CVE-2026-21671NVD

Vulnerability Summary

A vulnerability allowing an authenticated user with the Backup Administrator role to perform remote code execution (RCE) in high availability (HA) deployments of Veeam Backup & Replication.

Severity Level

CRITICAL(9.1)

Published Date

Mar 12, 2026

Last Modified

May 10, 2026

Exploitation Status

UNKNOWN

Root Weakness (CWE)

CWE-94: Code Injection ↗

The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended syntax or behavior.

EPSS Score (30-Day)

0.16%Probability

CVSS v3.1 Base Metrics

Attack VectorNetwork

Attack ComplexityLow

Privileges RequiredHigh

User InteractionNone

ScopeChanged

ConfidentialityHigh

IntegrityHigh

AvailabilityHigh

External References

https://www.veeam.com/kb4831