Home / Vulnerability Intelligence / CVE-2026-26335

CVE-2026-26335 - Vulnerability Analysis

N/a

Last Updated: February 13, 2026

Calero VeraSMART - Remote Code Execution

Published: February 13, 2026Updated: February 13, 2026PoC Available

Overview

Calero VeraSMART versions prior to 2022 R1 contain a server-side deserialization vulnerability caused by static ASP.NET/IIS machineKey values in web.config, letting attackers craft valid ViewState payloads for remote code execution, exploit requires attacker to obtain machineKey values.

Severity & Score

Severity: N/a

EPSS Score: 8.0%(Probability of exploitation in next 30 days)

Impact

Attackers can execute arbitrary code remotely in the IIS application context, potentially compromising the entire server.

Mitigation

Update to version 2022 R1 or later.

References

Social Media Activity(1 post)

Offensive Sequence

@offseq

Feb 14, 2026

CVE-2026-26335 (CRITICAL, CVSS 9.3): Calero VeraSMART <2022 R1 uses hard-coded crypto keys, enabling unauth RCE via crafted ViewState in ASP.NET. No exploits yet, but immediate upgrade or key rotation essential! https://radar.offseq.com/threat/cve-2026-26335-cwe-321-use-of-hard-coded-cryptogra-07023d75 #OffSeq #Vulnerability #Calero #RCE

View original post

GitHub Repositories(1 repo)

https://github.com/mbanyamer/CVE-2026-26335-Calero-VeraSMART-RCE

Related Resources

Details

CVE ID: CVE-2026-26335
Severity: N/a
Type: insecure_deserialization
Status: unconfirmed
EPSS: 8.0%
Social Posts: 1

CWE

CWE-321

CVSS Metrics

N/A

EPSS Score

8.0%Probability of exploitation in the next 30 days