{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26337", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-02-13T17:28:43.053Z", "datePublished": "2026-02-19T17:01:25.527Z", "dateUpdated": "2026-02-20T19:08:14.840Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "modules": ["ATS"], "product": "Alfresco Transformation Service (Enterprise)", "vendor": "Hyland", "versions": [{"lessThan": "4.3.0", "status": "affected", "version": "0", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "modules": ["Transform Core AIO"], "product": "Alfresco Community (Transform Core)", "repo": "https://github.com/Alfresco/alfresco-transform-core", "vendor": "Hyland", "versions": [{"lessThan": "5.3.0", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Piotr Bazydlo (@chudyPB) of watchTowr"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Hyland Alfresco Transformation Service allows unauthenticated attackers to achieve both arbitrary file read and server-side request forgery through the absolute path traversal."}], "value": "Hyland Alfresco Transformation Service allows unauthenticated attackers to achieve both arbitrary file read and server-side request forgery through the absolute path traversal."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 8.8, "baseSeverity": "HIGH", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-36", "description": "CWE-36 Absolute Path Traversal", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-02-20T14:52:35.768Z"}, "references": [{"tags": ["vendor-advisory", "patch"], "url": "https://connect.hyland.com/t5/alfresco-blog/security-update-cve-2026-26337-cve-2026-26338-cve-2026-26339/ba-p/496551"}, {"tags": ["product"], "url": "https://www.hyland.com/en/solutions/products/alfresco-platform"}, {"tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/hyland-alfresco-transformation-service-absolute-path-traversal-arbitrary-file-read-and-ssrf"}], "source": {"discovery": "EXTERNAL"}, "title": "Hyland Alfresco Transformation Service Absolute Path Traversal Arbitrary File Read and SSRF", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-20T19:07:47.500155Z", "id": "CVE-2026-26337", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-20T19:08:14.840Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26337", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-20T19:07:47.500155Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-20T19:08:03.544Z"}}], "cna": {"title": "Hyland Alfresco Transformation Service Absolute Path Traversal Arbitrary File Read and SSRF", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Piotr Bazydlo (@chudyPB) of watchTowr"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.8, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Hyland", "modules": ["ATS"], "product": "Alfresco Transformation Service (Enterprise)", "versions": [{"status": "affected", "version": "0", "lessThan": "4.3.0", "versionType": "semver"}], "defaultStatus": "unaffected"}, {"repo": "https://github.com/Alfresco/alfresco-transform-core", "vendor": "Hyland", "modules": ["Transform Core AIO"], "product": "Alfresco Community (Transform Core)", "versions": [{"status": "affected", "version": "0", "lessThan": "5.3.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://connect.hyland.com/t5/alfresco-blog/security-update-cve-2026-26337-cve-2026-26338-cve-2026-26339/ba-p/496551", "tags": ["vendor-advisory", "patch"]}, {"url": "https://www.hyland.com/en/solutions/products/alfresco-platform", "tags": ["product"]}, {"url": "https://www.vulncheck.com/advisories/hyland-alfresco-transformation-service-absolute-path-traversal-arbitrary-file-read-and-ssrf", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Hyland Alfresco Transformation Service allows unauthenticated attackers to achieve both arbitrary file read and server-side request forgery through the absolute path traversal.", "supportingMedia": [{"type": "text/html", "value": "Hyland Alfresco Transformation Service allows unauthenticated attackers to achieve both arbitrary file read and server-side request forgery through the absolute path traversal.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-36", "description": "CWE-36 Absolute Path Traversal"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-02-20T14:52:35.768Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26337", "state": "PUBLISHED", "dateUpdated": "2026-02-20T19:08:14.840Z", "dateReserved": "2026-02-13T17:28:43.053Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-02-19T17:01:25.527Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hyland:alfresco_transform_service:*:*:*:*:*:*:*:*", "matchCriteriaId": "1AFF4310-3BA6-40A0-8609-388233D68447", "versionEndExcluding": "4.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hyland:alfresco_transform_core:*:*:*:*:*:*:*:*", "matchCriteriaId": "C0151795-79BD-4D1C-AD6D-92AA77AF3200", "versionEndExcluding": "5.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:hyland:alfresco_transform_core:5.3.0:alpha1:*:*:*:*:*:*", "matchCriteriaId": "3C234CF3-DCAF-4A0C-93B5-82BFFE7EF5AD", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Hyland Alfresco Transformation Service allows unauthenticated attackers to achieve both arbitrary file read and server-side request forgery through the absolute path traversal."}, {"lang": "es", "value": "El Servicio de Transformaci\u00f3n Hyland Alfresco permite a atacantes no autenticados lograr tanto la lectura arbitraria de archivos como la falsificaci\u00f3n de petici\u00f3n del lado del servidor a trav\u00e9s del salto de ruta absoluto."}], "id": "CVE-2026-26337", "lastModified": "2026-03-02T22:03:57.953", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "disclosure@vulncheck.com", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-02-19T18:24:59.730", "references": [{"source": "disclosure@vulncheck.com", "tags": ["Vendor Advisory"], "url": "https://connect.hyland.com/t5/alfresco-blog/security-update-cve-2026-26337-cve-2026-26338-cve-2026-26339/ba-p/496551"}, {"source": "disclosure@vulncheck.com", "tags": ["Product"], "url": "https://www.hyland.com/en/solutions/products/alfresco-platform"}, {"source": "disclosure@vulncheck.com", "tags": ["Third Party Advisory"], "url": "https://www.vulncheck.com/advisories/hyland-alfresco-transformation-service-absolute-path-traversal-arbitrary-file-read-and-ssrf"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-36"}], "source": "disclosure@vulncheck.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.3.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "Alfresco Community (Transform Core)", "source": "cna", "vendor": "Hyland"}, "product": "alfresco_community", "vendor": "hyland"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.3.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "Alfresco Transformation Service (Enterprise)", "source": "cna", "vendor": "Hyland"}, "product": "alfresco_transformation_service", "vendor": "hyland"}], "analysis": {"en": {"generated_at": "2026-04-17T18:02:47.118060+00:00", "value": {"mitigation_remediation": ["Apply the vendor\u2011issued patch or update to a fixed release of the Transform Core or Transformation Service", "If a patch is not yet available, restrict network access to the service or place it behind a firewall so that only trusted hosts can reach it", "Disable the affected transformation endpoint or enforce strict input validation rules to prevent unintended file access and remove any ability to specify absolute paths"], "summary": {"action": "Immediate Patch", "impact": "Arbitrary File Read and SSRF"}, "threat_synthesis": {"affected_systems": "Hyland Alfresco Community (Transform Core) and Hyland Alfresco Transformation Service (Enterprise) are impacted. No specific patch level is mentioned in the advisory, so all deployed instances of these products remain vulnerable until an official release addresses the issue.", "description_and_impact": "The vulnerability in the Hyland Alfresco Transformation Service allows an attacker without authentication to read any file on the hosting system via an absolute path traversal in the service\u2019s request handling, and to craft requests that reach internal or external servers through Server\u2011Side Request Forgery. This is a classic path\u2011traversal weakness numbered CWE\u201136, and it can lead to disclosure of sensitive configuration or credential files as well as enabling further lateral movement or exfiltration through forged requests.", "risk_and_exploitability": "The CVSS score of 8.8 classifies the flaw as high severity. The EPSS score of less than 1% indicates that real\u2011world exploitation is unlikely but not impossible, and the vulnerability is not currently listed in the CISA KEV catalog. Attackers can likely exploit the flaw by sending crafted HTTP requests to the transformation endpoint, and because no authentication is required, the attack surface is broad. The risk to an organization depends on network exposure of the service; an internal or externally reachable instance increases the threat."}}}}, "created": "2026-02-20T10:06:19.293665+00:00", "updated": "2026-04-17T18:15:26.767218+00:00", "vendors": ["hyland", "hyland$PRODUCT$alfresco_community", "hyland$PRODUCT$alfresco_transformation_service"]}