session hijacking, credential theft, or unauthorized actions in the management interface, which could compromise network security.

Recommendation

Immediately update the Regesta Smart HD-PLC firmware to a version later than 11.02.05.10.02 and restrict network access to the management interface to trusted hosts only.

Original NVD description (English source)

An attacker with access via network to the Regesta Smart HD-PLC of the provider Teldat (in this case, registration action IS required) who has the vulnerable software could, introduce arbitrary JavaScript by injecting a Cross-site Scripting (XSS)  payload into the 'Hostname' field of the configuration file resulting in a XSS in the path /upgrade/query.php?cmd=p+3%3Bversion. This issue affects Regesta Smart HD-PLC - TLDPH16D2: 11.02.05.10.02.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS