Unauthenticated RCE in Dynamicweb 9 and Dynamicweb 8_CVE-2026-2731

10 / 10

CRITICAL

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Description

Path traversal and content injection in JobRunnerBackground.aspx in DymaicWeb 8 (all) and 9 (<9.19.7 and <9.20.3) allows unauthenticated attackers to execute code via simple web requests

AI Analysis

Unauthenticated attackers can execute code via simple web requests due to path traversal and content injection in JobRunnerBackground.aspx

Basic Information

ID CVE-2026-2731

Source NCSC-FI

Published Feb 19, 2026 at 06:46

Affected Product

Vendor DynamicWeb

Product DynamicWeb 9

Version 8

Affected Versions DynamicWeb DynamicWeb 9 8
DynamicWeb DynamicWeb 9 9
DynamicWeb DynamicWeb 9 9.20.0

CWE Classification

CWE-22

AI Assessment

AI Score 10 / 10

AI Severity Critical

Vendor DynamicWeb

Product DynamicWeb 8 and 9

Version 8, 9 (<9.19.7 and <9.20.3)

References

doc.dynamicweb.dev /documentation/fundamentals/dw10release/security-reports.html

{
    "lastseen": "",
    "description": "Path traversal and content injection in JobRunnerBackground.aspx in DymaicWeb 8 (all) and 9 (<9.19.7 and <9.20.3) allows unauthenticated attackers to execute code via simple web requests",
    "published": "2026-02-19T06:46:52.763Z",
    "modified": "2026-02-19T06:46:52.763Z",
    "type": "cve",
    "title": "Unauthenticated RCE in Dynamicweb 9 and Dynamicweb 8",
    "source": "NCSC-FI",
    "references": "https://doc.dynamicweb.dev/documentation/fundamentals/dw10release/security-reports.html#january-19th-2026---unauthenticated-rce-dynamicweb-9-and-dynamicweb-8",
    "id": "CVE-2026-2731",
    "bulletinFamily": "",
    "cwe": [
        "CWE-22"
    ],
    "cvelist": null,
    "sourceData": "DynamicWeb DynamicWeb 9 8\nDynamicWeb DynamicWeb 9 9\nDynamicWeb DynamicWeb 9 9.20.0",
    "sourceHref": "",
    "cvss": {
        "score": 10,
        "severity": "CRITICAL",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "DynamicWeb 9",
    "version": "8",
    "vendor": "DynamicWeb",
    "ai_description": "Unauthenticated attackers can execute code via simple web requests due to path traversal and content injection in JobRunnerBackground.aspx",
    "ai_severity": "Critical",
    "ai_vendor": "DynamicWeb",
    "ai_product": "DynamicWeb 8 and 9",
    "ai_version": "8, 9 (<9.19.7 and <9.20.3)",
    "ai_score": 10
}