CVE-2026-42603

OWASP · BLT

OWASP BLT is vulnerable to code injection and eval injection, allowing unauthenticated attackers to execute arbitrary code.

Executive summary

A critical code injection vulnerability in OWASP BLT versions prior to 2.1.2 poses a severe risk of complete system compromise via remote code execution.

Vulnerability

This vulnerability involves Improper Control of Generation of Code (CWE-94) and Improper Neutralization of Directives in Dynamically Evaluated Code (CWE-95). The attack vector is network-based and does not require authentication (AV:N/AC:L/PR:N).

Business impact

Successful exploitation of this vulnerability allows an attacker to execute arbitrary code on the underlying server, leading to a complete loss of confidentiality, integrity, and availability. With a CVSS score of 8.8, this flaw represents a High severity risk that could result in full system takeover, data exfiltration, and disruption of critical QA and vulnerability disclosure workflows.

Remediation

Immediate Action: Upgrade to OWASP BLT version 2.1.2 or later immediately to patch the injection vulnerabilities.

Proactive Monitoring: Monitor server logs for suspicious system-level command execution or unusual outbound network traffic originating from the web application server.

Compensating Controls: Deploy a Web Application Firewall (WAF) with rules configured to detect and block common code injection patterns and suspicious payloads in HTTP requests.

Exploitation status

Public Exploit Available: No (Exploit_available: unknown)

Analyst recommendation

Given the severity of the code injection flaw and the existence of a proof-of-concept, administrators should prioritize this update. Immediate patching is the only effective way to eliminate the risk of remote code execution.