CVE-2026-3518

OS Command Injection Remote Code Execution Vulnerability in Progress LoadMaster, ECS Connection Manager, Object Scale Connection Manager & MOVEit WAF

Description

OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an authenticated attacker with “All” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the 'killsession' command

INFO

Published Date :

2026-04-20T13:29:33.794Z

Last Modified :

2026-04-22T03:55:52.242Z

Source :

ProgressSoftware

AFFECTED PRODUCTS

The following products are affected by CVE-2026-3518 vulnerability.

Vendors	Products
Progress	Ecs Connection Manager Loadmaster Moveit Waf Object Scale Connection Manager

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-3518.

URL	Resource
https://community.progress.com/s/article/LoadMaster-Security-Vulnerabilites-CVE-2026-3517-CVE-2026-3518-CVE-2026-3519-CVE-2026-4048-CVE-2026-21876

CVSS Vulnerability Scoring System

V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact