CVE-2026-5426 in Digital Knowledge KnowledgeDeliver LMS is an actively exploited unauthenticated remote code execution vulnerability rooted in a static ASP.NET machineKey shipped in the vendor’s web.config. Confirmed exploitation has delivered the Godzilla web shell, tampered with production JavaScript served to site visitors, and deployed Cobalt Strike Beacon in at least one targeted environment. Any internet-facing KnowledgeDeliver instance running a version prior to the February 24, 2026 patch should be treated as potentially compromised and isolated or WAF-restricted immediately.