CVE Catalog

CVE-2026-42796

Critical
Published: Translated: NVD NIST

Summary

Arelle before 2.39.10 contains an unauthenticated remote code execution vulnerability in the /rest/configure REST endpoint that accepts a plugins query parameter. Attackers can supply a URL to a malicious Python file, leading to the download and execution of attacker-controlled code.

Risk Assessment

This vulnerability allows attackers to execute arbitrary code within the Arelle process, potentially leading to severe security breaches and data loss.

Recommendation

It is recommended to update Arelle to version 2.39.10 or later to mitigate this vulnerability. Additionally, access to the /rest/configure endpoint should be restricted.

Original NVD description (English source)

Arelle before 2.39.10 contains an unauthenticated remote code execution vulnerability in the /rest/configure REST endpoint that accepts a plugins query parameter and forwards it to the plugin manager without authentication or authorization. Attackers can supply a URL to a malicious Python file through the plugins parameter, causing the Arelle webserver to download and execute the attacker-controlled code within the Arelle process with its privileges.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS