CVE-2026-5562
Published: 05 April 2026
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2026-5562 is a code injection vulnerability in Provectus Kafka-UI versions up to 0.7.2. It affects the validateAccess function in the /api/smartfilters/testexecutions endpoint, enabling remote code injection as classified under CWE-74 (Injection) and CWE-94 (Code Injection). The vulnerability carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating high severity due to its network accessibility and low complexity.
Attackers can exploit this vulnerability remotely without privileges or user interaction by manipulating the affected endpoint, resulting in code injection that compromises confidentiality, integrity, and availability to a low degree. No authentication is required, making it accessible to unauthenticated remote actors.
Disclosure references, including those from VulDB, indicate that a public exploit is available via a Google Drive link, and the vendor was contacted early but provided no response, with no patches or official mitigations documented as of publication on 2026-04-05.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a remote, unauthenticated code injection in a web application endpoint, directly enabling exploitation of public-facing applications for initial access.