SB2026042142 - Multiple vulnerabilities in Progress LoadMaster
Published: April 21, 2026
Description
This security bulletin contains information about 5 vulnerabilities.
1) Command injection (CVE-ID: CVE-2026-3517)
CWE-ID: CWE-77 - Command injection
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary commands.
The vulnerability exists due to command injection in the API addcountry command when processing unsanitized input. A remote user can send crafted input to execute arbitrary commands.
Exploitation requires Geo Administration permissions.
2) Command injection (CVE-ID: CVE-2026-3518)
CWE-ID: CWE-77 - Command injection
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary commands.
The vulnerability exists due to command injection in the API killsession command when processing unsanitized input. A remote user can send crafted input to execute arbitrary commands.
Exploitation requires All permissions.
3) Command injection (CVE-ID: CVE-2026-3519)
CWE-ID: CWE-77 - Command injection
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary commands.
The vulnerability exists due to command injection in the API aclcontrol command when processing unsanitized input. A remote user can send crafted input to execute arbitrary commands.
Exploitation requires VS Administration permissions.
4) Command injection (CVE-ID: CVE-2026-4048)
CWE-ID: CWE-77 - Command injection
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary commands.
The vulnerability exists due to command injection in the UI custom WAF rule file upload process when processing unsanitized input in a custom WAF rule file. A remote user can upload a crafted file to execute arbitrary commands.
Exploitation requires All permissions.
5) Incomplete filtering of multiple instances of special elements (CVE-ID: CVE-2026-21876)
CWE-ID: CWE-794 - Incomplete Filtering of Multiple Instances of Special Elements
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to bypass security rules.
The vulnerability exists due to improper input validation of multipart requests in rule 922110. When the first rule in a chain iterates over a collection (like MULTIPART_PART_HEADERS), the capture variables (TX:0, TX:1) get overwritten with each iteration. Only the last captured value is available to the chained rule, which means malicious charsets in earlier parts can be missed if a later part has a legitimate charset. A remote non-authenticated attacker can bypass the ModSecurity rule and send malicious requests to the application.
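The following added example (not part of this bulletin and not the vendor's or CRS code) models the rule-evaluation logic described above: a chained rule that only sees the capture left by the last iteration over the part headers, beside a per-part check that applies the allow-list to every captured charset. The part headers, the allow-list and the charset regex are constructed assumptions for illustration; the exact list used by rule 922110 is not given on this page.

```python
import re
from typing import Dict, List

# Constructed sample: Content-Type headers of the parts of one multipart request.
# Part 1 declares a charset outside the allow-list; part 2 declares a legitimate one.
SAMPLE_PART_HEADERS = [
    "Content-Type: text/plain; charset=x-unlisted",
    "Content-Type: text/plain; charset=utf-8",
]

# Assumed allow-list for the chained check (illustrative, not the real rule's list).
ALLOWED_CHARSETS = {"utf-8", "iso-8859-1", "iso-8859-15", "windows-1252"}

# Assumed capture pattern: pulls the charset token out of one part header.
CHARSET_RE = re.compile(r'charset\s*=\s*"?([^\s";]+)', re.IGNORECASE)


def chained_last_capture(part_headers: List[str]) -> bool:
    """Flawed chain: rule 1 iterates every part and overwrites TX:1 on each match;
    rule 2 then inspects only what TX:1 holds after the loop. Returns True if flagged."""
    tx: Dict[str, str] = {}
    matched = False
    for header in part_headers:
        m = CHARSET_RE.search(header)
        if m:
            matched = True
            tx["1"] = m.group(1).lower()  # each iteration clobbers the previous capture
    if not matched:
        return False
    return tx.get("1") not in ALLOWED_CHARSETS


def per_part_check(part_headers: List[str]) -> bool:
    """Corrected evaluation: the allow-list test runs on every captured charset,
    so a disallowed charset in any part is detected regardless of later parts."""
    for header in part_headers:
        m = CHARSET_RE.search(header)
        if m and m.group(1).lower() not in ALLOWED_CHARSETS:
            return True
    return False


if __name__ == "__main__":
    print("chained (last capture only):", chained_last_capture(SAMPLE_PART_HEADERS))  # False
    print("per-part check:", per_part_check(SAMPLE_PART_HEADERS))  # True
```

Reversing the order of the two sample parts makes the chained model flag the request, which is exactly the ordering dependence the bulletin describes.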
Remediation
Install update from vendor's website.