{"id":"CVE-2021-26814","details":"Wazuh API in Wazuh from 4.0.0 to 4.0.3 allows authenticated users to execute arbitrary code with administrative privileges via /manager/files URI. An authenticated user to the service may exploit incomplete input validation on the /manager/files API to inject arbitrary code within the API service script.","aliases":["GHSA-w36g-q975-37rg"],"modified":"2026-04-02T06:48:22.352907Z","published":"2021-03-06T02:15:12.100Z","references":[{"type":"ADVISORY","url":"https://github.com/wazuh/wazuh/releases/tag/v4.0.4"},{"type":"ADVISORY","url":"https://documentation.wazuh.com/4.0/release-notes/release_4_0_4.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/wazuh/wazuh","events":[{"introduced":"8c2c62a6e9dcbcf2c792f7924e8cfdb26842820b"},{"last_affected":"b839f0222c011d5f271d97189be51bc1d8e6c45b"},{"fixed":"e79fcc448e372e06c83c4d5f45f9e9c36c67b525"}],"database_specific":{"versions":[{"introduced":"4.0.0"},{"last_affected":"4.0.3"}]}}],"versions":["v4.0.0","v4.0.1","v4.0.2","v4.0.3"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-26814.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}