CVE-2026-32999

CRITICAL 9.1

CVSS Score

9.1

EPSS Score

0.0%

EPSS Percentile

15th

Insufficient character filtering in backup agent signing module on Comet Backup server allows authenticated tenant administrator to execute an arbitrary code on behalf of a privileged user on the affected server and connected devices.

CWE	CWE-94
Vendor	webpros
Product	comet backup
Published	May 28, 2026
Last Updated	May 28, 2026

Stay Ahead of the Next One

Get instant alerts for webpros comet backup

Be the first to know when new critical vulnerabilities affecting webpros comet backup are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

WebPros / Comet Backup

0 < 26.4.3 0 < 26.5.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

support.cometbackup.com: https://support.cometbackup.com/hc/en-us/articles/40655100268439--CVE-2026-32999-RCE-on-Comet-Server-via-branding-configuration