CVE-2026-32298 | THREATINT

Description

The Angeet ES3 KVM does not properly sanitize user-supplied variables parsed by the 'cfg.lua' script, allowing an authenticated attacker to execute OS-level commands.

PUBLISHED Reserved 2026-03-11 | Published 2026-03-17 | Updated 2026-03-17 | Assigner cisa-cg

HIGH: 8.5CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H

CRITICAL: 9.1CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Problem types

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Product status

Default status

unknown

Any version before *

affected

Credits

Reynaldo Vasquez Garcia, Eclypsium

References

eclypsium.com/...to-your-kingdom-are-hanging-on-the-network/ (url)

raw.githubusercontent.com/...IT/white/2025/va-26-076-01.json (url)

www.cve.org/CVERecord?id=CVE-2026-32291 (url)

cve.org (CVE-2026-32298)

nvd.nist.gov (CVE-2026-32298)

Download JSON