Description
Airleader Master versions 6.381 and prior allow for file uploads without
restriction to multiple webpages running maximum privileges. This could
allow an unauthenticated user to potentially obtain remote code
execution on the server.
Published: 2026-02-12
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Airleader Master versions 6.381 and earlier allow users to upload arbitrary files with no restriction on content type to multiple web pages that run at maximum privileges. The lack of validation for the file type and the execution context permits an unauthenticated attacker to deliver a script or binary that is executed on the server, leading to full compromise of confidentiality, integrity and availability. The weakness is classified as CWE-434, an unsafe file upload flaw.

Affected Systems

Airleader GmbH’s Airleader Master application is affected in versions up to and including 6.381. The fix is available starting with version 6.386; all earlier releases carry the vulnerability and should be updated as soon as possible.

Risk and Exploitability

The CVSS base score of 9.3 indicates a critical level of risk. EPSS is reported as less than 1%, suggesting a low current exploitation probability, and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is an unauthenticated user uploading a malicious file through one of the publicly accessible upload endpoints; the server then executes the uploaded file with full privileges, providing the attacker control over the system. While the probability of exploitation is low at present, the high potential impact warrants prompt mitigation.

Generated by OpenCVE AI on April 16, 2026 at 17:11 UTC.

Remediation

Vendor Solution

Airleader recommends that users upgrade Airleader Master to version 6.386 or later. Users of Airleader Master are encouraged to reach out to Airleader via email (info@airleader.us) or submit a web form (https://airleader.us/contact/) for more information and mitigation assistance.


OpenCVE Recommended Actions

  • Upgrade Airleader Master to version 6.386 or later as recommended by the vendor.
  • If an upgrade cannot be performed immediately, disable or restrict file upload functionality on all web pages that run with elevated privileges, allowing only safe file types and enforcing strict size limits.
  • Implement monitoring of upload activity and server logs for anomalous file transfer attempts, and apply contextual input validation to prevent execution of uploaded content.

Advisories

No advisories yet.

History

Tue, 03 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
References
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Tue, 17 Feb 2026 18:30:00 +0000

Type Values Removed Values Added
References

Fri, 13 Feb 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Airleader
Airleader airleader Master
Vendors & Products Airleader
Airleader airleader Master

Fri, 13 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 12 Feb 2026 21:45:00 +0000

Type Values Removed Values Added
Description Airleader Master versions 6.381 and prior allow for file uploads without restriction to multiple webpages running maximum privileges. This could allow an unauthenticated user to potentially obtain remote code execution on the server.
Title Airleader Master Unrestricted Upload of File with Dangerous Type
Weaknesses CWE-434
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-03-03T20:23:34.197Z

Reserved: 2026-01-22T20:21:20.996Z

Link: CVE-2026-1358

Vulnrichment

Updated: 2026-02-13T16:27:27.200Z

NVD

Status: Deferred

Published: 2026-02-12T22:16:04.213

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1358

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T17:15:17Z

Weaknesses