Critical severity9.6NVD Advisory· Published Jun 4, 2026· Updated Jun 4, 2026
CVE-2026-8037
CVE-2026-8037
Description
OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an un-authenticated attacker to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in multiple command endpoints
Affected products
1Patches
Vulnerability mechanics
References
1News mentions
9- ⚡ Weekly Recap: Proxy Botnets, Browser Ransomware, AI Agent Tricks, Fake PoC Malware and MoreThe Hacker News · Jul 6, 2026
- 6th July – Threat Intelligence ReportCheck Point Research · Jul 6, 2026
- Progress Kemp LoadMaster Pre-Auth RCE Flaw Faces Active Exploitation AttemptsThe Hacker News · Jul 1, 2026
- Critical Progress Kemp LoadMaster Vulnerability Enables Pre-Auth Remote Code ExecutionCyber Security News · Jun 30, 2026
- Progress Kemp LoadMaster Flaw Could Let Attackers Run Root Commands Pre-AuthThe Hacker News · Jun 30, 2026
- Enterprise Tech In, Shell Out (Progress Kemp LoadMaster Uninitialized Heap to Pre-Auth RCE CVE-2026-8037)watchTowr Labs · Jun 29, 2026
- ZDI-26-341: Progress Software Kemp LoadMaster dolistapikeys Uninitialized Memory Remote Code Execution VulnerabilityZero Day Initiative · Jun 9, 2026
- ZDI-26-340: Progress Software Kemp LoadMaster dodelapikey Uninitialized Memory Remote Code Execution VulnerabilityZero Day Initiative · Jun 9, 2026
- ZDI-26-342: Progress Software Kemp LoadMaster apiuser Uninitialized Memory Remote Code Execution VulnerabilityZero Day Initiative · Jun 9, 2026