CVE-2026-32298 HIGH

CVE-2026-32298: Angeet ES3 KVM OS command injection

Vendor Angeet

Product ES3 KVM

Weakness CWE-78

Published March 17, 2026

Last update March 17, 2026

View on NVD All CVEs

CVSS base score

8.5/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H

What the vulnerability does

01Description

The Angeet ES3 KVM does not properly sanitize user-supplied variables parsed by the 'cfg.lua' script, allowing an authenticated attacker to execute OS-level commands.

Key dates

02Disclosure timeline

March 17, 2026 CVE published

March 17, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-32298

Related vulnerabilities

04Related CVE

CVE-2026-44590 Sherlock: Command Injection via pull_request_target in validate_modified_targets.yml CVE-2021-1560 Cisco DNA Spaces Connector Command Injection Vulnerabilities CVE-2025-55055 CVE-2026-33414 PowerShell Command Injection in Podman HyperV Machine CVE-2025-4230 PAN-OS: Authenticated Admin Command Injection Vulnerability Through CLI