CVE-2026-5426
9.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Summary
Hard-coded ASP.NET/IIS machineKey value in Digital Knowledge KnowledgeDeliver deployments prior to February 24, 2026 allows adversaries to circumvent ViewState validation mechanisms and achieve remote code execution via malicious ViewState deserialization attacks
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Digital Knowledge | KnowledgeDeliver | 0 < 20260224 | affected |
Weaknesses
- CWE-321: CWE-321 Use of hard-coded cryptographic key
- CWE-502: CWE-502 Deserialization of untrusted data
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: total
References
- https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2026/MNDT-2026-0009.md
- https://www.digital-knowledge.co.jp/product/kd/
- https://cloud.google.com/blog/topics/threat-intelligence/knowledgedeliver-viewstate-deserialization-vulnerability
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.