Cyber Resilience

CVE-2026-1358

Critical

Published: 12 February 2026

Published
12 February 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score v4 9.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0121 64.4th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-1358 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Airleader Master (inferred from references). Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 35.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and IA-8 (Identification and Authentication (Non-organizational Users)).

Deeper analysis

CVE-2026-1358 is an unrestricted file upload vulnerability (CWE-434) in Airleader Master versions 6.381 and prior. It affects multiple webpages running with maximum privileges, enabling file uploads without restrictions. Published on 2026-02-12, the flaw carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for remote code execution on the affected server.

An unauthenticated attacker with network access can exploit this low-complexity vulnerability without requiring user interaction. Successful exploitation allows the attacker to upload malicious files, potentially achieving remote code execution on the server with high impacts to confidentiality, integrity, and availability.

Mitigation guidance is available in vendor and third-party advisories, including CISA ICSA-26-043-10 (https://www.cisa.gov/news-events/ics-advisories/icsa-26-043-10), SYSS-2025-044 (https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-044.txt), and the CSAF document at https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-043-10.json. Security practitioners should review these for patching instructions and workarounds, along with contacting the vendor via https://airleader.us/contact/.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Airleader Master versions 6.381 and prior allow for file uploads without restriction to multiple webpages running maximum privileges. This could allow an unauthenticated user to potentially obtain remote code execution on the server.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

CVE-2026-1358 enables unauthenticated attackers to exploit a public-facing web application via unrestricted file upload, achieving remote code execution, which directly maps to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-12352Shared CWE-434
CVE-2026-1730Shared CWE-434
CVE-2025-13067Shared CWE-434
CVE-2025-54449Shared CWE-434
CVE-2025-1070Shared CWE-434
CVE-2025-12528Shared CWE-434
CVE-2025-67325Shared CWE-434
CVE-2025-65471Shared CWE-434
CVE-2025-59710Shared CWE-434
CVE-2025-34328Shared CWE-434

Affected Assets

Airleader
Master
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly validates file uploads to restrict malicious files, preventing unrestricted uploads leading to RCE.

prevent

Requires identification and authentication for non-organizational users accessing file upload webpages, blocking unauthenticated exploitation.

prevent

Enforces least privilege on webpages running with maximum privileges, limiting RCE impact from uploaded malicious files.

References