High severity8.4NVD Advisory· Published Apr 20, 2026· Updated May 1, 2026
CVE-2026-3519
CVE-2026-3519
Description
OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an authenticated attacker with “VS Administration” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the 'aclcontrol' command
Affected products
6- cpe:2.3:a:progress:connection_manager_for_objectscale:*:*:*:*:*:*:*:*Range: <7.2.63.1
- cpe:2.3:a:progress:ecs_connection_manager:*:*:*:*:*:*:*:*Range: <7.2.63.1
cpe:2.3:a:progress:loadmaster:*:*:*:*:ga:*:*:*+ 2 more
- cpe:2.3:a:progress:loadmaster:*:*:*:*:ga:*:*:*range: <7.2.63.1
- cpe:2.3:a:progress:loadmaster:*:*:*:*:ltsf:*:*:*range: <7.2.54.17
- (no CPE)
Patches
Vulnerability mechanics
References
1News mentions
1- ⚡ Weekly Recap: Fast16 Malware, XChat Launch, Federal Backdoor, AI Employee Tracking & MoreThe Hacker News · Apr 27, 2026