10 matches found
Missing Authentication for Critical Function
Overview: arelle-release is an open source XBRL platform. Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the plugins parameter in the /rest/configure endpoint, which is processed without authentication or authorization. An attacker can execu...
catalystcoop-ferc-xbrl-extractor (>=0.6.1 <=0.8.4), catalystcoop-pudl (>=2022.11.30 <=2022.11.30.post1) +1 more potentially affected by CVE-2026-42796 via arelle-release (>=2.10.8 <=2.2.4)
arelle-release PYPI version =2.10.8, =0.6.1, =2022.11.30, =0.6.1, =0.7.0rc1 Source cves: CVE-2026-42796 Source advisory: SNYK:PYTHON-ARELLERELEASE-16635954...
CVE-2026-42796
Arelle before 2.39.10 contains an unauthenticated remote code execution vulnerability in the /rest/configure REST endpoint that accepts a plugins query parameter and forwards it to the plugin manager without authentication or authorization. Attackers can supply a URL to a malicious Python file...
EUVD-2026-27079
Arelle before 2.39.10 contains an unauthenticated remote code execution vulnerability in the /rest/configure REST endpoint that accepts a plugins query parameter and forwards it to the plugin manager without authentication or authorization. Attackers can supply a URL to a malicious Python file...
CVE-2026-42796 Arelle < 2.39.10 Unauthenticated RCE via /rest/configure
Arelle before 2.39.10 contains an unauthenticated remote code execution vulnerability in the /rest/configure REST endpoint that accepts a plugins query parameter and forwards it to the plugin manager without authentication or authorization. Attackers can supply a URL to a malicious Python file...
CVE-2026-42796
CVE-2026-42796 affects Arelle prior to 2.39.10. An unauthenticated remote code execution exists in the /rest/configure REST endpoint, where the plugins parameter is forwarded to the plugin manager without auth. An attacker can supply a URL to a malicious Python file via plugins, causing the Arell...
CVE-2026-42796
Arelle before 2.39.10 contains an unauthenticated remote code execution vulnerability in the /rest/configure REST endpoint that accepts a plugins query parameter and forwards it to the plugin manager without authentication or authorization. Attackers can supply a URL to a malicious Python file...
CVE-2026-42796 Arelle < 2.39.10 Unauthenticated RCE via /rest/configure
Arelle before 2.39.10 contains an unauthenticated remote code execution vulnerability in the /rest/configure REST endpoint that accepts a plugins query parameter and forwards it to the plugin manager without authentication or authorization. Attackers can supply a URL to a malicious Python file...
Arelle Access Control Error Vulnerability
Arelle is an open-source XBRL platform developed by Arelle Open Source. It supports data validation and integration. Versions of Arelle prior to 2.39.10 contained a security vulnerability related to access control. This vulnerability stemmed from the /rest/configure REST endpoint accepting plugin...
PT-2026-36887
Name of the Vulnerable Software and Affected Versions: Arelle versions prior to 2.39.10. Description: An unauthenticated remote code execution issue exists in the '/rest/configure' REST endpoint. The endpoint accepts a plugins query parameter and forwards it to the plugin manager without requiring...