Catalyst Affected by Remote Code Execution as Root via Containerized...

10 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Description

Catalyst is a platform built for enterprise game server hosts, game communities, and billing panel integrations. Install scripts defined in server templates execute directly on the host operating system as root via bash -c, with no sandboxing or containerization. Any user with template.create or template.update permission can define arbitrary shell commands that achieve full root-level remote code execution on every node machine in the cluster. This vulnerability is fixed in commit 11980aaf3f46315b02777f325ba02c56b110165d.

AI Analysis

Remote code execution vulnerability in Catalyst due to unsanitized bash commands in server templates

Basic Information

ID CVE-2026-26009

Source GitHub_M

Published Feb 10, 2026 at 18:58

Modified Feb 10, 2026 at 19:10

Affected Product

Vendor karutoil

Product catalyst

Version < 11980aaf3f46315b02777f325ba02c56b110165d

Affected Versions karutoil catalyst < 11980aaf3f46315b02777f325ba02c56b110165d

CWE Classification

CWE-78

AI Assessment

AI Score 10 / 10

AI Severity Critical

Vendor karutoil

Product Catalyst

Version < 11980aaf3f46315b02777f325ba02c56b110165d

References

{
    "lastseen": "",
    "description": "Catalyst is a platform built for enterprise game server hosts, game communities, and billing panel integrations. Install scripts defined in server templates execute directly on the host operating system as root via bash -c, with no sandboxing or containerization. Any user with template.create or template.update permission can define arbitrary shell commands that achieve full root-level remote code execution on every node machine in the cluster. This vulnerability is fixed in commit 11980aaf3f46315b02777f325ba02c56b110165d.",
    "published": "2026-02-10T18:58:02.732Z",
    "modified": "2026-02-10T19:10:21.719Z",
    "type": "cve",
    "title": "Catalyst Affected by Remote Code Execution as Root via Containerized Install Script Execution",
    "source": "GitHub_M",
    "references": "https://github.com/karutoil/catalyst/security/advisories/GHSA-xv5r-cpcw-8wr3\nhttps://github.com/karutoil/catalyst/commit/11980aaf3f46315b02777f325ba02c56b110165d",
    "id": "CVE-2026-26009",
    "bulletinFamily": "",
    "cwe": [
        "CWE-78"
    ],
    "cvelist": null,
    "sourceData": "karutoil catalyst < 11980aaf3f46315b02777f325ba02c56b110165d",
    "sourceHref": "",
    "cvss": {
        "score": 10,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "catalyst",
    "version": "< 11980aaf3f46315b02777f325ba02c56b110165d",
    "vendor": "karutoil",
    "ai_description": "Remote code execution vulnerability in Catalyst due to unsanitized bash commands in server templates",
    "ai_severity": "Critical",
    "ai_vendor": "karutoil",
    "ai_product": "Catalyst",
    "ai_version": "< 11980aaf3f46315b02777f325ba02c56b110165d",
    "ai_score": 10
}

Catalyst Affected by Remote Code Execution as Root via Containerized Install Script Execution_CVE-2026-26009