CVE-2026-9645
Published: 28 May 2026
Summary
CVE-2026-9645 is a critical-severity OS Command Injection (CWE-78) vulnerability. Its CVSS base score is 9.9 (Critical).
Operationally, ranked at the 15.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
Deeper analysisAI
Automated synthesis unavailable for this CVE.
Vulnerability
Exposed methods allow authenticated users to create and execute arbitrary JavaScript code on the server. The scripts execute with full access, enabling complete system compromise as commands are executed as root.
- CWE(s)
- OWASP Top 10 Web 2025
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-33028
Regulatory context (EU CRA / NIS2 / DORA / UK NIS Regulations)
EU Cyber Resilience Act — coordinated disclosure
Critical and high-severity vulnerabilities in products with digital elements may trigger coordinated-disclosure obligations under the EU Cyber Resilience Act (CRA, Regulation 2024/2847). Manufacturers placing products on the EU market must notify ENISA and the relevant CSIRTs without undue delay once active exploitation is known.
Threat picture
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Defense & controls
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.