ID

VAR-202606-0052


CVE

CVE-2026-46746


TITLE

OS command injection vulnerability in Siemens' SINEC INS

Trust: 0.8

sources: JVNDB: JVNDB-2026-019677

DESCRIPTION

A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 6). The application does not properly sanitize user input in the /api/sftp/uploadFiles endpoint, allowing the injection of shell command payloads via crafted directory names. These payloads are stored and executed when directory listings are retrieved. This could allow an authenticated remote attacker to execute arbitrary commands on the underlying operating system with the privileges of the affected service user (sinecins).

- All information handled by the software may be overwritten.
- The software may completely shut down.

Trust: 1.62

sources: NVD: CVE-2026-46746 // JVNDB: JVNDB-2026-019677

AFFECTED PRODUCTS

vendor: siemens, model: sinec ins, scope: lte, version: 1.0

Trust: 1.0

vendor: siemens, model: sinec ins, scope: eq, version: 1.0

Trust: 1.0

vendor: シーメンス, model: sinec ins, scope: eq, version: -

Trust: 0.8

vendor: シーメンス, model: sinec ins, scope: -, version: -

Trust: 0.8

vendor: シーメンス, model: sinec ins, scope: eq, version: 1.0

Trust: 0.8

vendor: シーメンス, model: sinec ins, scope: lte, version: 1.0 and earlier

Trust: 0.8

sources: JVNDB: JVNDB-2026-019677 // NVD: CVE-2026-46746

CVSS

SEVERITY

CVSSV2

CVSSV3

productcert@siemens.com: CVE-2026-46746
value: HIGH

Trust: 1.0

OTHER: JVNDB-2026-019677
value: HIGH

Trust: 0.8

productcert@siemens.com: CVE-2026-46746
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

OTHER: JVNDB-2026-019677
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2026-019677 // NVD: CVE-2026-46746

PROBLEMTYPE DATA

problemtype:CWE-78

Trust: 1.0

problemtype:OS Command injection (CWE-78) [ others ]

Trust: 0.8

sources: JVNDB: JVNDB-2026-019677 // NVD: CVE-2026-46746

PATCH

title: SSA-860189, url: https://cert-portal.siemens.com/productcert/html/ssa-860189.html

Trust: 0.8

sources: JVNDB: JVNDB-2026-019677

EXTERNAL IDS

db: NVD, id: CVE-2026-46746

Trust: 2.6

db: SIEMENS, id: SSA-860189

Trust: 1.0

db: JVNDB, id: JVNDB-2026-019677

Trust: 0.8

sources: JVNDB: JVNDB-2026-019677 // NVD: CVE-2026-46746

REFERENCES

url: https://cert-portal.siemens.com/productcert/html/ssa-860189.html

Trust: 1.0

url: https://nvd.nist.gov/vuln/detail/cve-2026-46746

Trust: 0.8

sources: JVNDB: JVNDB-2026-019677 // NVD: CVE-2026-46746

SOURCES

db: JVNDB, id: JVNDB-2026-019677
db: NVD, id: CVE-2026-46746

LAST UPDATE DATE

2026-06-19T19:46:08.704000+00:00


SOURCES UPDATE DATE

db: JVNDB, id: JVNDB-2026-019677, date: 2026-06-15T02:17:00
db: NVD, id: CVE-2026-46746, date: 2026-06-12T18:08:28.793

SOURCES RELEASE DATE

db: JVNDB, id: JVNDB-2026-019677, date: 2026-06-15T00:00:00
db: NVD, id: CVE-2026-46746, date: 2026-06-09T10:16:44