CVE-2026-42603
OWASP · BLT
OWASP BLT is vulnerable to code injection and eval injection, allowing unauthenticated attackers to execute arbitrary code.
Executive summary
A critical code injection vulnerability in OWASP BLT versions prior to 2.1.2 poses a severe risk of complete system compromise via remote code execution.
Vulnerability
This vulnerability involves Improper Control of Generation of Code (CWE-94) and Improper Neutralization of Directives in Dynamically Evaluated Code (CWE-95). The attack vector is network-based and does not require authentication (AV:N/AC:L/PR:N).
Business impact
Successful exploitation of this vulnerability allows an attacker to execute arbitrary code on the underlying server, leading to a complete loss of confidentiality, integrity, and availability. With a CVSS score of 8.8, this flaw represents a High severity risk that could result in full system takeover, data exfiltration, and disruption of critical QA and vulnerability disclosure workflows.
Remediation
Immediate Action: Upgrade to OWASP BLT version 2.1.2 or later immediately to patch the injection vulnerabilities.
Proactive Monitoring: Monitor server logs for suspicious system-level command execution or unusual outbound network traffic originating from the web application server.
Compensating Controls: Deploy a Web Application Firewall (WAF) with rules configured to detect and block common code injection patterns and suspicious payloads in HTTP requests.
Exploitation status
Public Exploit Available: No (Exploit_available: unknown)
Analyst recommendation
Given the severity of the code injection flaw and the existence of a proof-of-concept, administrators should prioritize this update. Immediate patching is the only effective way to eliminate the risk of remote code execution.