Zero Day MonitorZDM

← Back to list

4.3

CVE-2026-46747EXPLOITEDPATCHED

siemens · sinec ins

CVE-2026-46747: A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 6). The affected application does not p

Description

A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 6). The affected application does not properly sanitize path input in the `GET /api/sftp/uploadFiles` endpoint used for directory listing. This allows path traversal through crafted input, enabling access to unintended file system locations.

Affected Products

Vendor	Product	Versions
siemens	sinec ins	0

References

https://cert-portal.siemens.com/productcert/html/ssa-860189.html

Related News (1 articles)

Tier C

VulDB7h ago

CVE-2026-46747 | Siemens SINEC INS up to 1.0 SP2 Update 5 /api/sftp/uploadFiles path traversal (ssa-860189)

→ No new info (linked only)

CVSS 3.14.3 MEDIUM

VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

V1.0 SP2 Update 6

CWECWE-26

PublishedJun 9, 2026

Last enriched7h agov2

Tags

path traversal

Trending Score41

Source articles1

Independent1

Info Completeness9/14

Missing: epss, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

MEDIUMCVE-2025-40808EXP

CVE-2025-40808: A vulnerability has been identified in SIPROTEC 5 6MD84 (CP300) (All versions), SIPROTEC 5 6MD85 (CP200) (All versions),

HIGHCVE-2026-46748EXP

CVE-2026-46748: A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 6). The affected system includes a bina

HIGHCVE-2026-46746EXP

CVE-2026-46746: A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 6). The application does not properly s

HIGHCVE-2026-24349

CVE-2026-24349: A vulnerability has been identified in SIMATIC WinCC Unified PC Runtime V16 (All versions), SIMATIC WinCC Unified PC Run

HIGHCVE-2026-46749

CVE-2026-46749: A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 6). The affected application uses a pas

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

Jun 9, 2026

Discovered by ZDM

Jun 9, 2026

Updated: affectedVersions, severity, activelyExploited, tags

Jun 9, 2026

Actively Exploited

Jun 9, 2026

Patch Available

Jun 9, 2026

Version History

v2

Last enriched 7h ago

v2Tier C7h ago

Updated affected versions to include 1.0 SP2 Update 5, changed severity to HIGH, marked as actively exploited, and added new tag 'path traversal'.

affectedVersionsseverityactivelyExploitedtags

via VulDB

v17h ago

Initial creation