A critical remote code execution vulnerability has been discovered in libwebcore, an open-source library used by an estimated 15,000 enterprise applications for web content processing, prompting an emergency patch cycle across the software industry.
Vulnerability Details
The flaw, tracked as CVE-2026-2847 with a CVSS score of 9.8, allows attackers to execute arbitrary code by sending specially crafted HTTP requests to any application using libwebcore versions 3.2 through 4.1.
- Proof-of-concept exploit code was published 6 hours before the patch was available
- Active exploitation has been detected in the wild, targeting the financial services and healthcare sectors
- Major cloud providers including AWS, Azure, and GCP have applied mitigations at the infrastructure level
Response
CISA has issued an emergency directive requiring all federal agencies to patch within 48 hours. The incident reignites debate about open-source software security funding, as libwebcore was maintained by a single volunteer developer until the vulnerability was reported.