Summary
PiCtory, the web application used to configure the Pilz industrial PC IndustrialPI, has three vulnerabilities of varying severity. The first two are rated critical: an authentication bypass and a stored cross-site-scripting attack. The third, rated medium, exposes PiCtory to a reflected cross-site-scripting attack.
Impact
An unauthenticated attacker can change the configuration of the PiCtory project. This can lead to unwanted behavior or a denial of service.
Affected Product(s)
| Model no. | Product name | Affected versions |
|---|---|---|
| | Pilz Software PiCtory, running on Pilz Firmware Bullseye <=2024-08 installed on Pilz Hardware IndustrialPI 4 | <2.12 |
Vulnerabilities
- KUNBUS PiCtory versions 2.5.0 through 2.11.1 have an authentication bypass vulnerability: a remote attacker can bypass authentication and gain access because of a path traversal.
- KUNBUS PiCtory version 2.11.1 and earlier are vulnerable to stored cross-site scripting. An authenticated remote attacker can craft a special filename that is stored by API endpoints. That filename is later transmitted to the client in order to show a list of configuration files. Because it is neither escaped nor sanitized, the filename can be rendered as an HTML script tag, resulting in a cross-site-scripting attack.
- KUNBUS PiCtory version 2.11.1 and earlier are vulnerable to reflected cross-site scripting via the sso_token used for authentication. If an attacker provides the user with a PiCtory URL containing an HTML script as the sso_token, that script is reflected back to the user and executed.
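As an added illustration (not PiCtory's code, and not taken from this advisory), the following JavaScript shows the two cross-site-scripting patterns above as a vulnerable rendering next to an output-encoded one: a stored configuration filename inserted into a file list, and an sso_token read from the request URL and echoed into the page. The function names, the markup, the filename allowlist, and the sample filename and URL are all assumptions made for the example.

```javascript
// Added example (not PiCtory's code): the two XSS patterns described in the
// advisory, each shown as the vulnerable rendering beside an escaped one.
// All function names, the markup and the sample inputs are assumptions.

// Escape the five characters that matter inside element content and
// double-quoted attribute values. Output-encoding at the point where
// untrusted text meets HTML is the generic remedy for both findings.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Stored XSS (second finding): filenames returned by the configuration-file
// API are concatenated straight into markup. A stored name such as
// "<script>...</script>.rsc" is parsed by the browser as a real element.
function renderFileListUnsafe(filenames) {
  return '<ul>' + filenames.map((name) => `<li>${name}</li>`).join('') + '</ul>';
}

// Hardened variant: every filename is escaped before it enters the markup,
// so the same name is displayed as literal text.
function renderFileListSafe(filenames) {
  return '<ul>' + filenames.map((name) => `<li>${escapeHtml(name)}</li>`).join('') + '</ul>';
}

// Reflected XSS (third finding): the sso_token is read from the request URL
// and echoed into the page, for instance in a login-failure message.
function extractSsoToken(requestUrl) {
  // URL.searchParams percent-decodes the value, so "%3Cscript%3E" becomes "<script>".
  return new URL(requestUrl).searchParams.get('sso_token') || '';
}

function renderLoginErrorUnsafe(ssoToken) {
  return `<p>Login with sso_token ${ssoToken} failed</p>`;
}

function renderLoginErrorSafe(ssoToken) {
  return `<p>Login with sso_token ${escapeHtml(ssoToken)} failed</p>`;
}

// Defence in depth for the stored case: validate the filename on the server
// before it is stored at all. The allowlist is an assumption for this example;
// it rejects path separators and "..", which also blocks traversal-style input.
function isSafeConfigFilename(name) {
  return /^[A-Za-z0-9][A-Za-z0-9_.-]{0,63}$/.test(name) && !name.includes('..');
}

// True if the rendered HTML contains a live <script> element.
function hasScriptElement(html) {
  return /<script\b/i.test(html);
}

// Constructed sample inputs (not real captured data).
const STORED_PAYLOAD = '<script>alert(document.cookie)</script>.rsc';
const REFLECTED_URL =
  'http://192.0.2.10/?sso_token=%3Cscript%3Ealert(1)%3C%2Fscript%3E';

// Runs both scenarios and reports whether the script survives rendering.
function demo() {
  const token = extractSsoToken(REFLECTED_URL);
  return {
    storedUnsafeExecutes: hasScriptElement(renderFileListUnsafe([STORED_PAYLOAD])),
    storedSafeExecutes: hasScriptElement(renderFileListSafe([STORED_PAYLOAD])),
    reflectedUnsafeExecutes: hasScriptElement(renderLoginErrorUnsafe(token)),
    reflectedSafeExecutes: hasScriptElement(renderLoginErrorSafe(token)),
    payloadAcceptedAsFilename: isSafeConfigFilename(STORED_PAYLOAD),
  };
}
```

Running `node` on the file and printing `demo()` shows the unsafe renderers keeping a live `<script>` element while the escaped ones do not, and the allowlist rejecting the payload as a filename. The advisory does not say how version 2.12 fixes these issues; escaping at output and validating at input are the generic remedies for this bug class.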
Remediation
- Update the PiCtory package to version 2.12 via the 'apt' package manager. Use 'sudo apt update && sudo apt upgrade -y' to pull and install all available updates for the IndustrialPI. To check the installed version of the pictory package, use 'dpkg -l | grep pictory'.
- Limit network access to the IndustrialPI by using a firewall or similar measures.
Acknowledgments
Pilz GmbH & Co. KG thanks the following parties for their efforts:
- CERT@VDE for coordination (see https://certvde.com )
Revision History
| Version | Date | Summary |
|---|---|---|
| 1 | 06/30/2025 12:00 | Initial Version |