
PSIRT-144: GridTime™ 3000 GNSS Time Server CSRF to XSS

Vulnerability Details


Cross-Site Scripting (XSS) Vulnerability on Several Endpoints by Utilizing Cross-Site Request Forgery (CSRF) in GridTime™ 3000 GNSS Time Server

Improper neutralization of input during POST requests on several API endpoints in the GridTime 3000 allows XSS. This issue affects GridTime 3000: from 1.0r0.03 before 1.2r0.0.

CWE-79

Date of Disclosure: 06/10/2026

Affected Product:  GridTime™ 3000 GNSS Time Server

  • Vulnerability Type: CSRF XSS vulnerability
  • CVE Identifier: CVE-2026-12619
  • CVSS Score:  CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A
    CVSS 4.0 Score: 5.1 / Medium 
  • Vulnerability Description:
    • The GridTime 3000 GNSS Time Server has an XSS vulnerability on several API endpoints that can be triggered via CSRF.
  • Affected Versions: 
    • Firmware 1.0r0.03 through 1.1r0.0
  • Vulnerability Status: 
    • Resolved in firmware release 1.2r0.0

Risk Assessment


Exploitation of the vulnerability allows an attacker with valid credentials to execute a malicious request and introduce an XSS payload.

Mitigation


Upgrade GridTime 3000 GNSS Time Server to the latest firmware.

Patch/Release Information


As of firmware release 1.2r0.0, CSRF protections and parameter sanitization have been improved to prevent execution of arbitrary queries.

Recommendations


It is strongly recommended that all customers upgrade GridTime 3000 GNSS Time Server to firmware version 1.2r0.0 or newer.
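
To act on the affected and fixed versions listed above, the following added example (not part of the advisory and not vendor code) sorts an inventory of firmware strings into affected, fixed, not listed and unparseable. It assumes the version format MAJOR.MINORrREV.BUILD with fields compared as integers from left to right; the hostnames and the sample inventory are constructed.

```python
import re

# Assumed firmware string shape, inferred from the versions quoted in the
# advisory (e.g. "1.0r0.03"): MAJOR.MINOR "r" REV.BUILD, all numeric.
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)r(\d+)\.(\d+)\s*$", re.IGNORECASE)

FIRST_AFFECTED = "1.0r0.03"  # first affected firmware, from the advisory
FIRST_FIXED = "1.2r0.0"      # first fixed firmware, from the advisory


def parse_version(text):
    """Return a 4-tuple of ints, or None if the string does not match."""
    m = _VERSION_RE.match(text or "")
    return tuple(int(g) for g in m.groups()) if m else None


def classify(version):
    """Classify one firmware string against the advisory's range.

    Assumption: fields order as integers, left to right.
    """
    v = parse_version(version)
    if v is None:
        return "unparseable"
    if v >= parse_version(FIRST_FIXED):
        return "fixed"
    if v >= parse_version(FIRST_AFFECTED):
        return "affected"
    # Older than the first listed version: the advisory makes no statement,
    # so report it separately instead of calling it safe.
    return "not-listed"


def triage(inventory):
    """Map {hostname: firmware string} to {status: [hostnames]}."""
    report = {}
    for host, fw in sorted(inventory.items()):
        report.setdefault(classify(fw), []).append(host)
    return report


# Constructed inventory; hostnames and the mix of versions are made up.
SAMPLE_INVENTORY = {
    "gt3000-sub-a": "1.0r0.03",
    "gt3000-sub-b": "1.1r0.0",
    "gt3000-sub-c": "1.2r0.0",
    "gt3000-lab": "1.0r0.01",
    "gt3000-spare": "unknown",
}
```

Units reported as not-listed or unparseable need a manual check against the vendor's release notes, since the ordering of build numbers is an assumption here.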
