Skip to main content

Comet Backup CVE-2026-32999

| EUVDEUVD-2026-32715 CRITICAL
Code Injection (CWE-94)
2026-05-28 hackerone GHSA-x8w2-9wjv-3hv6
9.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.0 CRITICAL
AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Patch available
May 28, 2026 - 06:01 EUVD
Analysis Updated
May 28, 2026 - 05:28 vuln.today
v3 (cvss_changed)
Analysis Updated
May 28, 2026 - 05:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 28, 2026 - 05:22 vuln.today
cvss_changed
CVSS changed
May 28, 2026 - 05:22 NVD
9.1 (CRITICAL) 9.0 (CRITICAL)
Analysis Generated
May 28, 2026 - 05:02 vuln.today

DescriptionCVE.org

Insufficient character filtering in backup agent signing module on Comet Backup server allows authenticated tenant administrator to execute an arbitrary code on behalf of a privileged user on the affected server and connected devices.

AnalysisAI

Remote code execution in Comet Backup server allows a tenant administrator to inject arbitrary code into the backup agent signing module via insufficient character filtering, ultimately running code with elevated privileges on the Comet server and on connected backup agent devices. The vendor advisory links the issue to the branding configuration path, and no public exploit has been identified at time of analysis. Combined with a Scope:Changed CVSS:3.1 score of 9.0, successful exploitation pivots from a single tenant context into the underlying server and downstream endpoints.

Technical ContextAI

Comet Backup is a multi-tenant backup platform (cpe:2.3:a:webpros:comet_backup) where the central server distributes signed agents to client devices. The root cause class is CWE-94 (Improper Control of Generation of Code), here manifesting as insufficient character sanitization in the module that signs/builds backup agents - tenant-supplied branding values appear to flow unfiltered into a code or template context used during agent generation. Because signed agents are trusted and pushed to connected endpoints, injection at this layer breaks the trust boundary between a tenant and the server, which is reflected in the CVSS Scope:Changed (S:C) designation.

RemediationAI

Patch available per vendor advisory - upgrade the Comet server to the fixed build listed at https://support.cometbackup.com/hc/en-us/articles/40655100268439--CVE-2026-32999-RCE-on-Comet-Server-via-branding-configuration; the exact fixed version is not independently confirmed from the provided data and should be taken from that advisory. Until patched, restrict who can log in as a tenant administrator, audit existing tenant admin accounts for unexpected users, and avoid delegating tenant-admin rights to untrusted resellers or customers, recognizing that this limits the legitimate self-service branding workflow. As a defensive control, review and constrain the branding configuration values currently stored for each tenant for unexpected characters or payloads, and rotate any signing keys or credentials that may have been exposed on the server. Place the Comet server's management interface behind VPN/SSO and IP allowlisting to reduce the attack surface, accepting that this may break remote tenant self-service.

Share

CVE-2026-32999 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy