Skip to main content

SambaBox CVE-2026-3120

| EUVDEUVD-2026-26945 HIGH
Code Injection (CWE-94)
2026-05-04 TR-CERT
7.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.2 HIGH
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Patch available
May 04, 2026 - 14:16 EUVD
Analysis Generated
May 04, 2026 - 12:30 vuln.today
Patch released
May 04, 2026 - 12:16 nvd
Patch available
EUVD ID Assigned
May 04, 2026 - 12:15 euvd
EUVD-2026-26945
Analysis Generated
May 04, 2026 - 12:15 vuln.today
CVE Published
May 04, 2026 - 11:53 nvd
HIGH 7.2

DescriptionCVE.org

Improper Control of Generation of Code ('Code Injection') vulnerability in Profelis Information and Consulting Trade and Industry Limited Company SambaBox allows OS Command Injection.

This issue affects SambaBox: from 5.1 before 5.3.

AnalysisAI

Remote code execution in SambaBox 5.1-5.2 allows authenticated administrators to inject and execute arbitrary OS commands through improper input sanitization. Attackers with high-privilege access can achieve full system compromise with confidentiality, integrity, and availability impact. Reported by Turkish national CERT (TR-CERT/USOM), no CISA KEV listing or public exploit code identified at time of analysis, indicating limited observed exploitation activity.

Technical ContextAI

SambaBox is a file sharing and collaboration platform developed by Profelis Information and Consulting Trade and Industry Limited Company. The vulnerability stems from CWE-94 (Improper Control of Generation of Code), manifesting as OS command injection. The application fails to properly sanitize user-supplied input before passing it to system command execution functions, allowing attackers to break out of intended command contexts and inject arbitrary operating system commands. This occurs in the web management interface or API endpoints accessible to administrative users. The CPE identifier cpe:2.3:a:profelis_information_and_consulting_trade_and_industry_limited_company:sambabox confirms versions 5.1 and 5.2 are affected, with version 5.3 serving as the remediation baseline.

RemediationAI

Upgrade SambaBox to version 5.3 or later, which addresses the command injection vulnerability according to TR-CERT advisory at https://www.usom.gov.tr/bildirim/tr-26-0155. Organizations unable to immediately upgrade should implement compensating controls: restrict administrative interface access to trusted IP ranges via firewall rules or VPN-only access (reduces attack surface but does not eliminate insider threat risk), enable comprehensive command execution logging for administrative actions to detect exploitation attempts (detection-only control, does not prevent attacks), implement multi-factor authentication for all administrative accounts (increases attacker difficulty but does not fix underlying code injection flaw), and conduct audit of administrative accounts to remove unnecessary privileges and disable unused admin accounts (reduces number of potential attack vectors).

Share

CVE-2026-3120 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy