CVE-2026-1358

CRITICAL

Airleader Master < 6.381 - Unauthenticated Remote Code Execution via Unrestricted File Upload

Title source: llm

Description

Airleader Master versions 6.381 and prior allow for file uploads without restriction to multiple webpages running maximum privileges. This could allow an unauthenticated user to potentially obtain remote code execution on the server.

References (4)

Core 4

Core References

Various Sources

https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-044.txt

Third Party Advisory, US Government Resource

https://www.cisa.gov/news-events/ics-advisories/icsa-26-043-10

Various Sources

https://airleader.us/contact/

Various Sources

https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-043-10.json

View Writeup ZIP pw:eip

Scores

CVSS v3 9.8

EPSS 0.0121

EPSS Percentile 64.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-434

Status published

Products (1)

Airleader GmbH/Airleader Master < 6.381

Published Feb 12, 2026

Tracked Since Feb 18, 2026