Improper XML External Entity Handling in Schneider Electric EBO Software
CVE-2026-1227
7 HIGH
Key Information:
- Vendor: Schneider Electric
- CVE Published: 11 February 2026
What is CVE-2026-1227?
Schneider Electric's EBO software improperly restricts XML External Entity (XXE) references. An attacker can exploit this flaw by uploading a specially crafted TGML graphics file, potentially gaining unauthorized access to local files and interacting with the EBO system. Exploitation could cause significant disruption, including denial-of-service conditions. Users should implement appropriate security measures to mitigate this risk.
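A pre-import check for the upload path described above, as an added example that is not Schneider Electric code or part of the advisory: it flags DOCTYPE and entity declarations in a TGML file and stops parsing before the document body, so no entity is expanded. It assumes legitimate TGML graphics carry no DTD; the `scan_tgml` name and both sample documents are constructed for illustration.

```python
from xml.parsers import expat

# Constructed sample inputs (not real EBO graphics).
CLEAN = b'<?xml version="1.0"?><Tgml Width="600" Height="400"><Rectangle Left="10" Top="10"/></Tgml>'
CRAFTED = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE Tgml [<!ENTITY ext SYSTEM "file:///constructed/placeholder">]>'
           b'<Tgml><Text>&ext;</Text></Tgml>')


class _DtdInspected(Exception):
    """Raised to abort parsing once the DTD has been inspected."""


def scan_tgml(data):
    """Return a list of findings; an empty list means no DTD or entity was declared."""
    findings = []
    parser = expat.ParserCreate()
    # Never load parameter entities or an external DTD subset while scanning.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, system_id, public_id, has_internal_subset):
        findings.append(f"DOCTYPE '{name}' declared")
        if system_id:
            findings.append(f"external DTD subset: {system_id}")

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        kind = "external" if system_id else "internal"
        target = f" -> {system_id}" if system_id else ""
        findings.append(f"{kind} entity '{name}'{target}")

    def on_doctype_end():
        # Stop before the root element: entity references are never resolved.
        raise _DtdInspected

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.EndDoctypeDeclHandler = on_doctype_end
    try:
        parser.Parse(data, True)
    except _DtdInspected:
        pass
    except expat.ExpatError as exc:
        findings.append(f"not well-formed XML: {exc}")
    return findings


if __name__ == "__main__":
    for label, doc in (("clean", CLEAN), ("crafted", CRAFTED)):
        print(label, scan_tgml(doc) or "no DTD or entity declarations")
```

A non-empty result is a reason to quarantine the file rather than import it.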
Affected Version(s)
- EcoStruxure Building Operation Webstation: All 6.x versions prior to 6.0.4.14001 (CP10)
- EcoStruxure Building Operation Workstation: All 7.0.x versions prior to 7.0.3.2000 (CP1)