CVE-2026-4048

HIGH

Progress LoadMaster WAF Rule Upload - Authenticated Command Injection RCE

Title source: manual

Description

OS Command Injection Remote Code Execution Vulnerability in UI in Progress ADC Products allows an authenticated attacker with “All” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in a custom WAF rule file during the file upload process.

References (1)

Core 1

Core References

Vendor Advisory vendor-advisory

https://community.progress.com/s/article/LoadMaster-Security-Vulnerabilites-CVE-2026-3517-CVE-2026-3518-CVE-2026-3519-CVE-2026-4048-CVE-2026-21876

Scores

CVSS v3 8.4

EPSS 0.0213

EPSS Percentile 79.5%

Attack Vector ADJACENT_NETWORK

CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-77

Status published

Products (8)

progress/connection_manager_for_objectscale < 7.2.63.1

progress/ecs_connection_manager < 7.2.63.1

progress/loadmaster < 7.2.54.17

progress/loadmaster < 7.2.63.1

Progress Software/ECS Connections Manager V7.2.49.0 - V7.2.63.0

Progress Software/LoadMaster V7.1.20.0 - V7.2.63.0

Progress Software/MOVEit WAF V7.2.62.0 - V7.2.63.0

Progress Software/Object Scale Connection Manager V7.2.62.0 - V7.2.63.0

Published Apr 20, 2026

Tracked Since Apr 20, 2026