Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionCVE.org
Improper Control of Generation of Code ('Code Injection') vulnerability in Profelis Information and Consulting Trade and Industry Limited Company SambaBox allows OS Command Injection.
This issue affects SambaBox: from 5.1 before 5.3.
AnalysisAI
Remote code execution in SambaBox 5.1-5.2 allows authenticated administrators to inject and execute arbitrary OS commands through improper input sanitization. Attackers with high-privilege access can achieve full system compromise with confidentiality, integrity, and availability impact. Reported by Turkish national CERT (TR-CERT/USOM), no CISA KEV listing or public exploit code identified at time of analysis, indicating limited observed exploitation activity.
Technical ContextAI
SambaBox is a file sharing and collaboration platform developed by Profelis Information and Consulting Trade and Industry Limited Company. The vulnerability stems from CWE-94 (Improper Control of Generation of Code), manifesting as OS command injection. The application fails to properly sanitize user-supplied input before passing it to system command execution functions, allowing attackers to break out of intended command contexts and inject arbitrary operating system commands. This occurs in the web management interface or API endpoints accessible to administrative users. The CPE identifier cpe:2.3:a:profelis_information_and_consulting_trade_and_industry_limited_company:sambabox confirms versions 5.1 and 5.2 are affected, with version 5.3 serving as the remediation baseline.
RemediationAI
Upgrade SambaBox to version 5.3 or later, which addresses the command injection vulnerability according to TR-CERT advisory at https://www.usom.gov.tr/bildirim/tr-26-0155. Organizations unable to immediately upgrade should implement compensating controls: restrict administrative interface access to trusted IP ranges via firewall rules or VPN-only access (reduces attack surface but does not eliminate insider threat risk), enable comprehensive command execution logging for administrative actions to detect exploitation attempts (detection-only control, does not prevent attacks), implement multi-factor authentication for all administrative accounts (increases attacker difficulty but does not fix underlying code injection flaw), and conduct audit of administrative accounts to remove unnecessary privileges and disable unused admin accounts (reduces number of potential attack vectors).
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Group Functionality of Pr
Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in ping tool of Profel
Same weakness CWE-94 – Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26945