Severity by source
AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionCVE.org
Insufficient character filtering in backup agent signing module on Comet Backup server allows authenticated tenant administrator to execute an arbitrary code on behalf of a privileged user on the affected server and connected devices.
AnalysisAI
Remote code execution in Comet Backup server allows a tenant administrator to inject arbitrary code into the backup agent signing module via insufficient character filtering, ultimately running code with elevated privileges on the Comet server and on connected backup agent devices. The vendor advisory links the issue to the branding configuration path, and no public exploit has been identified at time of analysis. Combined with a Scope:Changed CVSS:3.1 score of 9.0, successful exploitation pivots from a single tenant context into the underlying server and downstream endpoints.
Technical ContextAI
Comet Backup is a multi-tenant backup platform (cpe:2.3:a:webpros:comet_backup) where the central server distributes signed agents to client devices. The root cause class is CWE-94 (Improper Control of Generation of Code), here manifesting as insufficient character sanitization in the module that signs/builds backup agents - tenant-supplied branding values appear to flow unfiltered into a code or template context used during agent generation. Because signed agents are trusted and pushed to connected endpoints, injection at this layer breaks the trust boundary between a tenant and the server, which is reflected in the CVSS Scope:Changed (S:C) designation.
RemediationAI
Patch available per vendor advisory - upgrade the Comet server to the fixed build listed at https://support.cometbackup.com/hc/en-us/articles/40655100268439--CVE-2026-32999-RCE-on-Comet-Server-via-branding-configuration; the exact fixed version is not independently confirmed from the provided data and should be taken from that advisory. Until patched, restrict who can log in as a tenant administrator, audit existing tenant admin accounts for unexpected users, and avoid delegating tenant-admin rights to untrusted resellers or customers, recognizing that this limits the legitimate self-service branding workflow. As a defensive control, review and constrain the branding configuration values currently stored for each tenant for unexpected characters or payloads, and rotate any signing keys or credentials that may have been exposed on the server. Place the Comet server's management interface behind VPN/SSO and IP allowlisting to reduce the attack surface, accepting that this may break remote tenant self-service.
More in Comet Backup
View allSame weakness CWE-94 – Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32715
GHSA-x8w2-9wjv-3hv6