CVE-2026-44860

⚠️ high

Summary

SQL injection vulnerabilities exist in several underlying service components accessible through the AOS-8 and AOS-10 command-line interface and management protocol. An authenticated attacker with administrative privileges could exploit these vulnerabilities by injecting crafted input into parameters that are passed unsanitized to backend database queries. Successful exploitation could allow the attacker to execute arbitrary commands on the underlying operating system.

CVSS Score

7.2

High

EPSS Score

0.0

Exploit Probability

Published Date

2026-05-12

First Seen: 2026-05-17

📊 Relative Risk Intelligence

This CVE is Moderate Risk - more severe than 55.6% of all 321,566 vulnerabilities in our database.

#142,887

Above average severity

Severity Percentile

🎯 CISA SSVC Assessment Updated: May 13, 2026

🔍 Exploitation Status

None

No known exploits

⚙️ Automatable

Requires human interaction

💥 Technical Impact

Total

Complete system compromise possible

🏆 Discovered By

zzcentury (reporter)

SSVC data provided by CISA

Last Modified 2026-05-14

Source NVD 🔗

CVSS Vector 3.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE IDs (Weakness Types)

CWE-89

📦 Affected Products 7

Vendor	Product	Status	Affected Versions
arubanetworks	arubaos	Affected	> 10.4.0.0 < 10.4.1.11
arubanetworks	arubaos	Affected	> 10.5.0.0 < 10.7.2.3
arubanetworks	arubaos	Affected	> 6.5.4.0 < 8.10.0.22
arubanetworks	arubaos	Affected	> 8.11.0.0 < 8.12.0.7
arubanetworks	arubaos	Affected	> 8.13.0.0 < 8.13.1.2
arubanetworks	sd-wan	Affected	> 8.6.0.4-2.2.0.0 < 8.6.0.4-2.2.0.7
arubanetworks	sd-wan	Affected	> 8.7.0.0-2.3.0.0 < 8.7.0.0-2.3.0.9

🔗 References 1

https://support.hpe.com/hpesc/public/docDisplay?docI...

Vendor Advisory

🔗 Related CVEs 6

CVE ID	Severity	CVSS	EPSS	Summary	Published
CVE-2026-23824	⚠️ high	7.5	0.0	Vulnerabilities exist in a protocol-handling component of AOS-8 and AOS-10 Operating Systems. An unauthenticated attacke...	2026-05-12
CVE-2026-23825	⚠️ high	7.5	0.1	Vulnerabilities exist in a protocol-handling component of AOS-8 and AOS-10 Operating Systems. An unauthenticated attacke...	2026-05-12
CVE-2026-23826	⚠️ high	7.5	0.1	A vulnerability in a network management service of AOS-8 Operating System could allow an unauthenticated remote attacker...	2026-05-12
CVE-2026-23827	⚠️ high	7.5	0.1	A heap-based buffer overflow vulnerability exists in a Network management service of AOS-8 and AOS-10 that could allow a...	2026-05-12
CVE-2026-44852	⚠️ high	7.2	0.1	An authenticated remote code execution vulnerability exists in the AOS-8 and AOS-10 web-based management interface. A vu...	2026-05-12
CVE-2026-44853	⚠️ high	7.2	0.2	Command injection vulnerabilities exist in the web-based management interface of AOS-8 and AOS-10 Operating Systems. Suc...	2026-05-12

These CVEs affect the same products