Description
A vulnerability allowing a Backup Viewer to perform remote code execution (RCE) as the postgres user.
Published: 2026-03-12
Score: 9.9 Critical
EPSS: 1.5% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in Veeam:Backup and Replication’s Backup Viewer enables an attacker to execute arbitrary code with the privileges of the postgres user. This allows the attacker to gain control over the PostgreSQL database service, potentially compromising database integrity, confidentiality, and availability.

Affected Systems

The vulnerability impacts any deployment of Veeam:Backup and Replication that includes the Backup Viewer component. Specific product versions are not disclosed, so all installations that use this feature remain potentially exposed until a fix is applied.

Risk and Exploitability

The CVSS score of 9.9 indicates a critical severity. The EPSS score of < 1% shows a low likelihood of current exploitation. Though not listed in the CISA KEV catalog, the high‑impact potential demands urgent attention. The most likely exploitation path is through remote access to the Backup Viewer interface, where an attacker can supply crafted input to trigger code execution as the postgres user. Once executed, the attacker could gain further access or persist within the system.

Generated by OpenCVE AI on May 10, 2026 at 15:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor updates as described in the official KB articles at https://www.veeam.com/kb4830 and https://www.veeam.com/kb4831; this patch addresses the RCE by fixing input validation, SQL construction, and dynamic code execution weaknesses identified as CWE‑89.
  • Add input sanitization to all parameters accepted by the Backup Viewer interface to mitigate input issues.
  • Refactor any database interactions to use parameterized queries or safe escaping to prevent SQL injection (CWE‑89).
  • Remove or secure any code generation or `exec`/`eval` functionality within Backup Viewer that could enable dynamic code execution.

Generated by OpenCVE AI on May 10, 2026 at 15:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 10 May 2026 15:45:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via Backup Viewer in Veeam:Backup and Replication

Sun, 10 May 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L'}

Sat, 18 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via Backup Viewer in Veeam:Backup and Replication

Sat, 18 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Title Veeam Backup Viewer RCE via Postgres User
Weaknesses CWE-20
CWE-94

Fri, 17 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}

Fri, 17 Apr 2026 15:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-89
Metrics cvssV3_1

{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}

 cvssV3_1

{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}

Fri, 27 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Title Veeam Backup Viewer RCE via Postgres User
Weaknesses CWE-20
CWE-94

Fri, 27 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via Veeam Backup Viewer as Postgres User
Weaknesses CWE-94

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via Veeam Backup Viewer as Postgres User
Weaknesses CWE-94

Thu, 26 Mar 2026 14:00:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via Veeam Backup Viewer as Postgres User
Weaknesses CWE-269
CWE-94

Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via Veeam Backup Viewer as Postgres User
Weaknesses CWE-269
CWE-94

Wed, 25 Mar 2026 15:00:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via Backup Viewer in Veeam Backup and Recovery
Weaknesses CWE-94

Wed, 25 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via Backup Viewer in Veeam Backup and Recovery
Weaknesses CWE-94

Tue, 24 Mar 2026 13:30:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via Backup Viewer in Veeam Backup & Recovery
Weaknesses CWE-78

Mon, 23 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via Backup Viewer in Veeam Backup & Recovery
Weaknesses CWE-78

Mon, 23 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via Backup Viewer in Veeam Backup & Recovery
Weaknesses CWE-20
CWE-269

Fri, 20 Mar 2026 16:00:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via Backup Viewer in Veeam Backup & Recovery
Weaknesses CWE-20
CWE-269

Fri, 13 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Veeam
Veeam backup And Recovery
Vendors & Products Veeam
Veeam backup And Recovery

Thu, 12 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 12 Mar 2026 17:00:00 +0000

Type Values Removed Values Added
Description A vulnerability allowing a Backup Viewer to perform remote code execution (RCE) as the postgres user.
References
Metrics cvssV3_1

{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

Veeam Backup And Recovery
cve-icon MITRE

Status: PUBLISHED

Assigner: hackerone

Published:

Updated: 2026-05-10T12:51:15.514Z

Reserved: 2026-01-04T15:00:06.573Z

Link: CVE-2026-21708

cve-icon Vulnrichment

Updated: 2026-03-12T17:28:02.623Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-12T17:16:36.683

Modified: 2026-05-10T13:16:35.747

Link: CVE-2026-21708

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-10T15:30:14Z

Weaknesses