CVE-2026-42796

Arelle < 2.39.10 Unauthenticated RCE via /rest/configure

CVSS 9.2 CRITICALEPSS 0.7%CWE-306

Arelle before 2.39.10 contains an unauthenticated remote code execution vulnerability in the /rest/configure REST endpoint that accepts a plugins query parameter and forwards it to the plugin manager without authentication or authorization. Attackers can supply a URL to a malicious Python file through the plugins parameter, causing the Arelle webserver to download and execute the attacker-controlled code within the Arelle process with its privileges.

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Produtos afetados

Arelle · Arelle

PoCs públicas encontradas — 1

githubgithub.com/ameerhamza-malik/CVE-2026-42796★ 0

⚠ Recursos públicos, para você avaliar a exposição de sistemas que controla ou está autorizado a testar. Teste apenas com autorização.

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://github.com/Arelle/Arelle/pull/2320 https://github.com/Arelle/Arelle/releases/tag/2.39.10 https://www.vulncheck.com/advisories/arelle-unauthenticated-rce-via-rest-configure