Insufficient character filtering in backup agent signing module on Comet Backup server allows authenticated tenant administrator to execute an arbitrary code on…

CVE-2026-32999 is a vulnerability in Comet Backup server's backup agent signing module that allows authenticated tenant administrators to execute arbitrary code with privileged user permissions. The issue stems from insufficient character filtering in the branding configuration functionality. This remote code execution vulnerability affects both the server and connected devices. Successful exploitation requires tenant administrator authentication but can lead to complete system compromise. The vulnerability impacts the backup agent signing module specifically.