CVE-2026-25856

Severity CVSS v4.0:
HIGH
Type:
CWE-94 Code Injection
Publication date:
08/06/2026
Last modified:
09/06/2026

Description

OpenBullet2 through version 0.3.2 contains an authenticated remote code execution vulnerability that allows authenticated users to execute arbitrary C# code on the server host by creating or modifying job configurations. Attackers can leverage the plain C# execution mode, which lacks reference filtering or API restrictions, to access the file system, spawn processes, and invoke arbitrary .NET APIs as the process user.