Skip to main content

Comet Backup CVE-2026-32999

| EUVD-2026-32715 CRITICAL
Code Injection (CWE-94)
2026-05-28 hackerone GHSA-x8w2-9wjv-3hv6
RCE Code Injection
9.0
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Patch available
May 28, 2026 - 06:01 EUVD
Analysis Updated
May 28, 2026 - 05:28 vuln.today
v3 (cvss_changed)
Analysis Updated
May 28, 2026 - 05:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 28, 2026 - 05:22 vuln.today
cvss_changed
CVSS changed
May 28, 2026 - 05:22 NVD
9.1 (CRITICAL) 9.0 (CRITICAL)
Analysis Generated
May 28, 2026 - 05:02 vuln.today

DescriptionNVD

Insufficient character filtering in backup agent signing module on Comet Backup server allows authenticated tenant administrator to execute an arbitrary code on behalf of a privileged user on the affected server and connected devices.

AnalysisAI

Remote code execution in Comet Backup server allows a tenant administrator to inject arbitrary code into the backup agent signing module via insufficient character filtering, ultimately running code with elevated privileges on the Comet server and on connected backup agent devices. The vendor advisory links the issue to the branding configuration path, and no public exploit has been identified at time of analysis. …

Sign in for full analysis, threat intelligence, and remediation guidance.

RemediationAI

Within 24 hours: Audit all Comet Backup tenant administrator role assignments and restrict branding configuration access to essential personnel; enable multi-factor authentication for all administrative access to Comet Backup systems. Within 7 days: Implement network segmentation to isolate Comet Backup infrastructure from production systems; configure enhanced audit logging for all branding configuration modifications and administrative actions; establish real-time alerts for suspicious administrator activity. …

Sign in for detailed remediation steps.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Share

CVE-2026-32999 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy