CVE-2026-1358

Critical

Published: 12 February 2026

Published

12 February 2026

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0010 27.2th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-1358 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Airleader Master (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 27.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and IA-8 (Identification and Authentication (Non-organizational Users)).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly validates file uploads to restrict malicious files, preventing unrestricted uploads leading to RCE.

IA-8 Identification and Authentication (Non-organizational Users) good match

prevent

Requires identification and authentication for non-organizational users accessing file upload webpages, blocking unauthenticated exploitation.

AC-6 Least Privilege good match

prevent

Enforces least privilege on webpages running with maximum privileges, limiting RCE impact from uploaded malicious files.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

CVE-2026-1358 enables unauthenticated attackers to exploit a public-facing web application via unrestricted file upload, achieving remote code execution, which directly maps to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Airleader Master versions 6.381 and prior allow for file uploads without restriction to multiple webpages running maximum privileges. This could allow an unauthenticated user to potentially obtain remote code execution on the server.

Deeper analysisAI

CVE-2026-1358 is an unrestricted file upload vulnerability (CWE-434) in Airleader Master versions 6.381 and prior. It affects multiple webpages running with maximum privileges, enabling file uploads without restrictions. Published on 2026-02-12, the flaw carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for remote code execution on the affected server.

An unauthenticated attacker with network access can exploit this low-complexity vulnerability without requiring user interaction. Successful exploitation allows the attacker to upload malicious files, potentially achieving remote code execution on the server with high impacts to confidentiality, integrity, and availability.

Mitigation guidance is available in vendor and third-party advisories, including CISA ICSA-26-043-10 (https://www.cisa.gov/news-events/ics-advisories/icsa-26-043-10), SYSS-2025-044 (https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-044.txt), and the CSAF document at https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-043-10.json. Security practitioners should review these for patching instructions and workarounds, along with contacting the vendor via https://airleader.us/contact/.