CVE-2026-3518
Published: 20 April 2026
Summary
CVE-2026-3518 is a high-severity Command Injection (CWE-77) vulnerability in Progress Loadmaster. Its CVSS base score is 8.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 9.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-10 directly addresses OS command injection by requiring validation and sanitization of all input reaching the vulnerable 'killsession' API endpoint before it is used.
SI-2 ensures timely flaw remediation through patching the specific command injection vulnerability as detailed in the vendor advisory.
AC-6 limits privileges to prevent attackers from obtaining the 'All' permissions required to access and exploit the vulnerable API.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
OS command injection in the LoadMaster API directly enables exploitation of a public-facing application (T1190) for remote code execution via Unix shell commands (T1059.004).
NVD Description
OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an authenticated attacker with “All” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the 'killsession' command.
Deeper analysis
CVE-2026-3518 is an OS Command Injection vulnerability that enables Remote Code Execution in the API of Progress ADC Products. It specifically affects the LoadMaster appliance, where unsanitized input in the 'killsession' command allows exploitation. Mapped to CWE-77, the issue carries a CVSS v3.1 base score of 8.4 (AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H) and was published on 2026-04-20T14:16:19.517.
An authenticated attacker with “All” permissions can exploit this vulnerability from an adjacent network (AV:A) with low attack complexity (AC:L) and no user interaction required. By injecting arbitrary OS commands through the vulnerable 'killsession' API endpoint, the attacker achieves remote code execution on the LoadMaster appliance, resulting in high impacts to confidentiality, integrity, and availability, amplified by the changed scope (S:C).
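The following is an added illustration of the SI-10 control named above (input validation on a session-termination endpoint) and of the unsanitized-input pattern the analysis describes. It is not LoadMaster code and not from the vendor advisory: the `/usr/local/bin/killsession` path, the hex session-id format, and all function names are hypothetical. The vulnerable builder returns the command string instead of executing it so the flaw stays visible; the hardened path validates against an allowlist and passes an argv list to the OS with no shell involved.

```python
import re
import shlex
import subprocess

# Assumed session-id format for this example only: 8 to 64 lowercase hex chars.
# A real appliance would substitute its own identifier grammar.
SESSION_ID_RE = re.compile(r"\A[0-9a-f]{8,64}\Z")

# Hypothetical helper path; not a real LoadMaster binary.
KILLSESSION_BIN = "/usr/local/bin/killsession"


def vulnerable_command(session_id: str) -> str:
    """Insecure pattern (CWE-77): untrusted input spliced into a shell command line.

    Returned as a string and never executed here, so the metacharacters an
    attacker could supply are visible in the result rather than interpreted.
    """
    return f"{KILLSESSION_BIN} {session_id}"


def validate_session_id(session_id: str) -> str:
    """SI-10 style allowlist check: reject anything outside the expected grammar."""
    if not isinstance(session_id, str):
        raise ValueError("session id must be a string")
    if not SESSION_ID_RE.fullmatch(session_id):
        raise ValueError("session id has invalid format")
    return session_id


def safe_kill_argv(session_id: str) -> list[str]:
    """Hardened pattern: validate first, then build an argv list (no shell parsing)."""
    sid = validate_session_id(session_id)
    return [KILLSESSION_BIN, sid]


def run_killsession(session_id: str, dry_run: bool = True):
    """Execute the validated argv with shell=False; dry_run returns the argv instead."""
    argv = safe_kill_argv(session_id)
    if dry_run:
        return argv
    return subprocess.run(argv, shell=False, check=False, capture_output=True)


def contains_shell_metacharacters(value: str) -> bool:
    """Cheap review-time check: shlex.quote leaves a string unchanged only if
    it carries no characters a POSIX shell would interpret."""
    return shlex.quote(value) != value


if __name__ == "__main__":
    # Constructed inputs: one well-formed id, one carrying a shell separator.
    for candidate in ("deadbeef", "deadbeef; echo injected"):
        print("vulnerable string :", vulnerable_command(candidate))
        try:
            print("hardened argv     :", run_killsession(candidate))
        except ValueError as exc:
            print("hardened rejected :", exc)
```

The hardened path relies on two independent layers: the allowlist rejects malformed identifiers regardless of what the downstream command does, and the argv list means that even an identifier that slipped past validation would be delivered as a single argument rather than parsed by a shell.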
Progress has published an advisory covering CVE-2026-3518 along with related vulnerabilities (CVE-2026-3517, CVE-2026-3519, CVE-2026-4048, CVE-2026-21876) at https://community.progress.com/s/article/LoadMaster-Security-Vulnerabilites-CVE-2026-3517-CVE-2026-3518-CVE-2026-3519-CVE-2026-4048-CVE-2026-21876, which security practitioners should consult for mitigation and patching guidance.
Details
- CWE(s)