Which versions of PHP are affected by CVE-2026-4170?

A critical remote code execution vulnerability (CVE-2026-4170, CVSS 9.8) has been identified in Topsec TopACM 3.0 with public exploit code available and no vendor patch.

Is there a public PoC exploit available for CVE-2026-4170?

Yes, a public proof-of-concept exploit is available for CVE-2026-4170. Prioritise patching immediately. EPSS: 0.2%.

PHP CVE-2026-4170

Q: What is the CVSS score of CVE-2026-4170?

CVE-2026-4170 has a CVSS 4.0 base score of 8.9 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.2%.

EUVD-2026-12214 HIGH

OS Command Injection (CWE-78)

2026-03-15 VulDB

PHP Command Injection

8.9

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Re-analysis Queued

Apr 22, 2026 - 21:37 vuln.today

cvss_changed

Severity Changed

Apr 22, 2026 - 21:37 NVD

CRITICAL HIGH

CVSS changed

Apr 22, 2026 - 21:37 NVD

9.8 (CRITICAL) 8.9 (HIGH)

PoC Detected

Mar 16, 2026 - 14:53 vuln.today

Public exploit code

EUVD ID Assigned

Mar 15, 2026 - 09:00 euvd

EUVD-2026-12214

Analysis Generated

Mar 15, 2026 - 09:00 vuln.today

CVE Published

Mar 15, 2026 - 07:02 nvd

CRITICAL 9.8

DescriptionNVD

A weakness has been identified in Topsec TopACM 3.0. Affected by this vulnerability is an unknown functionality of the file /view/systemConfig/management/nmc_sync.php of the component HTTP Request Handler. Executing a manipulation of the argument template_path can lead to os command injection. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Critical OS command injection vulnerability in Topsec TopACM 3.0's web management interface that allows unauthenticated remote attackers to execute arbitrary system commands. A public proof-of-concept exploit is available, and the vulnerability has a CVSS score of 9.8, though no active exploitation has been confirmed in CISA's KEV catalog. …

RemediationAI

Within 24 hours: Isolate all TopACM 3.0 instances from production networks or restrict network access to trusted sources only; confirm inventory of affected systems; establish incident response readiness. Within 7 days: Deploy WAF rules or intrusion prevention signatures to block exploitation attempts on the nmc_sync.php parameter; implement enhanced monitoring and logging; assess feasibility of product replacement or emergency upgrade. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-4170 vulnerability details – vuln.today

Back

PHP CVE-2026-4170

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

PHP CVE-2026-4170

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code