We detect you are using an unsupported browser. For the best experience, please visit the site using Chrome, Firefox, Safari, or Edge. X

Maximize Your Experience: Reap the Personalized Advantages by Completing Your Profile to Its Fullest. Update Here

Stay in the loop with the latest from Microchip. Update your profile while you are at it. Update Here

Complete your profile to access more resources. Update Here

PSIRT-146: GridTime™ 3000 GNSS Time Server DOM XSS

Vulnerability Details

Cross-Site Scripting (XSS) Vulnerability in Password Reset Redirect in GridTime™ 3000 GNSS Time Server

Improper neutralization of input during web page generation XSS vulnerability in the GridTime 3000 (password reset form) allows XSS. This issue affects GridTime 3000: from 1.0r0.03 before 1.2r0.0.

Date of Disclosure: 06/10/2026

Affected Product: GridTime 3000 GNSS Time Server

Vulnerability Type: DOM-based XSS vulnerability
CVE Identifier: CVE-2026-12621
CVSS Score: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
CVSS 4.0 Score: 5.3 / Medium
Vulnerability Description:
- The GridTime 3000 GNSS Time Server has a XSS vulnerability in the password change form submission
Affected Versions:
- Firmware 1.0r0.03 through 1.1r0.0
Vulnerability Status:
- Resolved in firmware release 1.2r0.0

Risk Assessment

Exploitation of the vulnerability allows an attacker with valid credentials to execute arbitrary scripts in any user context.

Mitigation

Upgrade GridTime 3000 GNSS Time Server to the latest firmware

Patch/Release Information

As of the firmware release 1.2r0.0, parameter sanitization has been improved to not allow execution of arbitrary queries.

Recommendations

It is strongly recommended that all customers upgrade GridTime 3000 GNSS Time Server to firmware version 1.2r0.0 or newer.