CVE-2025-41768 Beckhoff: XSS Vulnerability in TwinCAT 3 HMI Server

🗓️ 20 Jan 2026 08:02:53Reported by CERTVDEType

Admin can inject arbitrary CSS in TwinCAT 3 HMI Server, persisted and shown on login and error pages.

Reporter	Title	Published	Views	Family All 9
ATTACKERKB	CVE-2025-41768	20 Jan 202608:02	–	attackerkb
Circl	CVE-2025-41768	20 Jan 202608:04	–	circl
CNNVD	Beckhoff Automation TwinCAT 3 HMI Server Cross-site Scripting Vulnerability	20 Jan 202600:00	–	cnnvd
CVE	CVE-2025-41768	20 Jan 202608:02	–	cve
EUVD	EUVD-2026-3464	20 Jan 202608:02	–	euvd
NVD	CVE-2025-41768	20 Jan 202609:15	–	nvd
Positive Technologies	PT-2026-3546	20 Jan 202600:00	–	ptsecurity
RedhatCVE	CVE-2025-41768	21 Jan 202608:35	–	redhatcve
Vulnrichment	CVE-2025-41768 Beckhoff: XSS Vulnerability in TwinCAT 3 HMI Server	20 Jan 202608:02	–	vulnrichment

[
  {
    "defaultStatus": "unaffected",
    "product": "TwinCAT.HMI.Server",
    "vendor": "Beckhoff Automation",
    "versions": [
      {
        "lessThan": "14.4.267",
        "status": "affected",
        "version": "0.0.0",
        "versionType": "semver"
      }
    ]
  },
  {
    "defaultStatus": "unaffected",
    "product": "TF2000-HMI-Server",
    "vendor": "Beckhoff Automation",
    "versions": [
      {
        "lessThan": "14.4.267",
        "status": "affected",
        "version": "0.0.0",
        "versionType": "semver"
      }
    ]
  },
  {
    "defaultStatus": "unaffected",
    "product": "tf2000-hmi-server",
    "vendor": "Beckhoff Automation",
    "versions": [
      {
        "lessThan": "14.4.267",
        "status": "affected",
        "version": "0.0.0",
        "versionType": "semver"
      }
    ]
  }
]

Source	Link
certvde	www.certvde.com/de/advisories/VDE-2025-106

12 Feb 2026 09:00Current

CVSS 3.15.5

EPSS0.00207

CWE-79