CVE-2026-21708

A vulnerability allowing a Backup Viewer to perform remote code execution (RCE) as the postgres user.

Basic Information

CVE State: PUBLISHED
Reserved Date: January 04, 2026
Published Date: March 12, 2026
Last Updated: May 10, 2026
Vendor: Veeam
Product: Backup and Replication
Description: A vulnerability allowing a Backup Viewer to perform remote code execution (RCE) as the postgres user.

CVSS Scores

CVSS v3.1

10.0 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

SSVC Information

Exploitation: none
Technical Impact: total

Exploit Status

Exploited in the Wild: Yes (2026-03-13 16:26:50 UTC) Source

References

https://www.veeam.com/kb4831 https://www.veeam.com/kb4830

Known Exploited Vulnerability Information

Source	Added Date
The Shadowserver (via CIRCL)	2026-03-13 16:26:50 UTC

Timeline

CVE ID Reserved

January 04, 2026
CVE Published to Public

March 12, 2026
Added to KEVIntel

March 13, 2026