VYPR
Unrated severityNVD Advisory· Published Feb 13, 2026· Updated Feb 18, 2026

Calero VeraSMART < 2022 R1 Static IIS Machine Keys Enable ViewState RCE

CVE-2026-26335

Description

Calero VeraSMART versions prior to 2022 R1 use static ASP.NET/IIS machineKey values configured for the VeraSMART web application and stored in C:\\Program Files (x86)\\Veramark\\VeraSMART\\WebRoot\\web.config. An attacker who obtains these keys can craft a valid ASP.NET ViewState payload that passes integrity validation and is accepted by the application, resulting in server-side deserialization and remote code execution in the context of the IIS application.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Calero/VeraSMARTllm-fuzzy2 versions
    <= 2021 R4+ 1 more
    • (no CPE)range: <= 2021 R4
    • (no CPE)range: 0

Patches

Vulnerability mechanics

References

2

News mentions

0

No linked articles in our index yet.