{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-1358","assignerOrgId":"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6","state":"PUBLISHED","assignerShortName":"icscert","dateReserved":"2026-01-22T20:21:20.996Z","datePublished":"2026-02-12T21:24:53.070Z","dateUpdated":"2026-03-03T20:23:34.197Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Airleader Master","vendor":"Airleader GmbH","versions":[{"lessThanOrEqual":"6.381","status":"affected","version":"0","versionType":"custom"}]}],"credits":[{"lang":"en","type":"finder","value":"Angel Lomeli of SySS reported this vulnerability to CISA."}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Airleader Master versions 6.381 and prior allow for file uploads without\n restriction to multiple webpages running maximum privileges. This could\n allow an unauthenticated user to potentially obtain remote code \nexecution on the server."}],"value":"Airleader Master versions 6.381 and prior allow for file uploads without\n restriction to multiple webpages running maximum privileges. This could\n allow an unauthenticated user to potentially obtain remote code \nexecution on the server."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]},{"cvssV4_0":{"Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"NETWORK","baseScore":9.3,"baseSeverity":"CRITICAL","exploitMaturity":"NOT_DEFINED","privilegesRequired":"NONE","providerUrgency":"NOT_DEFINED","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"NONE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N","version":"4.0","vulnAvailabilityImpact":"HIGH","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnerabilityResponseEffort":"NOT_DEFINED"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-434","description":"CWE-434","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6","shortName":"icscert","dateUpdated":"2026-03-03T20:23:34.197Z"},"references":[{"url":"https://www.cisa.gov/news-events/ics-advisories/icsa-26-043-10"},{"url":"https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-043-10.json"},{"url":"https://airleader.us/contact/"},{"url":"https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-044.txt"}],"solutions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"\nAirleader recommends that users upgrade Airleader Master to version 6.386 or later.
\nUsers of Airleader Master are encouraged to reach out to Airleader via \nemail (info@airleader.us) or submit a web form (
https://airleader.us/contact/) for more information and mitigation \nassistance.\n\n