CVE-2026-1358
Published: 2026-02-12
Priority: P266, critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.21% (64.5th percentile)
Airleader Master versions 6.381 and prior allow for file uploads without
restriction to multiple webpages running maximum privileges. This could
allow an unauthenticated user to potentially obtain remote code
execution on the server.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| airleader_gmbh | airleader_master | <= 6.381 | — |
Detection & IOCs (extracted from sources)
- Vulnerability class is Unrestricted Upload of File with Dangerous Type (CWE-434) on multiple webpages of Airleader Master; monitor for unauthenticated file upload requests to the web interface of Airleader Master versions 6.381 and prior.
- No authentication is required to exploit this vulnerability (PR:N, UI:N per CVSS vector); alert on any file upload HTTP requests to Airleader Master web endpoints from unauthenticated sessions.
- All Airleader Master deployments running version 6.381 or earlier are affected; the web interface runs with maximum privileges, amplifying the impact of a successful file upload exploit.
- The vulnerability is network-accessible with no authentication required and low attack complexity, making it trivially exploitable from any network-reachable host; isolate Airleader Master behind firewalls and VPNs and ensure it is not internet-facing.
- Affected sectors include Chemical, Critical Manufacturing, Energy, Food and Agriculture, Healthcare and Public Health, Transportation Systems, and Water and Wastewater; prioritize patching in these environments.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 9.3 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
GHSA
GHSA-m2gf-58fp-54j4: Airleader Master versions 6
ghsa_unreviewed · 2026-02-13
CVE-2026-1358 [CRITICAL] CWE-434 GHSA-m2gf-58fp-54j4: Airleader Master versions 6
CISA ICS
Airleader Master
cisa_ics · 2026-02-12 · CVSS 9.8
CVE-2026-1358 [CRITICAL] Airleader Master
ICS Advisory
## Airleader Master
Release Date: February 12, 2026
Alert Code: ICSA-26-043-10
Related topics: Industrial Control System Vulnerabilities, Industrial Control Systems
## Summary
Successful exploitation of this vulnerability could allow an attacker to obtain remote code execution.
The following versions of Airleader Master are affected:
- Airleader Master <=6.381 (CVE-2026-1358)
| CVSS | Vendor | Equipment | Vulnerabilities |
|---|---|---|---|
| v3 9.8 | Airleader GmbH | Airleader Master | Unrestricted Upload of File with Dangerous Type |
## Background
- Critical Infrastructure Sectors: Chemical, Critical Manufacturing, Energy, Food and Agriculture, Healthcare and Public Health, Transportation Systems, Water and Wastewater
- Countries/Areas Deployed: Worldwide
- Co
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-02-12