CVE-2026-32298

CRITICAL 9.1

Angeet ES3 KVM OS command injection

CVSS Score

9.1

EPSS Score

0.0%

EPSS Percentile

0th

The Angeet ES3 KVM does not properly sanitize user-supplied variables parsed by the 'cfg.lua' script, allowing an authenticated attacker to execute OS-level commands.

CWE	CWE-78
Vendor	angeet
Product	es3 kvm
Published	Mar 17, 2026
Last Updated	Mar 17, 2026

Stay Ahead of the Next One

Get instant alerts for angeet es3 kvm

Be the first to know when new critical vulnerabilities affecting angeet es3 kvm are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

ANGEET / ES3 KVM

0 < *

References

NVD ↗ CVE.org ↗ EPSS Data ↗

eclypsium.com: https://eclypsium.com/blog/kvm-devices-the-keys-to-your-kingdom-are-hanging-on-the-network/ raw.githubusercontent.com: https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-076-01.json cve.org: https://www.cve.org/CVERecord?id=CVE-2026-32291

Credits

Reynaldo Vasquez Garcia, Eclypsium