cbcvebase.
CVE-2026-1358
published 2026-02-12


Priority P266 · critical · 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 1.21% (64.5th percentile)

Airleader Master versions 6.381 and prior allow for file uploads without restriction to multiple webpages running maximum privileges. This could allow an unauthenticated user to potentially obtain remote code execution on the server.

Affected

1 range

| Vendor | Product | Version range | Fixed in |
| --- | --- | --- | --- |
| airleader_gmbh | airleader_master | <= 6.381 | |

Detection & IOCs (extracted from sources)

  • Vulnerability class is Unrestricted Upload of File with Dangerous Type (CWE-434) on multiple webpages of Airleader Master; monitor for unauthenticated file upload requests to the web interface of Airleader Master versions 6.381 and prior
  • No authentication is required to exploit this vulnerability (PR:N, UI:N per CVSS vector); alert on any file upload HTTP requests to Airleader Master web endpoints from unauthenticated sessions
  • All Airleader Master deployments running version 6.381 or earlier are affected; the web interface runs with maximum privileges, amplifying the impact of a successful file upload exploit
  • The vulnerability is network-accessible with no authentication required and low attack complexity, making it trivially exploitable from any network-reachable host; isolate Airleader Master behind firewalls and VPNs and ensure it is not internet-facing
  • Affected sectors include Chemical, Critical Manufacturing, Energy, Food and Agriculture, Healthcare and Public Health, Transportation Systems, and Water and Wastewater; prioritize patching in these environments

CVSS provenance

nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v4.0 · 9.3 CRITICAL · CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X