CRLF Injection Vulnerability in PowerSYSTEM Center Email Notification Service by Vendor
CVE-2026-35504

5.1MEDIUM

Key Information:

Vendor: Subnet Solutions
Status: Powersystem Center 2020; Powersystem Center 2024; Powersystem Center 2026
Vendor: CVE Published:; 12 May 2026

🔔 Create Subnet Solutions Vulnerability Alert

What is CVE-2026-35504?

The PowerSYSTEM Center email notification service is susceptible to a CRLF injection vulnerability when utilizing SMTPS for email communications. This flaw allows an attacker to manipulate the headers of the emails, leading to potential redirection of responses and unauthorized access. Proper sanitization of input can mitigate this risk, ensuring the integrity and confidentiality of email transmissions.

Affected Version(s)

PowerSYSTEM Center 2020 0 <= 5.28.x

PowerSYSTEM Center 2024 6.0.x <= 6.1.x

PowerSYSTEM Center 2026 7.0.x

References

https://www.cisa.gov/news-events/ics-advisories/icsa-26-1...

https://github.com/cisagov/CSAF/blob/develop/csaf_files/O...

CVSS V4

Score:

5.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Adjacent Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 12, 2026
Vulnerability Reserved
Apr 16, 2026

Credit

Kelly Stich of Subnet Solutions Inc. reported these vulnerabilities to CISA.

CVE-2026-35504 Data

JSON