What happened?
Paessler is arranging a joint public disclosure for six vulnerabilities with security researchers on July 9, 2026. Vulnerability details and Proof Of Concept will be shared soon after.
What did we do and what is the outcome?
Paessler released a new version of PRTG that contained fixes for the vulnerabilities. The vulnerabilities were fixed in PRTG version 26.2.120.1449, released on June 3, 2026.
What should you do?
- PRTG Hosted Monitor customers: No action required. Your instance was upgraded to version 26.2.120.1449 on June 24, 2026.
- Self-managed / on-premises customers: Upgrade to PRTG version 26.2.120.1449 as soon as possible.
Issue Details
Introduction
At Paessler, we are committed to ensuring the security and reliability of our products. Recently, we worked with several vulnerability researchers to fix and jointly disclose 6 vulnerabilities in our PRTG Product. This article outlines our response and the steps we have taken to protect your systems and enhance our processes.
Description of the Vulnerabilities
| # | CVE | CVSS v3.1 Base Score | Vulnerability Type | Description | Credit |
|---|---|---|---|---|---|
1 | CVE-2026-4637 | Medium (6.8) | Information Disclosure | We performed sanitization on HTTP error responses to prevent information disclosure. | Johannes Kruchem, |
2 | CVE-2026-4638 | Medium (6.1) | Information Disclosure | We performed sanitization on the URL Path in HTTP error responses to prevent information disclosure | Johannes Kruchem, |
3 | CVE forthcoming | Medium (5.4) | Cross-Site Scripting (XSS) | We enforced input sanitization on object name parameters to defend against possible Cross-Site Scripting. | Yannick Feller, Redguard AG |
4 | CVE forthcoming | Medium (5.3) | Information Disclosure | We sanitized error messages in the event of a 500 internal error to exclude internal information. | Yannick Feller, Redguard AG |
5 | CVE forthcoming | Medium (6.1) | Cross-Site Scripting (XSS) | We hardened PRTG against possible cross-site scripting attacks through certain parameters on the public logon page. | Nick Berrie, Sprocket Security |
6 | CVE forthcoming | Low (3.7) | Authentication Weakness | We improved the authentication implementation of PRTG to defend against potential timing attacks and username enumeration. | Jorge Escabias, NATO Cyber Security Centre |
Potential Impact
Impact varies by vulnerability type:
- Information Disclosure (#1, #2, #4): An attacker could obtain internal system details (including file paths, configuration data, or stack trace information) via crafted requests or by triggering error conditions. This information could be used to aid further, more targeted attacks against the affected instance.
- Cross-Site Scripting (#3, #5): An attacker could craft a malicious link that a PRTG user must click. If clicked, the attacker could execute script in the context of the victim's session, potentially stealing the session cookie and assuming the user's privileges to view data or perform actions the user is authorized to perform.
- Authentication Weakness (#6): An attacker could use timing differences in login responses to determine whether a given username is valid, aiding credential-stuffing or brute-force attacks against real accounts.
- There is no indication that the vulnerabilities were exploited by attackers.
Timeline
| Date | Event |
|---|---|
January 19 – February 4, 2026 | Vulnerabilities reported to Paessler by researchers. |
June 3, 2026 | Release of PRTG version 26.2.120.1449, containing fixes for all six vulnerabilities. |
June 24, 2026 | PRTG Hosted Monitor upgraded to PRTG version 26.2.120.1449. |
July 9, 2026 | Public disclosure of the vulnerabilities, including CVE IDs and PoC details. |
Questions?
If you have questions about this advisory or need assistance upgrading, contact support@paessler.com and ensure to put CVE202606 in the subject (otherwise it might get filtered out).