CVE-2026-32298

Published: Mar 17, 2026Modified: Apr 27, 2026

8.5

Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Show more

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XShow less

Source: 9119a7d8-5eab-497f-8521-727c672e3725 (Secondary)

Description

The Angeet ES3 KVM does not properly sanitize user-supplied variables parsed by the 'cfg.lua' script, allowing an authenticated attacker to execute OS-level commands.

Affected (1)

Products: Angeet: Es3 Kvm Firmware

1 product

Es3 Kvm Firmware

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Angeet Es3 Kvm Firmware	All versions

Running on/with	Platform Versions
Angeet Es3 Kvm	All versions

Related CWEs

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References (3)

https://eclypsium.com/blog/kvm-devices-the-keys-to-your-kingdom-are-hanging-on-the-network/

Source: 9119a7d8-5eab-497f-8521-727c672e3725

Third Party Advisory

https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-076-01.json

Source: 9119a7d8-5eab-497f-8521-727c672e3725

Broken Link

https://www.cve.org/CVERecord?id=CVE-2026-32291

Source: 9119a7d8-5eab-497f-8521-727c672e3725

Not Applicable

Timeline

No history available yet.