Command Injection Vulnerability in SINEC INS by Siemens
CVE-2026-46746

8.7 HIGH

Key Information:

Vendor: Siemens

Status
Vendor
CVE Published: 9 June 2026

What is CVE-2026-46746?

SINEC INS does not properly sanitize user input in the /api/sftp/uploadFiles endpoint, which allows attackers to inject shell command payloads via specially crafted directory names. These payloads can be executed when directory listings are called, potentially enabling authenticated remote attackers to run arbitrary commands on the system with the privileges of the service user (sinecins). This poses a significant security threat to affected installations.

Affected Version(s)

SINEC INS 0

CVSS V4

Score: 8.7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
