Share
## https://sploitus.com/exploit?id=056A3D64-17F5-5D81-959C-75F016136AE8
# CVE-2026-36226: Advantech WebAccess/SCADA Create New Project User XSS PoC

This repository contains a benign proof of concept for `CVE-2026-36226`, a cross-site scripting issue in Advantech WebAccess/SCADA 8.0-2015.08.16.

This repository is for authorized security research and local reproduction only. Do not use it against systems you do not own or have explicit permission to test.

## Summary

Advantech WebAccess/SCADA 8.0-2015.08.16 contains a cross-site scripting vulnerability in the Admin Dashboard Create New Project User component. The `decryption` field does not sufficiently sanitize or encode user-controlled input before it is rendered in the application, allowing a remote attacker to execute JavaScript in the browser context of an authenticated user.

The public PoC uses harmless alert-based payloads only. It does not include credential theft, session exfiltration, or destructive code.

## Discoverer

Vaibhav D. Barkade

## Affected Product

- Vendor: Advantech
- Product: WebAccess/SCADA
- Version: 8.0-2015.08.16
- Component: Admin Dashboard, Create New Project User
- Field: `decryption`
- Vulnerability type: Cross-Site Scripting
- Attack type: Remote

## Usage

Open the local helper page:

```bash
python3 -m http.server 8000
```

Then browse to:

```text
http://127.0.0.1:8000/poc.html
```

Or copy a payload directly from:

```text
payloads.txt
```

Default benign payload:

```html
">
```

## Manual Verification

1. Log in to an authorized lab instance of Advantech WebAccess/SCADA 8.0-2015.08.16.
2. Open the Admin Dashboard.
3. Navigate to Create New Project User.
4. Paste the benign payload into the `decryption` field.
5. Save or preview the record.
6. If an alert executes in the browser, the field is vulnerable to XSS.

## Impact

Successful exploitation allows browser-side JavaScript execution in the context of a user viewing the affected page. Depending on session configuration and user privileges, this can enable session hijacking, sensitive information disclosure, or actions performed as the victim user.

## Mitigation

- Encode untrusted data before rendering it in HTML, attribute, JavaScript, or URL contexts.
- Validate and reject markup/script input in the `decryption` field.
- Apply a restrictive Content Security Policy.
- Mark session cookies as `HttpOnly`, `Secure`, and `SameSite`.
- Upgrade to a fixed vendor release if available.