CVE-2026-8037 – Progress Software LoadMaster

CVSS 9.6 CRITICAL Critical or Zero Day – Immediate Deployment

“An exposed management API should never become an attacker's command line.”

This security update addresses CVE-2026-8037, a critical OS command injection vulnerability affecting Progress Software LoadMaster. The vulnerability exists in the product's API, where insufficient input sanitization in multiple command endpoints allows an unauthenticated attacker to execute arbitrary operating system commands on a vulnerable LoadMaster appliance. The CVSS score is 9.6, which is Critical severity.

The update strengthens input validation and sanitization across the affected API endpoints to prevent command injection and unauthorized remote code execution. A public proof-of-concept has been confirmed for this vulnerability. There is no verified evidence of active real-world exploitation.

Key Details

Affected Product
Progress Connection Manager For Objectscale
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
CWE Classification
CWE-77
Patch this CVE on all your endpoints in under 5 minutes. First 200 endpoints are free forever, scale as needed.