CVE-2026-42796

CVE Database · CVE-2026-42796

CVE-2026-42796

· CRITICALAnalyzed

CVSS v3.1

9.8

CVSS v4.0

9.2

EPSS

0.73%

Published

May 4, 2026

Modified

May 27, 2026

Public PoC / Exploit

All weaponized →

No public PoC or exploit code indexed for this CVE.

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

Arelle before 2.39.10 contains an unauthenticated remote code execution vulnerability in the /rest/configure REST endpoint that accepts a plugins query parameter and forwards it to the plugin manager without authentication or authorization. Attackers can supply a URL to a malicious Python file through the plugins parameter, causing the Arelle webserver to download and execute the attacker-controlled code within the Arelle process with its privileges.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weaknesses (CWE)

CWE-306

Affected Products (1)

workiva · arelle (up to 2.39.10)vulnerable

References (3)

https://github.com/Arelle/Arelle/pull/2320

Issue TrackingPatch

https://github.com/Arelle/Arelle/releases/tag/2.39.10

Release Notes

https://www.vulncheck.com/advisories/arelle-unauthenticated-rce-via-rest-configure

Third Party Advisory

KEV Catalog EPSS Scores Vendors All CVEs