CVE-2026-8037 – Progress Software LoadMaster
“An exposed management API should never become an attacker's command line.”
This security update addresses CVE-2026-8037, a critical OS command injection vulnerability affecting Progress Software LoadMaster. The vulnerability exists in the product's API, where insufficient input sanitization in multiple command endpoints allows an unauthenticated attacker to execute arbitrary operating system commands on a vulnerable LoadMaster appliance. The CVSS score is 9.6, which is Critical severity.
The update strengthens input validation and sanitization across the affected API endpoints to prevent command injection and unauthorized remote code execution. A public proof-of-concept has been confirmed for this vulnerability. There is no verified evidence of active real-world exploitation.
Key Details
- Affected Product
- Progress Connection Manager For Objectscale
- Attack Vector
- Adjacent
- Attack Complexity
- Low
- Privileges Required
- None
- User Interaction
- None
- CWE Classification
- CWE-77