CVE-2026-4048

OS Command Injection Remote Code Execution Vulnerability in Progress LoadMaster, ECS Connection Manager, Object Scale Connection Manager & MOVEit WAF

Description

OS Command Injection Remote Code Execution Vulnerability in UI in Progress ADC Products allows an authenticated attacker with “All” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in a custom WAF rule file during the file upload process.

INFO

Published Date :

2026-04-20T13:36:49.475Z

Last Modified :

2026-04-22T03:55:54.495Z

Source :

ProgressSoftware

AFFECTED PRODUCTS

The following products are affected by CVE-2026-4048 vulnerability.

Vendors	Products
Progress	Ecs Connection Manager Loadmaster Moveit Waf Object Scale Connection Manager

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-4048.

URL	Resource
https://community.progress.com/s/article/LoadMaster-Security-Vulnerabilites-CVE-2026-3517-CVE-2026-3518-CVE-2026-3519-CVE-2026-4048-CVE-2026-21876

CVSS Vulnerability Scoring System

V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact