CVE-2026-26335

CRITICAL

Calero VeraSMART < 2022 R1 - Remote Code Execution

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2026-26335. PoCs published by banyamer, XiaomingX, mbanyamer.

AI-analyzed exploit summary: This Python script demonstrates a path traversal vulnerability in Repetier-Server <=1.4.10, allowing unauthorized file reads via crafted URLs with encoded traversal sequences. It includes multiple payload variants and configurable depth for bypassing path restrictions.

Description

Calero VeraSMART versions prior to 2022 R1 use static ASP.NET/IIS machineKey values configured for the VeraSMART web application and stored in C:\Program Files (x86)\Veramark\VeraSMART\WebRoot\web.config. An attacker who obtains these keys can craft a valid ASP.NET ViewState payload that passes integrity validation and is accepted by the application, resulting in server-side deserialization and remote code execution in the context of the IIS application.

Exploits (3)

exploitdb WORKING POC
by banyamer · python · webapps · multiple
https://www.exploit-db.com/exploits/52540


Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Repetier-Server <=1.4.10
No auth needed
Prerequisites: Network access to Repetier-Server web interface
devstral-2 · analyzed May 05, 2026
github WORKING POC 10 stars
by XiaomingX · python · poc
https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-26335

This repository contains a functional Python exploit for CVE-2026-26335, targeting Calero VeraSMART < 2022 R1. The exploit leverages hardcoded ASP.NET MachineKey values to forge a malicious ViewState payload, achieving remote code execution via deserialization.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Calero VeraSMART < 2022 R1
No auth needed
Prerequisites: ysoserial.net · static MachineKey values (validationKey and decryptionKey)
devstral-2 · analyzed Feb 27, 2026
nomisec WORKING POC
by mbanyamer · poc
https://github.com/mbanyamer/CVE-2026-26335-Calero-VeraSMART-RCE

This is a functional exploit for CVE-2026-26335, targeting Calero VeraSMART < 2022 R1. It leverages hardcoded ASP.NET MachineKey values to forge a malicious ViewState payload using ysoserial.net, achieving remote code execution via deserialization.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Calero VeraSMART < 2022 R1
No auth needed
Prerequisites: ysoserial.net · knowledge of target's MachineKey values · ViewState-enabled endpoint
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3: 9.8
EPSS: 0.0281
EPSS Percentile: 84.6%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: yes
Technical Impact: total

Details

CWE: CWE-321
Status: published
Products (2):
calero/verasmart 2022.0
calero/verasmart < 2022.0
Published: Feb 13, 2026
Tracked Since: Feb 18, 2026