OS Command Injection Remote Code Execution Vulnerability in Progress LoadMaster, ECS Connection Manager, Object Scale Connection Manager & MOVEit WAF
CVE-2026-8037

9.6CRITICAL

Key Information:

Vendor: Progress Software
Status: Loadmaster; Ecs Connections Manager; Object Scale Connection Manager; Moveit Waf
Vendor: CVE Published:; 4 June 2026

🔔 Create Progress Software Vulnerability Alert

What is CVE-2026-8037?

OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an un-authenticated attacker to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in multiple command endpoints

Affected Version(s)

ECS Connections Manager V7.2.60.0

LoadMaster V7.2.60.0

LoadMaster V7.2.45.12

References

https://community.progress.com/s/article/LoadMaster-Criti...

vendor-advisory

CVSS V3.1

Score:

9.6

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Adjacent Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 4, 2026
Vulnerability Reserved
May 6, 2026

Credit

Jacky Yang and Syed Ibrahim Ahmed of TrendAI Research

CVE-2026-8037 Data

JSON