CVE-2026-10520

Status: PUBLISHED | KEV | CVSS 10 (CRITICAL)

CVE-2026-10520 is an OS command injection vulnerability with a maximum CVSS score of 10.0 that can be exploited remotely without authentication to execute arbitrary code with root privileges. CVE-2026-10523 is an authentication bypass vulnerability (CVSS:3.1 9.9) that allows a remote unauthenticated attacker to create arbitrary administrative accounts and obtain full administrative access. The flaw enables attackers to circumvent normal authentication mechanisms, fundamentally undermining the security model of the system.

Risk Scores

CVSS 3.1 score: 10
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Affected Products

Vendor | Product | Versions
Ivanti | Ivanti Sentry | before the R10.5.2, R10.6.2 and R10.7.1 versions

Timeline

  • CVE Published
  • May 16, 2022 CrowdSec Sighting
  • Apr 5, 2023 CrowdSec Sighting
  • Sep 15, 2025 CrowdSec Sighting
  • Jun 11, 2026 CISA KEV Added
  • Jun 11, 2026 PoC Published
  • Jun 11, 2026 Coalition ESS Score
  • Jun 11, 2026 Security Advisory
  • Jun 14, 2026 CrowdSec Sighting