RCE in Schneider Electric Ecostruxure Building Operation Webstation
CVE-2026-1226
CWE‑94: Improper Control of Generation of Code vulnerability exists that could cause execution of untrusted or unintended code within the application when maliciously crafted design content is processed through a TGML graphics file.
Vulnerability class: RCE (Remote Code Execution)
EPSS: 0.001 (3.0th percentile) — read the EPSS interpretation.
Affected products
- Schneider Electric Ecostruxure Building Operation Webstation — versions All 6.0.x versions prior to 6.0.4.7000 (CP5)
- Schneider Electric Ecostruxure Building Operation Workstation — versions All 7.0.x versions prior to 7.0.2