PT-2026-48532 · Unknown+1 · Updraftcentral+1

Published: 2026-06-10 · Updated: 2026-06-10 · CVE-2026-10795

Severity: None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.

Name of the Vulnerable Software and Affected Versions

UpdraftPlus versions prior to 1.26.5
UpdraftCentral versions prior to 0.8.32

Description

An unauthenticated authentication bypass allows remote code execution on sites connected to UpdraftCentral, a remote management dashboard. The issue occurs because failed RSA decryption collapses to a predictable all-zero AES key, which enables the forging of RPC commands. This allows an attacker to execute PHP code, upload malicious plugins, and run remote commands as the connected administrator. Approximately 3 million sites are potentially affected, and the flaw is being exploited in the wild.

Recommendations

Update UpdraftPlus to version 1.26.5 or newer.
Update UpdraftCentral to version 0.8.32 or later.

Related Identifiers

CVE-2026-10795

Affected Products

Updraftcentral
Updraftplus