Zero Day Monitor (ZDM)
CVE-2026-4048 · PATCHED · 8.4
progress · adc (loadmaster)

OS Command Injection Remote Code Execution Vulnerability in Progress LoadMaster, ECS Connection Manager, Object Scale Connection Manager & MOVEit WAF

Description

OS Command Injection Remote Code Execution Vulnerability in UI in Progress ADC Products allows an authenticated attacker with “All” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in a custom WAF rule file during the file upload process.

Affected Products

Vendor: progress
Product: adc (loadmaster)
Versions: V7.1.20.0, V7.2.49.0, V7.2.62.0, V7.2.62.0

References

  • https://community.progress.com/s/article/LoadMaster-Security-Vulnerabilites-CVE-2026-3517-CVE-2026-3518-CVE-2026-3519-CVE-2026-4048-CVE-2026-21876 (vendor-advisory)

Related News (3 articles)

Tier D · SecurityWeek · 9d ago
Progress Patches Multiple Vulnerabilities in MOVEit WAF, LoadMaster
→ No new info (linked only)
Tier B · CCCS Canada · 10d ago
Progress security advisory (AV26-371)
→ No new info (linked only)
Tier C · VulDB · 10d ago
CVE-2026-4048 | Progress LoadMaster prior 7.2.63.0 UI command injection
→ No new info (linked only)

CVSS 3.1: 8.4 HIGH
Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CISA KEV: ❌ No
Actively exploited: ❌ No
Patch available: V7.2.63.0
CWE: CWE-77
Published: Apr 20, 2026
Last enriched: 9d ago (v3)
Trending Score: 15
Source articles: 3
Independent: 3
Info Completeness: 9/14
Missing: epss, kev, exploit, iocs, mitre_attack

Related CVEs (5)

CRITICAL · CVE-2026-4670 · EXP
Improper Authentication vulnerability in Progress MOVEit Automation
Trending: 74
CRITICAL · CVE-2026-5174 · EXP
Improper Access Control Vulnerability in Progress MOVEit Automation
Trending: 60
HIGH · CVE-2026-3518
OS Command Injection Remote Code Execution Vulnerability in Progress LoadMaster, ECS Connection Manager, Object Scale Connection Manager & MOVEit WAF
Trending: 17
HIGH · CVE-2026-6022 · EXP
Uncontrolled Resource Consumption Vulnerability in Telerik UI for ASP.NET AJAX
Trending: 15
HIGH · CVE-2026-3519
OS Command Injection Remote Code Execution Vulnerability in Progress LoadMaster, ECS Connection Manager, Object Scale Connection Manager & MOVEit WAF
Trending: 15

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published: Apr 20, 2026
Discovered by ZDM: Apr 20, 2026
Updated (severity): Apr 20, 2026
Updated (affectedVersions): Apr 21, 2026
Patch Available: Apr 22, 2026

Version History

v3
Last enriched 9d ago
v3 · Tier D · 9d ago

Updated description with new details, added affected versions, and marked exploit availability as true.

affectedVersions
via SecurityWeek
v2 · Tier C · 10d ago

Updated severity to CRITICAL and confirmed no exploit is available.

severity
via VulDB
v1 · 10d ago

Initial creation