GridTime™ 3000 GNSS Time Server CSRF to XSS
Summary
| CVE | CVE-2026-12619 |
|---|---|
| State | PUBLISHED |
| Assigner | Microchip |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-19 16:16:16 UTC |
| Updated | 2026-07-09 16:41:04 UTC |
| Description | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Microchip GridTime 3000 allows Cross-Site Scripting (XSS). This issue affects GridTime 3000: from 1.0r0.03 through 1.1r0.0. |
Risk And Classification
Primary CVSS: v4.0 5.1 MEDIUM from dc3f6da9-85b5-4a73-84a2-2ec90b40fca5
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:A/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.001360000 probability, percentile 0.034230000 (date 2026-07-12)
Problem Types: CWE-79 | CWE-79 CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | dc3f6da9-85b5-4a73-84a2-2ec90b40fca5 | Secondary | 5.1 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:A/C... |
| 4.0 | CNA | CVSS | 5.1 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:A |
| 3.1 | [email protected] | Primary | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
CVSS v4.0 Breakdown
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:A/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CVSS v3.1 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Hardware | Microchip | Gridtime 3000 | - | All | All | All |
| Operating System | Microchip | Gridtime 3000 Firmware | All | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Microchip | GridTime 3000 | affected 1.0r0.03 1.1r0.0 custom | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-... | dc3f6da9-85b5-4a73-84a2-2ec90b40fca5 | www.microchip.com | Vendor Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Leo Angelo Diamat (Bastion Security Group) (en)
Additional Advisory Data
Solutions
CNA: Upgrade GridTime 3000 GNSS Time Server to the latest firmware. As of the firmware release 1.2r0.0, CSRF protections and parameter sanitization have been improved to not allow execution of arbitrary queries.