CVE-2026-46746
CVSS Score
8.8
EPSS Score
0.2%
EPSS Percentile
48th
A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 6). The application does not properly sanitize user input in the /api/sftp/uploadFiles endpoint, allowing the injection of shell command payloads via crafted directory names. These payloads are stored and executed when directory listings are retrieved. This could allow an authenticated remote attacker to execute arbitrary commands on the underlying operating system with the privileges of the affected service user (sinecins).
| CWE | CWE-78 |
| Vendor | siemens |
| Product | sinec ins |
| Ecosystems | |
| Industries | IndustrialManufacturing |
| Published | Jun 9, 2026 |
| Last Updated | Jun 9, 2026 |
Stay Ahead of the Next One
Get instant alerts for siemens sinec ins
Be the first to know when new high vulnerabilities affecting siemens sinec ins are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Affected Versions
Siemens / SINEC INS
0 < V1.0 SP2 Update 6