CVE-2026-5426
CriticalSummary
In Digital Knowledge KnowledgeDeliver systems prior to February 24, 2026, there is a hard-coded machineKey value in ASP.NET/IIS, allowing adversaries to bypass ViewState validation mechanisms and achieve remote code execution via malicious ViewState deserialization attacks.
Risk Assessment
Organizations may face serious security threats, including remote code execution, which could lead to data loss or system takeover.
Recommendation
It is recommended to update Digital Knowledge KnowledgeDeliver systems to versions after February 24, 2026, to remove the hard-coded machineKey value and implement additional security mechanisms for ViewState.
Original NVD description (English source)
Hard-coded ASP.NET/IIS machineKey value in Digital Knowledge KnowledgeDeliver deployments prior to February 24, 2026 allows adversaries to circumvent ViewState validation mechanisms and achieve remote code execution via malicious ViewState deserialization attacks

