Description
Insufficient character filtering in the backup agent signing module on the Comet Backup server allows an authenticated tenant administrator to execute arbitrary code on behalf of a privileged user on the affected server and connected devices.
Published: 2026-05-28
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An insufficient character filtering flaw in the backup agent signing module of WebPros Comet Backup allows an authenticated tenant administrator to execute arbitrary code on the server with privileged user rights, and subsequently on any connected devices. The vulnerability stems from unsanitized input in the signing process, enabling code injection and full system compromise. The impact is total loss of confidentiality, integrity and availability for the affected server and networks it services.

Affected Systems

WebPros Comet Backup software is affected. No specific versions are listed in the advisory, so all deployments that have not applied the vendor’s patch are potentially vulnerable.

Risk and Exploitability

The CVSS score of 9.1 indicates a very high severity. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector requires an authenticated tenant administrator; an attacker in that role can exploit the flaw to run code with the rights of a privileged user, potentially enabling lateral movement to connected devices.

Generated by OpenCVE AI on May 28, 2026 at 05:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official security patch released by WebPros for Comet Backup as soon as it becomes available
  • Temporarily restrict tenant administrator privileges and audit configuration changes until the patch is deployed
  • Update or replace the signing module with a version that implements proper input validation
  • Ensure all connected devices and services are also patched or isolated to prevent lateral movement


Advisories

No advisories yet.

History

Thu, 28 May 2026 13:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 28 May 2026 05:45:00 +0000

Type | Values Removed | Values Added
Title | | Remote Code Execution via Unsanitized Signing Module in Comet Backup Server
First Time appeared | | Webpros; Webpros comet Backup
Vendors & Products | | Webpros; Webpros comet Backup

Thu, 28 May 2026 04:45:00 +0000

Type | Values Removed | Values Added
Description | | Insufficient character filtering in the backup agent signing module on the Comet Backup server allows an authenticated tenant administrator to execute arbitrary code on behalf of a privileged user on the affected server and connected devices.
Weaknesses | | CWE-94
References | |
Metrics | | cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: hackerone

Published:

Updated: 2026-05-28T13:09:20.180Z

Reserved: 2026-03-17T15:00:07.747Z

Link: CVE-2026-32999

Vulnrichment

Updated: 2026-05-28T13:09:16.955Z

NVD

Status: Deferred

Published: 2026-05-28T05:16:36.107

Modified: 2026-05-29T15:39:34.620

Link: CVE-2026-32999

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T05:30:06Z

Weaknesses