CVE-2026-0393 PUBLISHED

CODESYS Visualization - Insufficiently Protected Credentials

Assigner: CERTVDE
Reserved: 27.11.2025 Published: 21.05.2026 Updated: 21.05.2026

The affected product may expose credentials remotely between low privileged visualization users during concurrent login operations due to insufficient isolation of authentication data. The vulnerability affects only login operations within an active visualization session.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
CVSS Score: 6.9

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	High	Confidentiality	None
Attack Complexity	Low	Integrity	None	Integrity	None
Attack Requirements	None	Availability	None	Availability	None
Privileges Required	Low
User Interaction	Passive

CVSS 4.0

Product Status

Vendor	CODESYS
Product	Visualization
Versions	Default: unaffected affected from 1.0.0.0 to 4.10.0.0 (excl.)

Credits

Silvan Schweizer from CTA AG finder

References

https://codesys.csaf-tp.certvde.com/.well-known/csaf/white/2026/advisory2026-07_vde-2026-052.json

Problem Types

CWE-522 Insufficiently Protected Credentials CWE