Cyber Resilience

CVE-2026-0759

CriticalRCE

Published: 23 January 2026

Published
23 January 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0171 74.5th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-0759 is a critical-severity OS Command Injection (CWE-78) vulnerability in Zerodayinitiative (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, ranked in the top 25.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-0759 is a command injection vulnerability in the executeCommand method of the Katana Network Development Starter Kit. The flaw stems from missing validation of user-supplied input before it is used in a system call, enabling remote code execution. It carries a CVSS score of 9.8 and is also identified as ZDI-CAN-27786.

Unauthenticated remote attackers can exploit the issue over the network to run arbitrary code in the context of the service account. No user interaction or credentials are required for successful exploitation.

The referenced Zero Day Initiative advisory ZDI-26-025 addresses the vulnerability.

The EPSS score rose from low levels to a peak of 0.0176 on 2026-05-25 before receding, indicating that exploitation interest emerged after disclosure.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Katana Network Development Starter Kit executeCommand Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Katana Network Development Starter Kit. Authentication is not required to exploit this vulnerability. The specific…

more

flaw exists within the implementation of the executeCommand method. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-27786.

CWE(s)

Related Threats

CVEs Like This One

CVE-2018-25115Shared CWE-78
CVE-2025-41276Shared CWE-78
CVE-2026-28463Shared CWE-78
CVE-2024-55590Shared CWE-78
CVE-2026-23678Shared CWE-78
CVE-2025-56089Shared CWE-78
CVE-2025-56087Shared CWE-78
CVE-2025-10230Shared CWE-78
CVE-2026-27635Shared CWE-78
CVE-2026-28470Shared CWE-78

Affected Assets

Zerodayinitiative
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation of user-supplied input before it is used in system calls, blocking the exact command-injection flaw in executeCommand.

prevent

Limits privileges of the service account so that even successful injection yields minimal impact on the affected Katana installation.

prevent

Restricts the set of allowed system commands and functions, reducing the attack surface available to the unauthenticated executeCommand method.

References