Beckhoff: XSS Vulnerability in TwinCAT 3 HMI Server_CVE-2025-41768

5.5 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

Description

On an instance of TwinCAT 3 HMI Server running on a device an authenticated administrator can inject arbitrary content into the custom CSS field which is persisted on the device and later returned via the login page and error page.

Basic Information

ID CVE-2025-41768

Source CERTVDE

Published Jan 20, 2026 at 08:02

Affected Product

Vendor Beckhoff Automation

Product TwinCAT.HMI.Server

Version 0.0.0

Affected Versions Beckhoff Automation TwinCAT.HMI.Server 0.0.0
Beckhoff Automation TF2000-HMI-Server 0.0.0
Beckhoff Automation tf2000-hmi-server 0.0.0

CWE Classification

CWE-79

References

certvde.com /de/advisories/VDE-2025-106

{
    "lastseen": "",
    "description": "On an instance of TwinCAT 3 HMI Server running on a device an authenticated administrator can inject arbitrary content into the custom CSS field which is persisted on the device and later returned via the login page and error page.",
    "published": "2026-01-20T08:02:53.356Z",
    "modified": "2026-01-20T08:02:53.356Z",
    "type": "cve",
    "title": "Beckhoff: XSS Vulnerability in TwinCAT 3 HMI Server",
    "source": "CERTVDE",
    "references": "https://certvde.com/de/advisories/VDE-2025-106",
    "id": "CVE-2025-41768",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "Beckhoff Automation TwinCAT.HMI.Server 0.0.0\nBeckhoff Automation TF2000-HMI-Server 0.0.0\nBeckhoff Automation tf2000-hmi-server 0.0.0",
    "sourceHref": "",
    "cvss": {
        "score": 5.5,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "TwinCAT.HMI.Server",
    "version": "0.0.0",
    "vendor": "Beckhoff Automation",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}