CVE-2026-4048 OS Command Injection Remote Code Execution Vulnerability in Progress LoadMaster, ECS Connection Manager, Object Scale Connection Manager & MOVEit WAF

🗓️ 20 Apr 2026 13:36:49Reported by ProgressSoftwareType

CVE-2026-4048: Authenticated user with all permissions can execute commands via unsanitized WAF rule during upload on Progress LoadMaster.

Reporter	Title	Published	Views	Family All 16
ATTACKERKB	CVE-2026-4048	20 Apr 202613:36	–	attackerkb
ATTACKERKB	CVE-2026-3518	20 Apr 202613:29	–	attackerkb
ATTACKERKB	CVE-2026-3519	20 Apr 202613:32	–	attackerkb
ATTACKERKB	CVE-2026-3517	20 Apr 202613:22	–	attackerkb
Circl	CVE-2026-4048	20 Apr 202611:13	–	circl
CNNVD	Progress LoadMaster 安全漏洞	20 Apr 202600:00	–	cnnvd
CVE	CVE-2026-4048	20 Apr 202613:36	–	cve
EUVD	EUVD-2026-23856	20 Apr 202615:31	–	euvd
EUVD	EUVD-2026-23857	20 Apr 202615:31	–	euvd
EUVD	EUVD-2026-23858	20 Apr 202615:31	–	euvd

[
  {
    "vendor": "Progress Software",
    "product": "LoadMaster",
    "versions": [
      {
        "status": "affected",
        "version": "V7.1.20.0",
        "lessThan": "V7.2.63.0",
        "versionType": "custom"
      }
    ],
    "defaultStatus": "unaffected"
  },
  {
    "vendor": "Progress Software",
    "product": "ECS Connections Manager",
    "versions": [
      {
        "status": "affected",
        "version": "V7.2.49.0",
        "lessThan": "V7.2.63.0",
        "versionType": "custom"
      }
    ],
    "defaultStatus": "unaffected"
  },
  {
    "vendor": "Progress Software",
    "product": "Object Scale Connection Manager",
    "versions": [
      {
        "status": "affected",
        "version": "V7.2.62.0",
        "lessThan": "V7.2.63.0",
        "versionType": "custom"
      }
    ],
    "defaultStatus": "unaffected"
  },
  {
    "vendor": "Progress Software",
    "product": "MOVEit WAF",
    "versions": [
      {
        "status": "affected",
        "version": "V7.2.62.0",
        "lessThan": "V7.2.63.0",
        "versionType": "custom"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

Source	Link
community	www.community.progress.com/s/article/LoadMaster-Security-Vulnerabilites-CVE-2026-3517-CVE-2026-3518-CVE-2026-3519-CVE-2026-4048-CVE-2026-21876

20 Apr 2026 13:36Current

CVSS 3.18.4

EPSS0.00031

CWE-77