Cyber Resilience

CVE-2026-26009

Critical · RCE

Published: 10 February 2026
Modified: 15 April 2026
KEV Added: none (not currently listed in the CISA KEV catalog)
Patch: commit 11980aaf3f46315b02777f325ba02c56b110165d (GHSA-xv5r-cpcw-8wr3)
CVSS v3.1 Score: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0048 (37.8th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-26009 is a critical-severity OS Command Injection (CWE-78) vulnerability. Its CVSS base score is 9.9 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 37.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-26009 is an OS command injection vulnerability (CWE-78) in the Catalyst platform, which is designed for enterprise game server hosts, game communities, and billing panel integrations. The issue stems from install scripts defined in server templates that execute directly on the host operating system as root via bash -c, without any sandboxing or containerization. This allows arbitrary commands to be injected and run with root privileges. The vulnerability has a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) and was published on 2026-02-10.

An attacker with template.create or template.update permissions can exploit this vulnerability by defining malicious shell commands in a server template. This leads to full root-level remote code execution on every node machine in the Catalyst cluster, enabling complete compromise of the host systems over the network with low complexity and no user interaction required.

The vulnerability is addressed in Catalyst commit 11980aaf3f46315b02777f325ba02c56b110165d, as detailed in the project's GitHub security advisory (GHSA-xv5r-cpcw-8wr3). Security practitioners should update to this commit or later to mitigate the issue.


Vulnerability details

Catalyst is a platform built for enterprise game server hosts, game communities, and billing panel integrations. Install scripts defined in server templates execute directly on the host operating system as root via bash -c, with no sandboxing or containerization. Any user with template.create or template.update permission can define arbitrary shell commands that achieve full root-level remote code execution on every node machine in the cluster. This vulnerability is fixed in commit 11980aaf3f46315b02777f325ba02c56b110165d.

CWE(s): CWE-78 (OS Command Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

This CVE enables remote exploitation of a public-facing application via OS command injection in server templates, allowing arbitrary bash command execution as root (T1190, T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2018-25115 (shared CWE-78)
CVE-2025-24382 (shared CWE-78)
CVE-2026-29058 (shared CWE-78)
CVE-2024-57016 (shared CWE-78)
CVE-2024-46484 (shared CWE-78)
CVE-2015-10145 (shared CWE-78)
CVE-2020-37002 (shared CWE-78)
CVE-2026-27848 (shared CWE-78)
CVE-2025-0356 (shared CWE-78)
CVE-2025-13942 (shared CWE-78)

Mitigating Controls (NIST 800-53 r5) [AI]

Prevent (SI-10 Information Input Validation): Validates and sanitizes user-defined install scripts prior to execution to directly prevent OS command injection vulnerabilities like this one.

Prevent (AC-6 Least Privilege): Enforces least privilege by ensuring install scripts execute without root privileges, comprehensively limiting the impact of any injected commands.

Prevent: Restricts access to the template.create and template.update functions to authorized personnel only, reducing the attack surface for injecting malicious scripts.
