{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1358", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "state": "PUBLISHED", "assignerShortName": "icscert", "dateReserved": "2026-01-22T20:21:20.996Z", "datePublished": "2026-02-12T21:24:53.070Z", "dateUpdated": "2026-02-12T21:24:53.070Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Airleader Master", "vendor": "Airleader GmbH", "versions": [{"lessThanOrEqual": "6.381", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Angel Lomeli of SySS reported this vulnerability to CISA"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Airleader Master versions 6.381 and prior allow for file uploads without\n restriction to multiple webpages running maximum privileges. This could\n allow an unauthenticated user to potentially obtain remote code \nexecution on the server."}], "value": "Airleader Master versions 6.381 and prior allow for file uploads without\n restriction to multiple webpages running maximum privileges. This could\n allow an unauthenticated user to potentially obtain remote code \nexecution on the server."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-434", "description": "CWE-434", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2026-02-12T21:24:53.070Z"}, "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-043-10"}, {"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-043-10.json"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div>\nAirleader recommends that users upgrade Airleader Master to version 6.386 or later.</div><div><br></div><div>\nUsers of Airleader Master are encouraged to reach out to Airleader via \nemail or submit a web form for more information and mitigation \nassistance.\n\n<br></div>"}], "value": "Airleader recommends that users upgrade Airleader Master to version 6.386 or later.\n\n\n\n\n\nUsers of Airleader Master are encouraged to reach out to Airleader via \nemail or submit a web form for more information and mitigation \nassistance."}], "source": {"advisory": "ICSA-26-043-10", "discovery": "EXTERNAL"}, "title": "Airleader Master Unrestricted Upload of File with Dangerous Type", "x_generator": {"engine": "Vulnogram 0.5.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Airleader Master versions 6.381 and prior allow for file uploads without\n restriction to multiple webpages running maximum privileges. This could\n allow an unauthenticated user to potentially obtain remote code \nexecution on the server."}], "id": "CVE-2026-1358", "lastModified": "2026-02-12T22:16:04.213", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}, "published": "2026-02-12T22:16:04.213", "references": [{"source": "ics-cert@hq.dhs.gov", "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-043-10.json"}, {"source": "ics-cert@hq.dhs.gov", "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-043-10"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "ics-cert@hq.dhs.gov", "type": "Primary"}]}

{}

{}