CVE-2026-3519

Name of the Vulnerable Software and Affected Versions Progress ADC Products (affected versions not specified)

Description Two separate issues allow authenticated attackers to execute arbitrary commands on the LoadMaster appliance. The first involves OS command injection via the 'aclcontrol' command in the API, requiring "VS Administration" permissions. The second occurs in the UI during the file upload process for custom WAF (Web Application Firewall) rule files, requiring "All" permissions, due to unsanitized input.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.