CVE-2026-1358

CRITICAL

Airleader Master <6.381 - RCE

Title source: llm

Description

Airleader Master versions 6.381 and prior allow for file uploads without restriction to multiple webpages running maximum privileges. This could allow an unauthenticated user to potentially obtain remote code execution on the server.

References (4)

[Various Sources] https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-044.txt

[Third Party Advisory, US Government Resource] https://www.cisa.gov/news-events/ics-advisories/icsa-26-043-10

[Various Sources] https://airleader.us/contact/

[Various Sources] https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-043-10.json

View Writeup ZIP pw:eip

Scores

CVSS v3 9.8

EPSS 0.0010

EPSS Percentile 27.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-434

Status published

Products (1)

Airleader GmbH/Airleader Master < 6.381

Published Feb 12, 2026

Tracked Since Feb 18, 2026