CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-12897

criticalcovered by 1 sourcefirst seen 2026-06-25
View CSAF Summary Successful exploitation of this vulnerability could allow a local attacker to disclose information and execute arbitrary code. The following versions of Horner Automation Cscape are affected: Cscape <10.2_SP3 CVSS Vendor Equipment Vulnerabilities v3 7.8 Horner Automation Horner Automation Cscape Out-of-bounds Read Background Critical Infrastructure Sectors: Critical Manufacturing Countries/Areas Deployed: Worldwide Company Headquarters Location: United States Vulnerabilities Expand All + CVE-2026-12897 Horner Automation Cscape versions prior to 10.2 SP3 are vulnerable to an Out-of-Bounds Read vulnerability through parsing CSP files. Successful exploitation of this vulnerability could allow an attacker to disclose information and execute arbitrary code. View CVE Details Affected Products Horner Automation Cscape Vendor: Horner Automation Product Version: Horner Automation Cscape: <10.2_SP3 Product Status: known_affected Remediations Vendor fix Horner Automation has released Cscape 10.2 SP3 for users to download. Vendor fix For more information, see the Cscape 10.2 SP3 release notes (https://hornerautomation.com/cscape-software-free/cscape-software/). https://hornerautomation.com/cscape-software-free/cscape-software/ Relevant CWE: CWE-125 Out-of-bounds Read Metrics CVSS Version Base Score Base Severity Vector String 3.1 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 4.0 8.4 HIGH CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Acknowledgments Michael Heinzl reported this vulnerability to CISA Legal Notice and Terms of Use This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy). Recommended Practices CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the intern

CSIRTS triage

What
A vulnerability could allow a local attacker to disclose information and execute arbitrary code.
Who is affected
Users of Horner Automation Cscape versions prior to 10.2 SP3.
Urgency
Critical urgency due to the severity of the vulnerabilities.
Action
Upgrade to Cscape version 10.2 SP3 or later.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch CVE-2026-12897

Get an email if CVE-2026-12897 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-12897

CVE.org record

Embed the live status

CVE-2026-12897 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-12897 status](https://www.csirts.com/badge/CVE-2026-12897)](https://www.csirts.com/cve/CVE-2026-12897)