CVE-2026-1358

Critical

Published: 12 February 2026

Published

12 February 2026

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0010 27.2th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

Airleader Master versions 6.381 and prior allow for file uploads without restriction to multiple webpages running maximum privileges. This could allow an unauthenticated user to potentially obtain remote code execution on the server.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly validates file uploads to restrict malicious files, preventing unrestricted uploads leading to RCE.

IA-8 Identification and Authentication (Non-organizational Users) good match

prevent

Requires identification and authentication for non-organizational users accessing file upload webpages, blocking unauthenticated exploitation.

AC-6 Least Privilege good match

prevent

Enforces least privilege on webpages running with maximum privileges, limiting RCE impact from uploaded malicious files.

Security SummaryAI

CVE-2026-1358 is an unrestricted file upload vulnerability (CWE-434) in Airleader Master versions 6.381 and prior. It affects multiple webpages running with maximum privileges, enabling file uploads without restrictions. Published on 2026-02-12, the flaw carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for remote code execution on the affected server.

An unauthenticated attacker with network access can exploit this low-complexity vulnerability without requiring user interaction. Successful exploitation allows the attacker to upload malicious files, potentially achieving remote code execution on the server with high impacts to confidentiality, integrity, and availability.

Mitigation guidance is available in vendor and third-party advisories, including CISA ICSA-26-043-10 (https://www.cisa.gov/news-events/ics-advisories/icsa-26-043-10), SYSS-2025-044 (https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-044.txt), and the CSAF document at https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-043-10.json. Security practitioners should review these for patching instructions and workarounds, along with contacting the vendor via https://airleader.us/contact/.

Details

CWE(s): CWE-434

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

CVE-2026-1358 enables unauthenticated attackers to exploit a public-facing web application via unrestricted file upload, achieving remote code execution, which directly maps to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://airleader.us/contact/
ics-cert@hq.dhs.gov
https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-043-10.json
ics-cert@hq.dhs.gov
https://www.cisa.gov/news-events/ics-advisories/icsa-26-043-10
ics-cert@hq.dhs.gov
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-044.txt
ics-cert@hq.dhs.gov