Is there a public PoC exploit available for CVE-2026-5562?

Yes, a public proof-of-concept exploit is available for CVE-2026-5562. Prioritise patching immediately. EPSS: 0.1%.

Kafka Ui CVE-2026-5562

Q: What is the CVSS score of CVE-2026-5562?

CVE-2026-5562 has a CVSS 4.0 base score of 5.5 (Medium). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.1%.

EUVD-2026-19071 MEDIUM

Code Injection (CWE-94)

2026-04-05 VulDB

GHSA-xcqp-9wgc-xxhj

Code Injection RCE Kafka Ui

5.5

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

5.5 MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

CVSS changed

Apr 29, 2026 - 01:11 NVD

6.9 (MEDIUM) 5.5 (MEDIUM)

PoC Detected

Apr 07, 2026 - 13:20 vuln.today

Public exploit code

EUVD ID Assigned

Apr 05, 2026 - 11:15 euvd

EUVD-2026-19071

Analysis Generated

Apr 05, 2026 - 11:15 vuln.today

CVE Published

Apr 05, 2026 - 11:00 nvd

MEDIUM 6.9

DescriptionCVE.org

A vulnerability was identified in provectus kafka-ui up to 0.7.2. This impacts the function validateAccess of the file /api/smartfilters/testexecutions of the component Endpoint. The manipulation leads to code injection. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Code injection in Provectus kafka-ui up to version 0.7.2 allows unauthenticated remote attackers to execute arbitrary code via the validateAccess function in the /api/smartfilters/testexecutions endpoint. The vulnerability has publicly available exploit code and carries a CVSS 6.9 score reflecting moderate but meaningful real-world risk; the vendor was contacted early but provided no response, suggesting no patch is anticipated.

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment	The CVSS 6.9 score reflects a moderate-to-high severity rating with unauthenticated network-accessible attack vector (AV:N/PR:N) and low attack complexity (AC:L), indicating minimal barriers to exploitation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An unauthenticated attacker on the internet discovers a kafka-ui instance running version 0.7.2 or earlier via banner grabbing or service scanning. The attacker crafts a malicious payload containing code injection syntax and sends it to the validateAccess endpoint at /api/smartfilters/testexecutions. …
Remediation	Immediate upgrade to a version newer than 0.7.2 is the primary remediation, though no specific patched version is confirmed from available data; organizations should verify the latest available kafka-ui release from the official Provectus repository (https://github.com/provectus/kafka-ui) and test before deployment. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-5562 vulnerability details – vuln.today

Back