CVE-2026-42796
Unauthenticated Remote Code Execution in Arelle
Publication date: 2026-05-04
Last updated on: 2026-05-04
Assigner: VulnCheck
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| arelle | arelle | < 2.39.10 (upper bound exclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Arelle versions before 2.39.10 and involves the /rest/configure REST endpoint. The endpoint accepts a plugins query parameter and forwards it to the plugin manager without requiring any authentication or authorization (CWE-306, Missing Authentication for Critical Function).
An attacker can exploit this by supplying a URL to a malicious Python file through the plugins parameter. The Arelle webserver then downloads and executes this attacker-controlled code within the Arelle process, running with the same privileges as the server.
How can this vulnerability impact me?
This vulnerability allows an unauthenticated attacker to remotely execute arbitrary code on the server running Arelle. This can lead to full compromise of the affected system, including unauthorized access, data theft, data manipulation, or disruption of services.