CVE-2026-1358

Published: Feb 12, 2026Modified: Mar 3, 2026

9.3

Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XShow less

Source: ics-cert@hq.dhs.gov (Secondary)

Description

Airleader Master versions 6.381 and prior allow for file uploads without restriction to multiple webpages running maximum privileges. This could allow an unauthenticated user to potentially obtain remote code execution on the server.

Related CWEs

CWE-434

Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

References (4)

https://airleader.us/contact/

Source: ics-cert@hq.dhs.gov

https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-043-10.json

Source: ics-cert@hq.dhs.gov

https://www.cisa.gov/news-events/ics-advisories/icsa-26-043-10

Source: ics-cert@hq.dhs.gov

https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-044.txt

Source: ics-cert@hq.dhs.gov

Timeline

No history available yet.