CVE

CVE-2026-26009

Catalyst Affected by Remote Code Execution as Root via Containerized Install Script Execution

CVE

CVE-2026-26009

Catalyst Affected by Remote Code Execution as Root via Containerized Install Script Execution

Catalyst is a platform built for enterprise game server hosts, game communities, and billing panel integrations. Install scripts defined in server templates execute directly on the host operating system as root via bash -c, with no sandboxing or containerization. Any user with template.create or template.update permission can define arbitrary shell commands that achieve full root-level remote code execution on every node machine in the cluster. This vulnerability is fixed in commit 11980aaf3f46315b02777f325ba02c56b110165d.

Package Versions Affected

No items found.

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading

Detect compatible fix

Apply safe remediation

Fix with a single pull request

CVSS Version

9.9

3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Related Resources

No items found.

References

https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/26xxx/CVE-2026-26009.json, https://github.com/karutoil/catalyst/commit/11980aaf3f46315b02777f325ba02c56b110165d, https://github.com/karutoil/catalyst/security/advisories/GHSA-xv5r-cpcw-8wr3, https://nvd.nist.gov/vuln/detail/CVE-2026-26009

Severity

9.9

CVSS Score

Basic Information

Ecosystem

Base CVSS

9.9

EPSS Probability

0.00291%

EPSS Percentile

0.52114%

Introduced Version

Fix Available

11980aaf3f46315b02777f325ba02c56b110165d

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.

Fix Without Upgrading

Get a Demo

Let's Patch It!

CVE-2026-26009

CVE-2026-26009

Package Versions Affected

Automatically patch vulnerabilities without upgrading

CVSS Version

Related Resources

References

Severity

9.9

Basic Information

Fix Critical Vulnerabilities Instantly