CVE-2026-27870

EUVD-2026-37577

17.06.2026, 13:20

An attacker with access via network to the Regesta Smart HD-PLC of the provider Teldat (in this case, registration action IS required) who has the vulnerable software could, introduce arbitrary JavaScript by injecting a Cross-site Scripting (XSS)  payload into the 'Hostname' field of the configuration file resulting in a XSS in the path /upgrade/query.php?cmd=p+3%3Bversion. This issue affects Regesta Smart HD-PLC - TLDPH16D2: 
11.02.05.10.02.

Cross-site Scripting

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	UNKNOWN				---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 39%

Common Weakness Enumeration

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References

https://support.teldat.com/images/content/docs/Teldat_dm1087_regesta_smart_nessum_series_installation(1).pdf

https://support.teldat.com/portal/supportcontent?page=cgs-customer-global-support&none=true&language=en-US

https://www.hackrtu.com/blog/CNA-CVE-2026-27870/

https://www.hackrtu.com/blog/CNA-HRTU-0002/

https://www.teldat.com/es/