## https://sploitus.com/exploit?id=056A3D64-17F5-5D81-959C-75F016136AE8
# CVE-2026-36226: Advantech WebAccess/SCADA Create New Project User XSS PoC
This repository contains a benign proof of concept for `CVE-2026-36226`, a cross-site scripting issue in Advantech WebAccess/SCADA 8.0-2015.08.16.
This repository is for authorized security research and local reproduction only. Do not use it against systems you do not own or have explicit permission to test.
## Summary
Advantech WebAccess/SCADA 8.0-2015.08.16 contains a cross-site scripting vulnerability in the Admin Dashboard Create New Project User component. The `decryption` field does not sufficiently sanitize or encode user-controlled input before it is rendered in the application, allowing a remote attacker to execute JavaScript in the browser context of an authenticated user.
The public PoC uses harmless alert-based payloads only. It does not include credential theft, session exfiltration, or destructive code.
## Discoverer
Vaibhav D. Barkade
## Affected Product
- Vendor: Advantech
- Product: WebAccess/SCADA
- Version: 8.0-2015.08.16
- Component: Admin Dashboard, Create New Project User
- Field: `decryption`
- Vulnerability type: Cross-Site Scripting
- Attack type: Remote
## Usage
Open the local helper page:
```bash
python3 -m http.server 8000
```
Then browse to:
```text
http://127.0.0.1:8000/poc.html
```
Or copy a payload directly from:
```text
payloads.txt
```
Default benign payload:
```html
">
```
## Manual Verification
1. Log in to an authorized lab instance of Advantech WebAccess/SCADA 8.0-2015.08.16.
2. Open the Admin Dashboard.
3. Navigate to Create New Project User.
4. Paste the benign payload into the `decryption` field.
5. Save or preview the record.
6. If an alert executes in the browser, the field is vulnerable to XSS.
## Impact
Successful exploitation allows browser-side JavaScript execution in the context of a user viewing the affected page. Depending on session configuration and user privileges, this can enable session hijacking, sensitive information disclosure, or actions performed as the victim user.
## Mitigation
- Encode untrusted data before rendering it in HTML, attribute, JavaScript, or URL contexts.
- Validate and reject markup/script input in the `decryption` field.
- Apply a restrictive Content Security Policy.
- Mark session cookies as `HttpOnly`, `Secure`, and `SameSite`.
- Upgrade to a fixed vendor release if available.