CVE-2026-4048

HIGH

OS Command Injection Remote Code Execution Vulnerability in Progress LoadMaster, ECS Connection Manager, Object Scale Connection Manager & MOVEit WAF

Title source: cna

Description

OS Command Injection Remote Code Execution Vulnerability in UI in Progress ADC Products allows an authenticated attacker with “All” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in a custom WAF rule file during the file upload process.

References (1)

[Vendor Advisory] https://community.progress.com/s/article/LoadMaster-Security-Vulnerabilites-CVE-2026-3517-CVE-2026-3518-CVE-2026-3519-CVE-2026-4048-CVE-2026-21876

Scores

CVSS v3 8.4

EPSS 0.0008

EPSS Percentile 23.2%

Attack Vector ADJACENT_NETWORK

CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-77

Status published

Products (4)

Progress Software/ECS Connections Manager V7.2.49.0 - V7.2.63.0

Progress Software/LoadMaster V7.1.20.0 - V7.2.63.0

Progress Software/MOVEit WAF V7.2.62.0 - V7.2.63.0

Progress Software/Object Scale Connection Manager V7.2.62.0 - V7.2.63.0

Published Apr 20, 2026

Tracked Since Apr 20, 2026