CVE-2026-8037 is a pre-authentication Remote Code Execution vulnerability in Progress Kemp LoadMaster caused by an uninitialized heap buffer and missing null terminator in the escape_quotes() function. When the API is enabled, an unauthenticated attacker can send a crafted POST request to /accessv2 with JSON key/value pairs that spray command injection payloads onto the heap, then use single-quote expansion in the apiuser field to overwrite adjacent allocator metadata, causing the unescaped payload to be read and executed via system().