This vulnerability (CVE-2026-2404) affects Schneider Electric PowerChute™ Serial Shutdown versions 1.4 and earlier. It is caused by improper encoding or escaping of output (CWE-116) when processing the POST /j_security check request payload. An attacker can exploit this by injecting crafted data into the request, resulting in log injection and forged log entries. The CVSS 4.0 base score is 6.9, reflecting a medium severity with network attack vector, no privileges required, no user interaction, and limited impact on integrity. No vendor-provided patch or remediation level is currently documented.

The vulnerability allows an attacker to inject and forge log entries, potentially misleading administrators or automated systems that rely on logs for monitoring and incident response. This could hinder forensic investigations or conceal malicious activity. There is no indication of direct impact on confidentiality, availability, or system control. No known exploits have been reported.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, monitor for updates from Schneider Electric. Since no vendor advisory or patch is currently provided, no specific mitigation steps can be recommended beyond awaiting an official fix.