CVE-2026-2630
Received Received - Intake

Command Injection in Tenable Security Center Enables Remote Code Execution

Vulnerability report for CVE-2026-2630, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-02-17

Last updated on: 2026-02-17

Assigner: Tenable Network Security, Inc.

Description

A Command Injection vulnerability exists where an authenticated, remote attacker could execute arbitrary code on the underlying server where Tenable Security Center is hosted.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-02-17
Last Modified
2026-02-17
Generated
2026-07-06
AI Q&A
2026-02-17
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 6 associated CPEs
Vendor Product Version / Range
tenable security_center 6.5.1
tenable security_center 6.6.0
tenable security_center 6.7.2
apache http_server 2.4.66
php php 8.2.30
curl libcurl 8.18.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-2630 is a Command Injection vulnerability in Tenable Security Center that allows an authenticated remote attacker to execute arbitrary code on the underlying server hosting the application.

This vulnerability arises from improper neutralization of special elements used in operating system commands (classified as CWE-78), enabling attackers to inject and run malicious commands remotely.

Impact Analysis

An attacker exploiting this vulnerability can execute arbitrary code on the server, potentially leading to full compromise of the system.

  • Loss of confidentiality, as sensitive data on the server could be accessed.
  • Loss of integrity, since the attacker can modify data or system configurations.
  • Loss of availability, as the attacker could disrupt services or cause denial of service.
Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate the CVE-2026-2630 Command Injection vulnerability in Tenable Security Center, you should immediately apply the security patches released by Tenable.

  • Apply patch SC-202602.2 which specifically addresses the critical Command Injection vulnerability.
  • Also apply patch SC-202602.1 to upgrade Apache to version 2.4.66, PHP to version 8.2.30, and libcurl to version 8.18.0, mitigating related vulnerabilities.

These patches are available from the Tenable Downloads Portal and should be applied promptly to reduce risk.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2630. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart