📦

loadmaster

Vendor: progress

Login to add this product to WatchStack
Actively Exploited 1 CISA KEV List
PoC / Exploits 1 Code Available
Total RCEs 9 Remote Access
Total CVEs 17 Total Indexed
Avg. EPSS 12.03% Exploit Prob.
Latest CVE CVE-2026-4048 Apr 20

Security Vulnerability Index

Page 1 / 2
8.4 CVSS
CVE-2026-4048
RCE

OS Command Injection Remote Code Execution Vulnerability in UI in Progress ADC Products allows an authenticated attacker with “All” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in a custom WAF rule file during the file upload process.

EPSS: 0.03%
8.4 CVSS
CVE-2026-3519
RCE

OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an authenticated attacker with “VS Administration” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the 'aclcontrol' command

EPSS: 0.04%
8.4 CVSS
CVE-2026-3518
RCE

OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an authenticated attacker with “All” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the 'killsession' command

EPSS: 0.20%
8.4 CVSS
CVE-2026-3517
RCE

OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an authenticated attacker with “Geo Administration” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the 'addcountry' command

EPSS: 0.27%
8.4 CVSS
CVE-2025-13447
RCE

OS Command Injection Remote Code Execution Vulnerability in API in Progress LoadMaster allows an authenticated attacker with “User Administration” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the API input parameters

EPSS: 0.16%
8.4 CVSS
CVE-2025-13444
RCE

OS Command Injection Remote Code Execution Vulnerability in API in Progress LoadMaster allows an authenticated attacker with “User Administration” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the API input parameters

EPSS: 0.05%
8.4 CVSS
CVE-2024-8755
RCE

Improper Input Validation vulnerability of Authenticated User in Progress LoadMaster allows : OS Command Injection.This issue affects:  Product Affected Versions LoadMaster From 7.2.55.0 to 7.2.60.1 (inclusive)    From 7.2.49.0 to 7.2.54.12 (inclusive)    7.2.48.12 and all prior versions Multi-Tenant Hypervisor 7.1.35.12 and all prior versions ECS All prior versions to 7.2.60.1 (inclusive)

EPSS: 0.82%
7.5 CVSS
CVE-2024-3544

Unauthenticated attackers can perform actions, using SSH private keys, by knowing the IP address and having access to the same network of one of the machines in the HA or Cluster group. This vulnerability has been closed by enhancing LoadMaster partner communications to require a shared secret that must be exchanged between the partners before communication can proceed.

EPSS: 0.24%
6.4 CVSS
CVE-2024-3543

Use of reversible password encryption algorithm allows attackers to decrypt passwords.  Sensitive information can be easily unencrypted by the attacker, stolen credentials can be used for arbitrary actions to corrupt the system.

EPSS: 0.13%
7.5 CVSS
CVE-2024-2449

A cross-site request forgery vulnerability has been identified in LoadMaster.  It is possible for a malicious actor, who has prior knowledge of the IP or hostname of a specific LoadMaster, to direct an authenticated LoadMaster administrator to a third-party site. In such a scenario, the CSRF payload hosted on the malicious site would execute HTTP transactions on behalf of the LoadMaster administrator.

EPSS: 3.32%