What is the CVSS score of CVE-2026-26142?

CVE-2026-26142 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.4%.

Which versions of Nuance PowerScribe are affected by CVE-2026-26142?

Nuance PowerScribe, a mission-critical clinical radiology reporting platform deployed across hospital networks, is vulnerable to unauthenticated remote code execution that could compromise protected…. A patch is available.

How to fix or mitigate CVE-2026-26142?

Within 24 hours: Inventory all PowerScribe installations and restrict network-layer access to essential clinical departments only; enable detailed application logging and alert on deserialization-related events. Within 7 days: Deploy network segmentation isolating PowerScribe systems from general hospital networks; enforce re-authentication for all access via VPN or identity provider; document current system state and verify backup integrity. Within 30 days: Contact Nuance for patch availability timeline and interim security updates; complete risk assessment for temporary service restrictions or clinical workflow modifications pending remediation.

Nuance PowerScribe CVE-2026-26142

EUVD-2026-35530 CRITICAL

Deserialization of Untrusted Data (CWE-502)

2026-06-09 secure@microsoft.com

GHSA-7w62-gvgg-pvvq

Deserialization

9.8

CVSS 3.1 · NVD

Temporal: 8.5

Severity by source

NVD PRIMARY

9.8 CRITICAL

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CIRCL (temporal)

8.5 HIGH

cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Patch available

Jun 09, 2026 - 19:03 EUVD

Analysis Generated

Jun 09, 2026 - 17:30 vuln.today

DescriptionCVE.org

Deserialization of untrusted data in Nuance PowerScribe allows an unauthorized attacker to execute code over a network.

AnalysisAI

Remote code execution in Nuance PowerScribe allows unauthenticated network attackers to run arbitrary code by submitting maliciously crafted serialized objects to the application. The flaw is a CWE-502 untrusted-data deserialization issue carrying a critical CVSS 9.8 score, reported through Microsoft Security Response Center; no public exploit identified at time of analysis. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon

Gain access to clinical network segment

Delivery

Identify PowerScribe service endpoint

Exploit

Send crafted serialized object payload

Install

Trigger unsafe deserialization gadget chain

Execute code as PowerScribe service account

Execute

Pivot to PACS/RIS/EHR systems

Impact

Exfiltrate PHI or deploy ransomware

Recon

Gain access to clinical network segment

Delivery

Identify PowerScribe service endpoint

Exploit

Send crafted serialized object payload

Install

Trigger unsafe deserialization gadget chain

Execute code as PowerScribe service account

Execute

Pivot to PACS/RIS/EHR systems

Impact

Exfiltrate PHI or deploy ransomware

Vulnerability AssessmentAI

Exploitation	Network reachability to the vulnerable Nuance PowerScribe service is required, along with the ability to submit a serialized object to whichever endpoint performs the unsafe deserialization; per CVSS PR:N and UI:N, no authentication and no user interaction are needed. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) describes the worst-case profile: network-reachable, low-complexity, no authentication, no user interaction, and full compromise of confidentiality, integrity, and availability - the standard 9.8 critical pattern for unauth RCE. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker with network access to a hospital's clinical VLAN - obtained via a compromised workstation, a misconfigured VPN, or a malicious insider - sends a crafted serialized payload containing a known gadget chain to the PowerScribe service port. Deserialization triggers code execution under the PowerScribe service account, giving the attacker a foothold on a server that handles radiology reports and is typically integrated with PACS, RIS, and EHR systems, enabling lateral movement into PHI repositories or pre-positioning for ransomware.
Remediation	Patch availability per the MSRC advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26142 should be reviewed and applied - specific fix version is not stated in the provided data and must be retrieved from MSRC. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all PowerScribe installations and restrict network-layer access to essential clinical departments only; enable detailed application logging and alert on deserialization-related events. …

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-26142 vulnerability details – vuln.today

Back

Nuance PowerScribe CVE-2026-26142

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

Share

External POC / Exploit Code