Command Injection Vulnerability in SINEC INS by Siemens
CVE-2026-46746
8.7 HIGH
What is CVE-2026-46746?
SINEC INS does not properly sanitize user input in the /api/sftp/uploadFiles endpoint, which allows attackers to inject shell command payloads via specially crafted directory names. These payloads can be executed when directory listings are called, potentially enabling authenticated remote attackers to run arbitrary commands on the system with the privileges of the service user (sinecins). This poses a significant security threat to affected installations.
Affected Version(s)
SINEC INS 0
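The bug class described above is a stored directory name that later reaches a shell when listings are generated. The following added example shows both mitigations; it is not Siemens code and is not taken from the advisory. The allowlist policy, the function names, the `/srv/upload` path and the sample directory name are assumptions made for illustration.

```python
import os
import re
import tempfile

# Assumed policy (not from the advisory): one path component, conservative charset.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")

def validate_dir_name(name):
    """Upload-time check: reject any name the allowlist does not cover."""
    if not SAFE_NAME.fullmatch(name):
        raise ValueError(f"rejected directory name: {name!r}")
    return name

def shell_listing_command(base, name):
    """'Before' pattern, built but never executed here: the name becomes shell syntax."""
    return f"ls -la {base}/{name}"

def list_directory(base, name):
    """Listing-time 'after' pattern: no shell, and the target must stay under base."""
    root = os.path.realpath(base)
    target = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, target]) != root:
        raise ValueError("path escapes upload root")
    with os.scandir(target) as entries:
        return sorted(entry.name for entry in entries)

def demo():
    hostile = "logs; touch MARKER"  # constructed sample name with a harmless payload
    with tempfile.TemporaryDirectory() as base:
        # Simulates a name that was stored before upload-time validation existed.
        os.makedirs(os.path.join(base, hostile))
        open(os.path.join(base, hostile, "a.txt"), "w").close()
        try:
            validate_dir_name(hostile)
            rejected = False
        except ValueError:
            rejected = True
        listing = list_directory(base, hostile)  # name is treated as data only
        marker_created = os.path.exists(os.path.join(base, "MARKER"))
        return rejected, listing, marker_created, shell_listing_command("/srv/upload", hostile)

if __name__ == "__main__":
    print(demo())
```

Validation at upload stops new hostile names, while the shell-free listing keeps names already on disk from being interpreted as commands.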