CVE-2026-42796

Arelle < 2.39.10 Unauthenticated RCE via /rest/configure

CVSS 9.2 CRITICALEPSS 0.7%CWE-306

Arelle before 2.39.10 contains an unauthenticated remote code execution vulnerability in the /rest/configure REST endpoint that accepts a plugins query parameter and forwards it to the plugin manager without authentication or authorization. Attackers can supply a URL to a malicious Python file through the plugins parameter, causing the Arelle webserver to download and execute the attacker-controlled code within the Arelle process with its privileges.

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected products

Arelle · Arelle

public PoCs found — 1

githubgithub.com/ameerhamza-malik/CVE-2026-42796★ 0

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/Arelle/Arelle/pull/2320 https://github.com/Arelle/Arelle/releases/tag/2.39.10 https://www.vulncheck.com/advisories/arelle-unauthenticated-rce-via-rest-configure