CVE-2026-3014
Remote Code Execution by administrative user on the Management Server
CVSS Score
9.1
EPSS Score
0.6%
EPSS Percentile
46th
Milestone has released a new version of XProtect® (and several cumulative patch updates) which fix security vulnerability in Management Server API. The vulnerability causes users with edit permissions to the Management Server to be able to execute arbitrary code in context of the Management Server Service.
| CWE | CWE-78 |
| Vendor | milestone systems |
| Product | xprotect management server |
| Published | Jul 14, 2026 |
| Last Updated | Jul 16, 2026 |
Stay Ahead of the Next One
Get instant alerts for milestone systems xprotect management server
Be the first to know when new critical vulnerabilities affecting milestone systems xprotect management server are published — delivered to Slack, Telegram or Discord.
Get Free Alerts →
Free · No credit card · 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High
Affected Versions
Milestone Systems / XProtect Management Server
0 ≤ 25.3
References
support.milestonesys.com: https://support.milestonesys.com/article/CVE-2026-3014-potential-remote-code-execution-by-admin-user-on-Management-Server doc.milestonesys.com: https://doc.milestonesys.com/en-US/bundle/sec1504_latest/page/milestone_security_advisory_CVE-2026-3014_potential_remote_code_execution_by_admin_user_on_Management_Server.html
Credits
Icare Zyp3