Summary
Successful exploitation of these vulnerabilities could allow an authenticated attacker to expose sensitive information or perform a CRLF injection.
The following versions of Subnet Solutions PowerSYSTEM Center are affected:
- PowerSYSTEM Center 2020 <=5.28.x (CVE-2026-35504)
- PowerSYSTEM Center 2020 >=5.8.x|<=5.28.x (CVE-2026-26289)
- PowerSYSTEM Center 2020 >=5.11.x|<=5.28.x (CVE-2026-33570)
- PowerSYSTEM Center 2024 >=6.0.x|<=6.1.x (CVE-2026-26289, CVE-2026-35555, CVE-2026-35504)
- PowerSYSTEM Center 2026 7.0.x (CVE-2026-26289, CVE-2026-35555, CVE-2026-35504)
| CVSS | Vendor | Equipment | Vulnerabilities |
|---|---|---|---|
| v3 8.2 | Subnet Solutions Inc. | Subnet Solutions PowerSYSTEM Center | Incorrect Authorization, Improper Neutralization of CRLF Sequences ('CRLF Injection') |
Background
- Critical Infrastructure Sectors: Critical Manufacturing, Energy
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: Canada
Vulnerabilities
CVE-2026-26289
The PowerSYSTEM Center REST API endpoint for device account export allows an authenticated user with limited permissions to access sensitive information that is normally restricted to administrative permissions only.
Affected Products
Subnet Solutions Inc. PowerSYSTEM Center:
- PowerSYSTEM Center 2020: >=5.8.x|<=5.28.x
- PowerSYSTEM Center 2024: >=6.0.x|<=6.1.x
- PowerSYSTEM Center 2026: 7.0.x
Remediations
Mitigation
Subnet Solutions recommends users update to the latest version of PowerSYSTEM Center: PSC 2020 Update 29, PSC 2024 Update 2, and PSC 2026 GA Hotfix.
Mitigation
For assistance in upgrading, users should contact a Subnet Solutions System Integration team member or customer support team at (403) 270-8885 or by email at support@subnet.com.
Mitigation
Subnet Solutions recommends users do the following in order to reduce risk:
- Monitor user activity records to ensure users are following acceptable usage policies of the application.
- Restrict access to Notification Settings to trusted Administrators.
- Monitor "Send from Address" in settings and Activity Records.
- Configure a notification rule that triggers on any bulk account export activity.
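The following Python is an added example, not code from the advisory or from Subnet Solutions, showing how the two monitoring recommendations above and the CRLF class listed in the summary table translate into concrete checks: a hardened validator for a header-bound setting such as "Send from Address" that refuses CR/LF outright, and a scan over activity records that flags device account exports and sender-address changes, with exports and changes by non-administrators called out separately. The activity-record format, field names, role names and sample lines are constructed assumptions; the real PowerSYSTEM Center record layout is not documented on the page.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Literal CR/LF or its percent-encoded form, as a logged HTTP parameter would carry it.
_CRLF_RE = re.compile(r"\r|\n|%0d|%0a", re.IGNORECASE)

# Constructed role name; the product's actual role labels are an assumption here.
ADMIN_ROLES = {"administrator"}

# Constructed sample activity records: "timestamp key=value key=value ...".
SAMPLE_ACTIVITY_RECORDS = """\
2026-04-01T08:12:03Z user=ops_viewer role=operator action=device.list result=ok count=12
2026-04-01T08:15:44Z user=ops_viewer role=operator action=device_account.export result=ok count=340
2026-04-01T09:02:10Z user=admin1 role=administrator action=notification.settings.update field=send_from value=alerts@example.com
2026-04-01T09:05:31Z user=ops_viewer role=operator action=notification.settings.update field=send_from value=alerts@example.com%0D%0AX-Injected:%201
2026-04-01T09:30:00Z user=admin1 role=administrator action=device_account.export result=ok count=340
"""


def contains_crlf(value: str) -> bool:
    """True if the value carries a CR or LF, raw or percent-encoded."""
    return _CRLF_RE.search(value) is not None


def validate_send_from(value: str) -> str:
    """Hardened setter for a header-bound setting.

    Rejects rather than strips CR/LF, so nothing can append extra header
    lines, and additionally requires a single plain e-mail address.
    """
    if contains_crlf(value):
        raise ValueError("CR/LF not permitted in Send from Address")
    if not re.fullmatch(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}", value):
        raise ValueError("Send from Address must be a single plain e-mail address")
    return value


def rejects_send_from(value: str) -> bool:
    """Convenience wrapper: True if the validator refuses the value."""
    try:
        validate_send_from(value)
    except ValueError:
        return True
    return False


def parse_record(line: str) -> dict[str, str]:
    """Parse one constructed 'timestamp key=value ...' line into a dict."""
    ts, _, rest = line.partition(" ")
    fields = {"ts": ts}
    for token in rest.split(" "):
        key, _, val = token.partition("=")
        fields[key] = val
    return fields


@dataclass
class Finding:
    ts: str
    user: str
    role: str
    reason: str


def scan_activity(records: str) -> list[Finding]:
    """Flag account exports and Send-from changes, per the advisory's guidance."""
    findings: list[Finding] = []
    for line in records.splitlines():
        if not line.strip():
            continue
        r = parse_record(line)
        user, role = r.get("user", "?"), r.get("role", "?")
        if r.get("action") == "device_account.export":
            # Notify on any bulk export; an export by a non-administrator is the
            # pattern the authorization weakness (CWE-863) makes possible.
            reason = "bulk_export" if role in ADMIN_ROLES else "bulk_export_by_non_admin"
            findings.append(Finding(r["ts"], user, role, reason))
        if r.get("action") == "notification.settings.update" and r.get("field") == "send_from":
            if role not in ADMIN_ROLES:
                findings.append(Finding(r["ts"], user, role, "send_from_changed_by_non_admin"))
            if contains_crlf(r.get("value", "")):
                findings.append(Finding(r["ts"], user, role, "crlf_in_send_from"))
    return findings


if __name__ == "__main__":
    for f in scan_activity(SAMPLE_ACTIVITY_RECORDS):
        print(f"{f.ts} {f.reason:32s} user={f.user} role={f.role}")
```

Run on the constructed records, the scan reports four findings: the operator's export, the operator's change to the sender address, the CR/LF inside that new address, and the administrator's export (reported as ordinary bulk-export activity). Rejecting rather than sanitising CR/LF in the validator is the deliberate choice: a stripped value still silently differs from what the administrator entered, while a rejection surfaces the attempt in the activity record.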
Relevant CWE: CWE-863 Incorrect Authorization
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 8.2 | HIGH | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L |
CVE-2026-33570
The PowerSYSTEM Center REST API endpoint for devices allows a low-privilege authenticated user to access information normally limited by operational permissions.
Affected Products
Subnet Solutions Inc. PowerSYSTEM Center:
- PowerSYSTEM Center 2020: >=5.11.x|<=5.28.x