Critical severity9.9NVD Advisory· Published Feb 10, 2026· Updated Apr 15, 2026
CVE-2026-26009
CVE-2026-26009
Description
Catalyst is a platform built for enterprise game server hosts, game communities, and billing panel integrations. Install scripts defined in server templates execute directly on the host operating system as root via bash -c, with no sandboxing or containerization. Any user with template.create or template.update permission can define arbitrary shell commands that achieve full root-level remote code execution on every node machine in the cluster. This vulnerability is fixed in commit 11980aaf3f46315b02777f325ba02c56b110165d.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
2News mentions
2- TeamPCP Supply Chain Campaign: Update 008 - 26-Day Pause Ends with Three Concurrent Compromises (Checkmarx KICS, Bitwarden CLI Cascade, xinference PyPI), CanisterSprawl npm Worm Identified, and Tier 1 Coverage Returns, (Mon, Apr 27th)SANS Internet Storm Center · Apr 27, 2026
- 6th April – Threat Intelligence ReportCheck Point Research · Apr 6, 2026