High severity 8.4 · NVD Advisory · Published Apr 20, 2026 · Updated May 1, 2026
CVE-2026-3518
Description
An OS command injection remote code execution vulnerability in the API of Progress ADC products allows an authenticated attacker with "All" permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the 'killsession' command.
Affected products
- cpe:2.3:a:progress:connection_manager_for_objectscale:*:*:*:*:*:*:*:* (range: <7.2.63.1)
- cpe:2.3:a:progress:ecs_connection_manager:*:*:*:*:*:*:*:* (range: <7.2.63.1)
- cpe:2.3:a:progress:loadmaster:*:*:*:*:ga:*:*:* (range: <7.2.63.1)
- cpe:2.3:a:progress:loadmaster:*:*:*:*:ltsf:*:*:* (range: <7.2.54.17)
- (no CPE)
News mentions
- ZDI-26-318: Progress Software Kemp LoadMaster ssodomain_killsession Command Injection Remote Code Execution Vulnerability (Zero Day Initiative · May 21, 2026)
- ⚡ Weekly Recap: Fast16 Malware, XChat Launch, Federal Backdoor, AI Employee Tracking & More (The Hacker News · Apr 27, 2026)