Skip to main content

Aetopia DAM CVE-2026-38450

| EUVDEUVD-2026-44579 CRITICAL
Code Injection (CWE-94)
2026-07-14 cve@mitre.org GHSA-gq83-g5c5-qrrq
9.8
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Network SSTI-to-RCE with total impact, but the Add/Update Project function is normally authenticated, so PR:L rather than the NVD PR:N; low complexity and no user interaction.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jul 15, 2026 - 15:26 vuln.today
CVSS changed
Jul 15, 2026 - 15:22 NVD
9.8 (CRITICAL)
CVE Published
Jul 14, 2026 - 22:16 cve.org
CRITICAL 9.8
CVE Published
Jul 14, 2026 - 22:16 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

An issue in Aetopia Digital Asset Management DAM v.1.0.0 allows a remote attacker to execute arbitrary code via the name and description parameter of the Add/Update Project function

AnalysisAI

Remote code execution in Aetopia Digital Asset Management (DAM) v1.0.0 is achievable through a server-side template injection flaw: attacker-controlled input in the 'name' and 'description' parameters of the Add/Update Project function is evaluated by the server-side template engine, letting an attacker run arbitrary code on the host. NVD scores this CVSS 9.8 (network, low complexity, no privileges required), and a public researcher writeup detailing the SSTI exists on the eslam3kl GitBook; however, there is no public exploit identified as weaponized code and it is not listed in CISA KEV, so it is not confirmed as actively exploited. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate or reach DAM web interface
Delivery
Open Add/Update Project form
Exploit
Inject template payload in name/description
Execution
Server template engine evaluates input
Persist
Execute arbitrary code on host
Impact
Full system compromise

Vulnerability AssessmentAI

Exploitation Exploitation requires the ability to invoke the Add/Update Project function and supply attacker-controlled values in the 'name' and/or 'description' parameters, which are rendered server-side by a template engine (SSTI). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The raw signals point to high severity: CVSS 9.8 with AV:N/AC:L/PR:N/UI:N/C:H/I:H/A:H implies trivial unauthenticated network RCE. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can reach the Aetopia DAM web interface submits a new or updated Project with a template-injection payload embedded in the name or description field. When the server renders the project data through its template engine, the payload is evaluated, executing attacker-supplied commands on the underlying host. …
Remediation No vendor-released patch or fixed version was identified at time of analysis, and no vendor security advisory URL was provided (only the vendor marketing page and a third-party researcher writeup), so a specific upgrade target cannot be cited. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Identify all Aetopia DAM v1.0.0 instances within 24 hours and assess their network accessibility and operational criticality. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-38450 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy