CVE Catalog

CVE-2026-5426

Critical
Published: Translated: NVD NIST

Summary

In Digital Knowledge KnowledgeDeliver systems prior to February 24, 2026, there is a hard-coded machineKey value in ASP.NET/IIS, allowing adversaries to bypass ViewState validation mechanisms and achieve remote code execution via malicious ViewState deserialization attacks.

Risk Assessment

Organizations may face serious security threats, including remote code execution, which could lead to data loss or system takeover.

Recommendation

It is recommended to update Digital Knowledge KnowledgeDeliver systems to versions after February 24, 2026, to remove the hard-coded machineKey value and implement additional security mechanisms for ViewState.

Original NVD description (English source)

Hard-coded ASP.NET/IIS machineKey value in Digital Knowledge KnowledgeDeliver deployments prior to February 24, 2026 allows adversaries to circumvent ViewState validation mechanisms and achieve remote code execution via malicious ViewState deserialization attacks

Vulnerability data from NVD (NIST) · CISA KEV · EPSS