CVE-2026-42796
Arelle < 2.39.10 Unauthenticated RCE via /rest/configure
Vexday Risk Score
28 (Low)
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 9.2 · EPSS 0.7% · KEV: no · PoC: — · Nuclei: — · Metasploit: — · Patch referenced
Lifecycle
04 May 2026: Published on NVD
08 May 2026: Public PoC
Recommendation: Monitor — no exploitation signal at the moment.
Arelle before 2.39.10 contains an unauthenticated remote code execution vulnerability in the /rest/configure REST endpoint that accepts a plugins query parameter and forwards it to the plugin manager without authentication or authorization. Attackers can supply a URL to a malicious Python file through the plugins parameter, causing the Arelle webserver to download and execute the attacker-controlled code within the Arelle process with its privileges.
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Affected products
Arelle · Arelle
Public PoCs found: 1
GitHub: github.com/ameerhamza-malik/CVE-2026-42796 (★ 0)
⚠ Public resources, for assessing the exposure of systems you control or are authorized to test. Test only with authorization.