CVE-2026-5426

Summary

Hard-coded ASP.NET/IIS machineKey value in Digital Knowledge KnowledgeDeliver deployments prior to February 24, 2026 allows adversaries to circumvent ViewState validation mechanisms and achieve remote code execution via malicious ViewState deserialization attacks

Affected Software

VendorProductVersion RangeStatus
Digital KnowledgeKnowledgeDeliver0 < 20260224affected

Weaknesses

  • CWE-321: CWE-321 Use of hard-coded cryptographic key
  • CWE-502: CWE-502 Deserialization of untrusted data

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: total

References