CVE-2026-42796
CRITICAL
9.8
Our Analysis: Environment Specific
Our model has classified this vulnerability as relevant to Environment Specific Systems, helping your team prioritize efforts effectively.
Published Date
May 4, 2026
Last Modified
May 4, 2026
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description
Arelle before 2.39.10 contains an unauthenticated remote code execution vulnerability in the /rest/configure REST endpoint that accepts a plugins query parameter and forwards it to the plugin manager without authentication or authorization. Attackers can supply a URL to a malicious Python file through the plugins parameter, causing the Arelle webserver to download and execute the attacker-controlled code within the Arelle process with its privileges.