CVE-2026-8037

Awaiting Analysis

Published: 04 Jun 2026, 13:13

Last modified:04 Jun 2026, 13:13

Vulnerability Summary

Overall Risk (default)

high

70/100

CVSS Score

9.6 CRITICAL

v3.1 (cve.org)

EPSS Score

No data

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

04 Jun 2026, 13:13

Published

Vulnerability first disclosed

Description

OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an un-authenticated attacker to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in multiple command endpoints

CVSS Metrics

v3.1•CRITICAL•Score: 9.6CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Techniques & Countermeasures

CWE-77•Improper Neutralization of Special Elements used in a Command ('Command Injection')
The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

Affected Systems

progress software•ecs connections manager
≥ V7.2.60.0, < V7.2.63.2
progress software•loadmaster
≥ V7.2.60.0, < V7.2.63.2 | ≥ V7.2.45.12, < V7.2.54.18
progress software•moveit waf
≥ V7.2.60.0, < V7.2.63.2
progress software•object scale connection manager
≥ V7.2.60.0, < V7.2.63.2

References (1)

https://community.progress.com/s/article/LoadMaster-Critical-Security-Bulletin-June-2026-CVE-2026-8037-CVE-2026-33691