Severity by source
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (CIRCL) · only source for this CVE.
CVSS VectorVendor: CIRCL
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Nomachine allows Argument Injection.This issue affects Nomachine: before 9.5.7, before 8.23.2.
AnalysisAI
Argument injection in NoMachine remote desktop software before versions 9.5.7 and 8.23.2 allows a local authenticated user to inject command-line arguments and achieve high-impact compromise of confidentiality, integrity, and availability on the host. The flaw is tracked as CWE-88 (Improper Neutralization of Argument Delimiters), reported by CIRCL, and at the time of analysis there is no public exploit identified.
Technical ContextAI
NoMachine is a commercial remote desktop and NX-protocol-based remote access suite that ships privileged helper components on Windows, Linux, and macOS hosts to broker sessions, manage displays, and execute system operations on behalf of users. CWE-88 (Argument Injection) covers cases where a process builds a child command line by concatenating user-controlled input without separating it from the executable's option parser, so values that contain leading hyphens or special delimiters are interpreted as additional flags rather than data. Per the affected CPE cpe:2.3:a:nomachine:nomachine, the weakness sits in NoMachine itself rather than a bundled third-party library, indicating one of NoMachine's own privileged wrappers fails to neutralize argument delimiters before invoking an underlying binary.
RemediationAI
Upgrade NoMachine to 9.5.7 or later on the 9.x branch, or to 8.23.2 or later on the 8.x branch, per the vendor advisories at https://kb.nomachine.com/SU05X00274 and https://kb.nomachine.com/SU05X00275; these are the only confirmed fixes. Until patching is complete, restrict interactive and remote-shell logon on NoMachine hosts to trusted administrators (the vulnerability requires local low-privileged access), remove non-essential local accounts, and audit setuid/privileged NoMachine helpers and scheduled tasks for invocation by unprivileged users, accepting that these controls reduce who can reach the vulnerable code path but do not eliminate the bug. Monitor process creation events for NoMachine binaries spawning child processes with unexpected argument flags as a detection compensating control, recognizing this will not prevent exploitation.
An unspecified server utility in NoMachine before 5.3.10 on Mac OS X and Linux allows authenticated users to gain privil
An arbitrary file overwrite vulnerability in NoMachine Free Edition and Enterprise Client for macOS before v8.8.1 allows
NoMachine before 5.3.27 and 6.x before 6.3.6 allows attackers to gain privileges via a Trojan horse wintab32.dll file lo
An uninitialised stack variable in the nxfuse component that is part of the Open Source DokanFS library shipped with NoM
Incorrect permissions for the folder C:\ProgramData\NoMachine\var\uninstall of Nomachine v7.9.2 allows attackers to perf
A vulnerability in NoMachine App for Android 5.0.63 and earlier allows attackers to alter environment variables via unsp
Local privilege escalation in NoMachine allows authenticated low-privileged attackers to execute arbitrary code as root
Local privilege escalation in NoMachine Device Server allows authenticated low-privileged attackers to execute arbitrary
NoMachine Uncontrolled Search Path Element Local Privilege Escalation Vulnerability. Rated high severity (CVSS 7.8), thi
Arbitrary file deletion in NoMachine through environment variable path manipulation allows authenticated local attackers
The nxfs.sys driver in the DokanFS library 0.6.0 in NoMachine before 6.4.6 on Windows 10 allows local users to cause a d
NoMachine Uncontrolled Search Path Element Local Privilege Escalation Vulnerability. Rated high severity (CVSS 7.8), thi
Same technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36060
GHSA-pph3-cx78-q9jc