Skip to main content

Loadmaster CVE-2026-4048

| EUVDEUVD-2026-23859 HIGH
Command Injection (CWE-77)
2026-04-20 ProgressSoftware GHSA-pwx9-99jm-fx95
8.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.4 HIGH
AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Re-analysis Queued
Apr 20, 2026 - 19:07 vuln.today
cvss_changed
Analysis Generated
Apr 20, 2026 - 14:33 vuln.today
EUVD ID Assigned
Apr 20, 2026 - 14:15 euvd
EUVD-2026-23859
Analysis Generated
Apr 20, 2026 - 14:15 vuln.today
CVE Published
Apr 20, 2026 - 13:36 nvd
HIGH 8.4

DescriptionCVE.org

OS Command Injection Remote Code Execution Vulnerability in UI in Progress ADC Products allows an authenticated attacker with “All” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in a custom WAF rule file during the file upload process.

AnalysisAI

OS command injection in Progress LoadMaster and related ADC products allows authenticated administrators with 'All' permissions to execute arbitrary commands via malicious WAF rule file uploads. The attacker exploits unsanitized input during the file upload process in the web UI. With CVSS 8.4 and scope change to 'Changed', successful exploitation enables complete system compromise beyond the vulnerable component. No active exploitation confirmed (not in CISA KEV) and no public POC identified at time of analysis. EPSS data not available for risk assessment.

Technical ContextAI

This vulnerability affects Progress Software's Application Delivery Controller (ADC) suite, specifically LoadMaster, ECS Connections Manager, Object Scale Connection Manager, and MOVEit WAF. The flaw is rooted in CWE-77 (Improper Neutralization of Special Elements used in a Command), meaning the application fails to sanitize user-controlled input before passing it to operating system command interpreters. The vulnerable code path exists in the WAF rule file upload functionality within the web management UI. When custom WAF rules are uploaded, the appliance processes the file contents without proper input validation, allowing shell metacharacters or command sequences to be interpreted by the underlying OS. The CVSS vector indicates Adjacent Network attack vector (AV:A), meaning the attacker must be on the same network segment as the management interface, though this is often achievable in enterprise environments through VPN access or internal network positioning.

RemediationAI

Apply security updates per Progress Software advisory at https://community.progress.com/s/article/LoadMaster-Security-Vulnerabilites-CVE-2026-3517-CVE-2026-3518-CVE-2026-3519-CVE-2026-4048-CVE-2026-21876. Exact patched versions are not specified in available data - consult the vendor advisory directly for release numbers and upgrade procedures. If immediate patching is not feasible, implement compensating controls: (1) Restrict access to the LoadMaster management interface to dedicated admin jump hosts or bastion servers on isolated VLANs, reducing the adjacent network attack surface. (2) Implement principle of least privilege by auditing administrator accounts and removing 'All' permissions where not strictly required, granting only specific functional permissions. (3) Enable detailed audit logging for all WAF rule file upload operations and monitor for anomalous file content patterns or unexpected command sequences. (4) If WAF custom rule uploads are not operationally required, disable this functionality through appliance hardening policies. Note that disabling custom WAF rules may impact security posture if legitimate custom rules are in production. (5) Deploy network segmentation to prevent lateral movement from ADC appliances to backend systems, limiting Changed Scope impact even if compromise occurs.

CVE-2024-1212 CRITICAL POC
9.8 Feb 21

Unauthenticated remote attackers can access the system through the LoadMaster management interface, enabling arbitrary s

CVE-2026-8037 CRITICAL POC
9.8 Jun 04

Unauthenticated OS command injection in the API of Progress ADC products - LoadMaster, ECS Connections Manager, Object S

CVE-2024-7591 HIGH POC
7.2 Sep 05

Improper Input Validation vulnerability in Progress LoadMaster allows OS Command Injection.This issue affects: * LoadMas

CVE-2024-8755 CRITICAL
9.8 Oct 11

Improper Input Validation vulnerability of Authenticated User in Progress LoadMaster allows : OS Command Injection.This

CVE-2024-2448 HIGH
8.8 Mar 22

An OS command injection vulnerability has been identified in LoadMaster. Rated high severity (CVSS 8.8), this vulnerabil

CVE-2026-3519 HIGH
8.4 Apr 20

Command injection in Progress LoadMaster, ECS Connections Manager, Object Scale Connection Manager, and MOVEit WAF allow

CVE-2026-3518 HIGH
8.4 Apr 20

OS command injection in Progress LoadMaster, MOVEit WAF, ECS Connections Manager, and Object Scale Connection Manager AP

CVE-2026-3517 HIGH
8.4 Apr 20

Command injection in Progress LoadMaster and related ADC products allows authenticated attackers with Geo Administration

CVE-2024-56135 HIGH
8.4 Feb 05

Improper Input Validation vulnerability of Authenticated User in Progress LoadMaster allows : OS Command Injection. Rate

CVE-2024-56131 HIGH
8.4 Feb 05

Improper Input Validation vulnerability of Authenticated User in Progress LoadMaster allows : OS Command Injection. Rate

CVE-2025-13447 HIGH
8.4 Jan 13

OS Command Injection Remote Code Execution Vulnerability in API in Progress LoadMaster allows an authenticated attacker

CVE-2024-56132 HIGH
8.4 Feb 05

Improper Input Validation vulnerability of Authenticated User in Progress LoadMaster allows : OS Command Injection. Rate

Share

CVE-2026-4048 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy