{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26339", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-02-13T17:28:43.053Z", "datePublished": "2026-02-19T17:04:46.617Z", "dateUpdated": "2026-02-20T20:31:03.964Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "modules": ["ATS"], "product": "Alfresco Transformation Service (Enterprise)", "vendor": "Hyland", "versions": [{"lessThan": "4.2.3", "status": "affected", "version": "0", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "modules": ["Transform Core AIO"], "product": "Alfresco Community (Transform Core)", "repo": "https://github.com/Alfresco/alfresco-transform-core", "vendor": "Hyland", "versions": [{"lessThan": "5.2.4", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Piotr Bazydlo (@chudyPB) of watchTowr"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Hyland Alfresco Transformation Service allows unauthenticated attackers to achieve remote code execution through the argument injection vulnerability, which exists in the document processing functionality."}], "value": "Hyland Alfresco Transformation Service allows unauthenticated attackers to achieve remote code execution through the argument injection vulnerability, which exists in the document processing functionality."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 9.3, "baseSeverity": "CRITICAL", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "description": "CWE-918 Server-Side Request Forgery (SSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-02-20T14:53:28.318Z"}, "references": [{"tags": ["vendor-advisory", "patch"], "url": "https://connect.hyland.com/t5/alfresco-blog/security-update-cve-2026-26337-cve-2026-26338-cve-2026-26339/ba-p/496551"}, {"tags": ["product"], "url": "https://www.hyland.com/en/solutions/products/alfresco-platform"}, {"tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/hyland-alfresco-transformation-service-argument-injection-rce"}], "source": {"discovery": "EXTERNAL"}, "title": "Hyland Alfresco Transformation Service Argument Injection RCE", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-20T20:30:50.964530Z", "id": "CVE-2026-26339", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-20T20:31:03.964Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26339", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-20T20:30:50.964530Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-20T20:30:58.120Z"}}], "cna": {"title": "Hyland Alfresco Transformation Service Argument Injection RCE", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Piotr Bazydlo (@chudyPB) of watchTowr"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Hyland", "modules": ["ATS"], "product": "Alfresco Transformation Service (Enterprise)", "versions": [{"status": "affected", "version": "0", "lessThan": "4.2.3", "versionType": "semver"}], "defaultStatus": "unaffected"}, {"repo": "https://github.com/Alfresco/alfresco-transform-core", "vendor": "Hyland", "modules": ["Transform Core AIO"], "product": "Alfresco Community (Transform Core)", "versions": [{"status": "affected", "version": "0", "lessThan": "5.2.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://connect.hyland.com/t5/alfresco-blog/security-update-cve-2026-26337-cve-2026-26338-cve-2026-26339/ba-p/496551", "tags": ["vendor-advisory", "patch"]}, {"url": "https://www.hyland.com/en/solutions/products/alfresco-platform", "tags": ["product"]}, {"url": "https://www.vulncheck.com/advisories/hyland-alfresco-transformation-service-argument-injection-rce", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Hyland Alfresco Transformation Service allows unauthenticated attackers to achieve remote code execution through the argument injection vulnerability, which exists in the document processing functionality.", "supportingMedia": [{"type": "text/html", "value": "Hyland Alfresco Transformation Service allows unauthenticated attackers to achieve remote code execution through the argument injection vulnerability, which exists in the document processing functionality.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918 Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-02-20T14:53:28.318Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26339", "state": "PUBLISHED", "dateUpdated": "2026-02-20T20:31:03.964Z", "dateReserved": "2026-02-13T17:28:43.053Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-02-19T17:04:46.617Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hyland:alfresco_transform_service:*:*:*:*:*:*:*:*", "matchCriteriaId": "071BB562-3270-4D05-A345-3A3719DB0AA3", "versionEndExcluding": "4.2.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hyland:alfresco_transform_core:*:*:*:*:*:*:*:*", "matchCriteriaId": "80D47CD5-CCAA-469A-BC84-7D1ACABBA4B3", "versionEndExcluding": "5.2.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Hyland Alfresco Transformation Service allows unauthenticated attackers to achieve remote code execution through the argument injection vulnerability, which exists in the document processing functionality."}, {"lang": "es", "value": "Hyland Alfresco Transformation Service permite a atacantes no autenticados lograr ejecuci\u00f3n remota de c\u00f3digo a trav\u00e9s de la vulnerabilidad de inyecci\u00f3n de argumentos, que existe en la funcionalidad de procesamiento de documentos."}], "id": "CVE-2026-26339", "lastModified": "2026-03-02T22:07:07.077", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "disclosure@vulncheck.com", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-02-19T18:25:00.133", "references": [{"source": "disclosure@vulncheck.com", "tags": ["Vendor Advisory"], "url": "https://connect.hyland.com/t5/alfresco-blog/security-update-cve-2026-26337-cve-2026-26338-cve-2026-26339/ba-p/496551"}, {"source": "disclosure@vulncheck.com", "tags": ["Product"], "url": "https://www.hyland.com/en/solutions/products/alfresco-platform"}, {"source": "disclosure@vulncheck.com", "tags": ["Third Party Advisory"], "url": "https://www.vulncheck.com/advisories/hyland-alfresco-transformation-service-argument-injection-rce"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "disclosure@vulncheck.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.2.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "Alfresco Community (Transform Core)", "source": "cna", "vendor": "Hyland"}, "product": "alfresco_community", "vendor": "hyland"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.2.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "Alfresco Transformation Service (Enterprise)", "source": "cna", "vendor": "Hyland"}, "product": "alfresco_transformation_service", "vendor": "hyland"}], "analysis": {"en": {"generated_at": "2026-04-17T18:02:33.715599+00:00", "value": {"mitigation_remediation": ["Apply the latest security update or patch released by Hyland that addresses the argument injection in the transformation service.", "If no patch is immediately available, limit access to the transformation service so that only trusted hosts or internal users can submit document processing requests.", "As a temporary workaround, enforce authentication for all requests to the document processing endpoint or disable the transformation feature until a patch is applied."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The affected products are Hyland's Alfresco Community (Transform Core) and Hyland's Alfresco Transformation Service (Enterprise). No specific version information was supplied, so all deployments of these products may be vulnerable.", "description_and_impact": "Hyland Alfresco Transformation Service permits unauthenticated attackers to inject arguments into the document processing function, leading to remote code execution. The vulnerability is classified as argument injection (CWE\u2011918) and carries a CVSS score of 9.3, indicating a severe risk when exploited.", "risk_and_exploitability": "The likelihood of exploitation presently appears low, with an EPSS score of less than 1%. However, the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog, implying no active exploitation reported at this time. Attackers would likely exploit the service by sending crafted documents or parameters that trigger the injection, granting them the ability to run arbitrary commands without authentication."}}}}, "created": "2026-02-20T10:06:17.689697+00:00", "updated": "2026-04-17T18:15:26.766171+00:00", "vendors": ["hyland", "hyland$PRODUCT$alfresco_community", "hyland$PRODUCT$alfresco_transformation_service"]}