CVE-2026-32999

CRITICAL

Webpros Comet Backup - Improper Control of Generation of Code ('Code Injection')

Title source: rule

Description

Insufficient character filtering in backup agent signing module on Comet Backup server allows authenticated tenant administrator to execute an arbitrary code on behalf of a privileged user on the affected server and connected devices.

References (1)

Core 1

Core References

https://support.cometbackup.com/hc/en-us/articles/40655100268439--CVE-2026-32999-RCE-on-Comet-Server-via-branding-configuration

Scores

CVSS v3 9.0

EPSS 0.0028

EPSS Percentile 19.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-94

Status published

Products (2)

WebPros/Comet Backup < 26.4.3

WebPros/Comet Backup < 26.5.0

Published May 28, 2026

Tracked Since May 28, 2026