SB2026060530 - Multiple vulnerabilities in Progress LoadMaster

Security Bulletin ID SB2026060530

CSH Severity

Critical

Patch available

YES

Number of vulnerabilities 2

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 2 vulnerabilities.

1) Command injection (CVE-ID: CVE-2026-8037)

CWE-ID: CWE-77 - Command injection

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Red

The vulnerability allows a remote attacker to execute arbitrary commands.

The vulnerability exists due to command injection in the API when processing unsanitized input. A remote attacker can send crafted API input to execute arbitrary commands.

2) Improper Handling of Case Sensitivity (CVE-ID: CVE-2026-33691)

CWE-ID: CWE-178 - Improper Handling of Case Sensitivity

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to improper handling of whitespace in file upload extension checks in file upload detection rules 933110, 933111, and 944140 when processing uploaded filenames. A remote attacker can upload a file with a whitespace-padded dangerous extension to execute arbitrary code.

Exploitation is environment-dependent and requires a backend that normalizes or strips whitespace from filenames before executing uploaded files.

Remediation

Install update from vendor's website.

References

https://community.progress.com/s/article/LoadMaster-Critical-Security-Bulletin-June-2026-CVE-2026-8037-CVE-2026-33691?popup=true&overview