CVE-2026-5426 · CRITICAL 9.1 · EPSS p52.1%

Description

Hard-coded ASP.NET/IIS machineKey value in Digital Knowledge KnowledgeDeliver deployments prior to February 24, 2026 allows adversaries to circumvent ViewState validation mechanisms and achieve remote code execution via malicious ViewState deserialization attacks.

Scoring

CVSS 3.1: 9.1 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.81% probability of exploitation · percentile 52.1% · 2026-06-18T12:00:27Z
Published: 2026-04-16
Last modified: 2026-05-26

Underlying weaknesses · 2

CWE-321, CWE-502

References

  1. https://cloud.google.com/blog/topics/threat-intelligence/knowledgedeliver-viewstate-deserialization-vulnerability
  2. https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2026/MNDT-2026-0009.md
  3. https://www.digital-knowledge.co.jp/product/kd/

| Type | Target | Confidence | Tier |
|---|---|---|---|
| Weakness | Use of Hard-coded Cryptographic Key (cwe-321) | 0% | live |
| Weakness | Deserialization of Untrusted Data (cwe-502) | 0% | live |

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE: CVE-2026-26335
  2. CVE: CVE-2025-21176
  3. CVE: Gladinet CentreStack and Triofox Use of Hard-coded Cryptographic Key Vulnerability
  4. CVE: Sitecore Multiple Products Deserialization of Untrusted Data Vulnerability
  5. CVE: CVE-2026-40372
  6. CVE: Microsoft .NET Framework Remote Code Execution Vulnerability

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.