CVE-2026-5426 is a critical unauthenticated remote code execution vulnerability in KnowledgeDeliver LMS, caused by hardcoded ASP.NET machine keys identical across all customer deployments. Exploitation is confirmed active, with attackers deploying in-memory web shells, tampering with browser-delivered JavaScript to target end users, and delivering Cobalt Strike BEACON implants via the compromised LMS. Any internet-facing KnowledgeDeliver LMS instance should be treated as potentially compromised pending investigation.