CVE Vulnerability Details: CVE-2026-8037
PUBLISHED
Assigner-ProgressSoftware
Assigner Org ID-f9fea0b6-671e-4eea-8fde-31911902ae05
Published At-04 Jun, 2026 | 13:13
Updated At-04 Jun, 2026 | 13:13
Rejected At-
CVE Numbering Authority (CNA)
OS Command Injection Remote Code Execution Vulnerability in Progress LoadMaster, ECS Connection Manager, Object Scale Connection Manager & MOVEit WAF

An OS Command Injection Remote Code Execution Vulnerability in the API in Progress ADC Products allows an unauthenticated attacker to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in multiple command endpoints.

Affected Products

Vendor: Progress Software Corporation (Progress Software)
Product: LoadMaster
Default Status: unaffected
Versions Affected:
  • From V7.2.60.0 before V7.2.63.2 (custom)
  • From V7.2.45.12 before V7.2.54.18 (custom)

Vendor: Progress Software Corporation (Progress Software)
Product: ECS Connections Manager
Default Status: unaffected
Versions Affected:
  • From V7.2.60.0 before V7.2.63.2 (custom)

Vendor: Progress Software Corporation (Progress Software)
Product: Object Scale Connection Manager
Default Status: unaffected
Versions Affected:
  • From V7.2.60.0 before V7.2.63.2 (custom)

Vendor: Progress Software Corporation (Progress Software)
Product: MOVEit WAF
Default Status: unaffected
Versions Affected:
  • From V7.2.60.0 before V7.2.63.2 (custom)

Problem Types
Type: CWE
CWE ID: CWE-77
Description: CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
Metrics
Version: 3.1
Base score: 9.6
Base severity: CRITICAL
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC ID: N/A
Description: An unauthenticated remote attacker exploits unsanitized input in the LoadMaster API command endpoints to inject arbitrary OS commands, resulting in full remote code execution on the appliance.
Solutions

Configurations

Workarounds

Exploits

Credits

Finder: Jacky Yang and Syed Ibrahim Ahmed of TrendAI Research
Timeline
Replaced By

Rejected Reason

References
Hyperlink: https://community.progress.com/s/article/LoadMaster-Critical-Security-Bulletin-June-2026-CVE-2026-8037-CVE-2026-33691
Resource: vendor-advisory