XSS in Schneider Electric Modicon Controllers M241/m251

CVE-2025-13902

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists that could cause condition where authenticated attackers can have a victim’s browser run arbitrary JavaScript when the victim…

Vulnerability class: XSS (Cross-Site Scripting)

EPSS: 0.001 (21.5th percentile) — read the EPSS interpretation.

Affected products

Schneider Electric Modicon Controllers M241/m251 — versions Versions prior to 5.4.13.12
Schneider Electric Modicon Controllers M258/lmc058 — versions All versions

Weakness classification (CWE)

CWE-79 — Cross-site Scripting

References

download.schneider-electric.com/files