CRITICALCVE-2026-2731Published 2026-02-19Modified 2026-02-19CNA NCSC-FI

CVE-2026-2731: Unauthenticated RCE in Dynamicweb 9 and Dynamicweb 8

Path traversal and content injection in JobRunnerBackground.aspx in DynamicWeb 8 (all) and 9 (<9.19.7 and <9.20.3) allows unauthenticated attackers to execute code via simple web requests

CVSS v4.0: 10.0
Severity: CRITICAL
Fixed in: 9.19.7
Affected Products: 1

Fix available

9.19.79.20.39.21.010

Affected packages

DynamicWeb / DynamicWeb 9
8 · < 9.19.7 (from 9) · < 9.20.3 (from 9.20.0)
Fixed in 9.21.0, 10

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

References

doc.dynamicweb.dev

Metrics

Fix available