TopVuln

High-risk vulnerability digests

CVE-2026-4170

Severity: CRITICAL

Details

CVSS v3: 10.0
Affected versions: Topsec TopACM 3.0
Summary
This is a pre-authenticated remote OS command injection vulnerability in Topsec TopACM 3.0. The flaw is in the HTTP request handler and allows attackers to execute arbitrary system commands through maliciously crafted input to the template_path argument. The vendor did not respond to the vulnerability disclosure, and public exploit code is available.
Remediation
Isolate affected Topsec TopACM instances from public and untrusted networks. Restrict access to the vulnerable HTTP endpoint via network access controls. If no patch is released by the vendor, consider replacing the affected product with a supported alternative.
Exploit info
The exploit has been released to the public (for example, see https://app.opencve.io/cve/CVE-2026-4170 or https://vuldb.com/).
Potential exploit details can be searched in Exploit-DB or GitHub:
https://www.exploit-db.com/search?cve=CVE-2026-4170
https://github.com/search?q=CVE-2026-4170+exploit
