CVE-2026-42796
CriticalSummary
Arelle before 2.39.10 contains an unauthenticated remote code execution vulnerability in the /rest/configure REST endpoint that accepts a plugins query parameter. Attackers can supply a URL to a malicious Python file, leading to the download and execution of attacker-controlled code.
Risk Assessment
This vulnerability allows attackers to execute arbitrary code within the Arelle process, potentially leading to severe security breaches and data loss.
Recommendation
It is recommended to update Arelle to version 2.39.10 or later to mitigate this vulnerability. Additionally, access to the /rest/configure endpoint should be restricted.
Original NVD description (English source)
Arelle before 2.39.10 contains an unauthenticated remote code execution vulnerability in the /rest/configure REST endpoint that accepts a plugins query parameter and forwards it to the plugin manager without authentication or authorization. Attackers can supply a URL to a malicious Python file through the plugins parameter, causing the Arelle webserver to download and execute the attacker-controlled code within the Arelle process with its privileges.

