Remote Code Execution Vulnerability in Comet Backup Server
CVE-2026-32999

9.1 CRITICAL

Key Information:

Vendor: Webpros
CVE Published: 28 May 2026

What is CVE-2026-32999?

A flaw in the backup agent signing module of Comet Backup Server allows an authenticated tenant administrator to execute arbitrary code. This issue arises from insufficient character filtering, which could enable attackers to perform unauthorized actions on behalf of a privileged user, affecting both the server and connected devices.

Affected Version(s)

Comet Backup 0 < 26.4.3

Comet Backup 0 < 26.5.0

CVSS V3.1

Score: 9.1
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
