CVE-2026-32999
published 2026-05-28CVE-2026-32999: Insufficient character filtering in backup agent signing module on Comet Backup server allows authenticated tenant administrator to execute an arbitrary code…
PriorityP260critical9CVSS 3.1
AVNACHPRNUINSCCHIHAH
EPSS
0.31%
23.0th percentile
Insufficient character filtering in backup agent signing module on Comet Backup server allows authenticated tenant administrator to execute an arbitrary code on behalf of a privileged user on the affected server and connected devices.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| webpros | comet_backup | < 26.4.3 | 26.4.3 |
| webpros | comet_backup | < 26.5.0 | 26.5.0 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
VulDB
WebPros Comet Backup up to 26.4.2/26.4.x Backup Agent Signing code injection (EUVD-2026-32715 / CNNVD-202605-6644)
vuldb·2026-05-30·CVSS 9.0
CVE-2026-32999 [CRITICAL] WebPros Comet Backup up to 26.4.2/26.4.x Backup Agent Signing code injection (EUVD-2026-32715 / CNNVD-202605-6644)
A vulnerability identified as critical has been detected in WebPros Comet Backup up to 26.4.2/26.4.x. The impacted element is an unknown function of the component Backup Agent Signing Module. This manipulation causes code injection.
This vulnerability is handled as CVE-2026-32999. The attack can be initiated remotely. There is not any exploit available.
You should upgrade the affected component.
GHSA
GHSA-x8w2-9wjv-3hv6: Insufficient character filtering in backup agent signing module on Comet Backup server allows authenticated tenant administrator to execute an arbitra
ghsa_unreviewed·2026-05-28
CVE-2026-32999 [CRITICAL] CWE-94 GHSA-x8w2-9wjv-3hv6: Insufficient character filtering in backup agent signing module on Comet Backup server allows authenticated tenant administrator to execute an arbitra
Insufficient character filtering in backup agent signing module on Comet Backup server allows authenticated tenant administrator to execute an arbitrary code on behalf of a privileged user on the affected server and connected devices.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-05-28
Published