High severity8.4NVD Advisory· Published Apr 20, 2026· Updated May 1, 2026

CVE-2026-4048

Description

OS Command Injection Remote Code Execution Vulnerability in UI in Progress ADC Products allows an authenticated attacker with “All” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in a custom WAF rule file during the file upload process.

Affected products

Progress (organisation)/Connection Manager For Objectscale
cpe:2.3:a:progress:connection_manager_for_objectscale:*:*:*:*:*:*:*:*
Range: <7.2.63.1
Progress (organisation)/Ecs Connection Manager
cpe:2.3:a:progress:ecs_connection_manager:*:*:*:*:*:*:*:*
Range: <7.2.63.1
Progress (organisation)/Loadmaster2 versions
cpe:2.3:a:progress:loadmaster:*:*:*:*:ltsf:*:*:*+ 1 more
- cpe:2.3:a:progress:loadmaster:*:*:*:*:ltsf:*:*:*range: <7.2.54.17
- cpe:2.3:a:progress:loadmaster:*:*:*:*:ga:*:*:*range: <7.2.63.1

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

community.progress.com/s/article/LoadMaster-Security-Vulnerabilites-CVE-2026-3517-CVE-2026-3518-CVE-2026-3519-CVE-2026-4048-CVE-2026-21876nvdVendor AdvisoryPatch

News mentions

Microsoft Patches 137 Vulnerabilities
SecurityWeek · May 12, 2026
⚡ Weekly Recap: Fast16 Malware, XChat Launch, Federal Backdoor, AI Employee Tracking & More
The Hacker News · Apr 27, 2026

cvss	0.546
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000