{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5414", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-02T08:02:15.811Z", "datePublished": "2026-04-02T18:00:16.065Z", "dateUpdated": "2026-04-02T18:41:43.908Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-02T18:00:16.065Z"}, "title": "Newgen OmniDocs WebApiRequestRedirection resource injection", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-99", "lang": "en", "description": "Improper Control of Resource Identifiers"}]}], "affected": [{"vendor": "Newgen", "product": "OmniDocs", "versions": [{"version": "12.0", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in Newgen OmniDocs up to 12.0.00. Affected by this issue is some unknown functionality of the file /omnidocs/WebApiRequestRedirection. The manipulation of the argument DocumentId results in improper control of resource identifiers. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 5.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-04-02T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-02T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-02T10:07:24.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "kushkira (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB CNA Team", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/vuln/354829", "name": "VDB-354829 | Newgen OmniDocs WebApiRequestRedirection resource injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/354829/cti", "name": "VDB-354829 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/781765", "name": "Submit #781765 | Newgen Software Newgen OmniDocs 12.0.00 Insecure Direct Object Reference", "tags": ["third-party-advisory"]}, {"url": "https://drive.google.com/file/d/1lYPiqFQd5JoZpIrIh8ohD-7emzGSW0SV/view?usp=sharing", "tags": ["broken-link", "exploit"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T18:41:33.926447Z", "id": "CVE-2026-5414", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T18:41:43.908Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5414", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-02T08:02:15.811Z", "datePublished": "2026-04-02T18:00:16.065Z", "dateUpdated": "2026-04-02T18:41:43.908Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-02T18:00:16.065Z"}, "title": "Newgen OmniDocs WebApiRequestRedirection resource injection", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-99", "lang": "en", "description": "Improper Control of Resource Identifiers"}]}], "affected": [{"vendor": "Newgen", "product": "OmniDocs", "versions": [{"version": "12.0", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in Newgen OmniDocs up to 12.0.00. Affected by this issue is some unknown functionality of the file /omnidocs/WebApiRequestRedirection. The manipulation of the argument DocumentId results in improper control of resource identifiers. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 5.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-04-02T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-02T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-02T10:07:24.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "kushkira (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB CNA Team", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/vuln/354829", "name": "VDB-354829 | Newgen OmniDocs WebApiRequestRedirection resource injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/354829/cti", "name": "VDB-354829 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/781765", "name": "Submit #781765 | Newgen Software Newgen OmniDocs 12.0.00 Insecure Direct Object Reference", "tags": ["third-party-advisory"]}, {"url": "https://drive.google.com/file/d/1lYPiqFQd5JoZpIrIh8ohD-7emzGSW0SV/view?usp=sharing", "tags": ["broken-link", "exploit"]}]}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5414", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-02T18:41:33.926447Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T18:41:38.682Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in Newgen OmniDocs up to 12.0.00. Affected by this issue is some unknown functionality of the file /omnidocs/WebApiRequestRedirection. The manipulation of the argument DocumentId results in improper control of resource identifiers. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way."}], "id": "CVE-2026-5414", "lastModified": "2026-04-24T18:13:28.877", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-02T18:16:35.777", "references": [{"source": "cna@vuldb.com", "url": "https://drive.google.com/file/d/1lYPiqFQd5JoZpIrIh8ohD-7emzGSW0SV/view?usp=sharing"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/781765"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/354829"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/354829/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-99"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "12.0"}}], "enrichment": {"confidence": 88.0, "confidence_source": "matching", "scores": [{"score": 88.0, "source": "matching"}]}, "original": {"product": "OmniDocs", "source": "cna", "vendor": "Newgen"}, "product": "omnidocs", "vendor": "newgensoft"}], "analysis": {"en": {"generated_at": "2026-04-02T23:14:36.518775+00:00", "value": {"mitigation_remediation": ["Apply the vendor\u2011issued patch or upgrade to a version newer than 12.0.00.", "If no patch exists, block external traffic to the /omnidocs/WebApiRequestRedirection endpoint using firewall rules or network segmentation until remediation is available.", "Enforce input validation for the DocumentId parameter or whitelist acceptable values to prevent arbitrary resource access.", "Monitor Newgen security advisories and threat intelligence feeds for updates or additional mitigations.", "Verify that the vendor\u2019s update resolves the issue by testing the endpoint after patching."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized data access via resource injection"}, "threat_synthesis": {"affected_systems": "The flaw is present in all releases of Newgen OmniDocs up to and including version 12.0.00, with no additional sub-version constraints reported.", "description_and_impact": "A vulnerability was identified in Newgen OmniDocs versions up to 12.0.00 that affects the /omnidocs/WebApiRequestRedirection endpoint. Manipulation of the DocumentId parameter gives an adversary improper control of resource identifiers - a CWE-99 issue - which can enable an attacker to request resources that should not be accessible or redirect the application to unintended content. This flaw allows remote exploitation and can lead to unauthorized disclosure of data or unexpected behavior within the OmniDocs platform.", "risk_and_exploitability": "The CVSS score of 6.9 indicates moderate severity, and the publicly released exploit suggests that attackers already have usable code. The absence of an EPSS score and the fact that the vulnerability is not listed in the CISA KEV catalog do not diminish the real-world risk, as the flaw can be triggered from a remote location without authentication, as inferred from the description. Therefore, the risk remains high until a patch is applied or the vulnerable endpoint is otherwise mitigated."}}}}, "created": "2026-04-03T08:58:01.984050+00:00", "updated": "2026-04-03T09:17:06.132500+00:00", "vendors": ["newgensoft", "newgensoft$PRODUCT$omnidocs"]}