Description

Catalyst is a platform built for enterprise game server hosts, game communities, and billing panel integrations. Install scripts defined in server templates execute directly on the host operating system as root via bash -c, with no sandboxing or containerization. Any user with template.create or template.update permission can define arbitrary shell commands that achieve full root-level remote code execution on every node machine in the cluster. This vulnerability is fixed in commit 11980aaf3f46315b02777f325ba02c56b110165d.

INFO

Published Date :

2026-02-10T18:58:02.732Z

Last Modified :

2026-02-10T19:10:21.719Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-26009 vulnerability.

Vendors Products
Karutoil
  • Catalyst
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-26009.

URL Resource
https://github.com/karutoil/catalyst/commit/11980aaf3f46315b02777f325ba02c56b110165d cve-icon cve-icon
https://github.com/karutoil/catalyst/security/advisories/GHSA-xv5r-cpcw-8wr3 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact