CVE-2026-39911 - Vulnerability Analysis
High | CVSS: 8.8 | Last Updated: April 9, 2026
Hashgraph Guardian - Remote Code Execution & Privilege Escalation
Published: April 9, 2026 | Updated: April 9, 2026 | Remote Exploitable
Overview
Hashgraph Guardian through version 3.5.0 contains an unsandboxed JavaScript execution vulnerability in the Custom Logic policy block worker, which lets authenticated Standard Registry users execute arbitrary code and access sensitive data. Exploitation requires authentication.
Severity & Score
Severity: High
CVSS Score: 8.8
Impact
Authenticated users can execute arbitrary code, read sensitive files, and forge authentication tokens, leading to full system compromise.
Mitigation
Update to a version later than 3.5.0 or the latest available version.
Details
- CVE ID: CVE-2026-39911
- Severity: High
- CVSS Score: 8.8
- Status: new
CWE
- CWE-668
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H