CVSS: 5.1 • EPSS: 0% • CPEs: 2 • EXPL: 0 • CVE-2025-13902
https://notcve.org/view.php?id=CVE-2025-13902
10 Mar 2026 — CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists that could cause a condition where authenticated attackers can have a victim’s browser run arbitrary JavaScript when the victim hovers over a maliciously crafted element on a web server containing the injected payload. • https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-069-02&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-069-02.pdf • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.9 • EPSS: 0% • CPEs: 2 • EXPL: 0 • CVE-2025-13901
https://notcve.org/view.php?id=CVE-2025-13901
10 Mar 2026 — CWE-404 Improper Resource Shutdown or Release vulnerability exists that could cause partial Denial of Service on Machine Expert protocol when an unauthenticated attacker sends malicious payload to occupy active communication channels. • https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-069-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-069-01.pdf • CWE-404: Improper Resource Shutdown or Release •
CVSS: 7.3 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2026-1226
https://notcve.org/view.php?id=CVE-2026-1226
11 Feb 2026 — CWE‑94: Improper Control of Generation of Code vulnerability exists that could cause execution of untrusted or unintended code within the application when maliciously crafted design content is processed through a TGML graphics file. • https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-041-02&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-041-02.pdf • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.3 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2026-1227
https://notcve.org/view.php?id=CVE-2026-1227
11 Feb 2026 — CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that could cause unauthorized disclosure of local files, interaction within the EBO system, or denial of service conditions when a local user uploads a specially crafted TGML graphics file to the EBO server from Workstation. • https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-041-02&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-041-02.pdf • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 7.3 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2025-13905
https://notcve.org/view.php?id=CVE-2025-13905
29 Jan 2026 — CWE-276: Incorrect Default Permissions vulnerability exists that could cause privilege escalation through the reverse shell when one or more executable service binaries are modified in the installation folder by a local user with normal privilege upon service restart. • https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-013-02&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-013-02.pdf • CWE-276: Incorrect Default Permissions •
CVSS: 8.4 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2025-13845 – Schneider Electric EcoStruxure Power Build SSD File Parsing Use-After-Free Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2025-13845
15 Jan 2026 — CWE-416: Use After Free vulnerability that could cause remote code execution when the end user imports the malicious project file (SSD file) into Rapsody. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Schneider Electric EcoStruxure Power Build. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of SSD files. The issue results from th... • https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-013-04&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-013-04.pdf • CWE-416: Use After Free •
CVSS: 8.4 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2025-13844
https://notcve.org/view.php?id=CVE-2025-13844
15 Jan 2026 — CWE-415: Double Free vulnerability exists that could cause heap memory corruption when the end user imports a malicious project file (SSD file) shared by the attacker into Rapsody. • https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-013-04&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-013-04.pdf • CWE-415: Double Free •
CVSS: 6.6 • EPSS: 0% • CPEs: 4 • EXPL: 0 • CVE-2025-9997
https://notcve.org/view.php?id=CVE-2025-9997
09 Sep 2025 — CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that could cause command injection in BLMon that is executed in the operating system console when in an SSH session. • https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-252-02&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2025-252-02.pdf • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 6.6 • EPSS: 0% • CPEs: 4 • EXPL: 0 • CVE-2025-9996
https://notcve.org/view.php?id=CVE-2025-9996
09 Sep 2025 — CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that could cause the execution of any shell command when executing a netstat command using BLMon Console in an SSH session. • https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-252-02&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2025-252-02.pdf • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 5.4 • EPSS: 0% • CPEs: 7 • EXPL: 0 • CVE-2025-7746
https://notcve.org/view.php?id=CVE-2025-7746
09 Sep 2025 — CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists that could cause unvalidated data to be injected by a malicious user, potentially leading to modification or reading of data in a victim’s browser. • https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-252-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2025-252-01.pdf • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
