Skip to main content

Newsoftoa CVE-2026-5965

| EUVDEUVD-2026-24054 CRITICAL
OS Command Injection (CWE-78)
2026-04-21 twcert
9.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

9
Patch released
Apr 21, 2026 - 16:20 nvd
Patch available
Patch available
Apr 21, 2026 - 05:01 EUVD
Analysis Updated
Apr 21, 2026 - 04:27 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 21, 2026 - 04:22 vuln.today
cvss_changed
CVSS changed
Apr 21, 2026 - 04:22 NVD
9.8 (CRITICAL) 9.3 (CRITICAL)
Analysis Generated
Apr 21, 2026 - 04:10 vuln.today
EUVD ID Assigned
Apr 21, 2026 - 04:00 euvd
EUVD-2026-24054
Analysis Generated
Apr 21, 2026 - 04:00 vuln.today
CVE Published
Apr 21, 2026 - 03:32 nvd
CRITICAL 9.3

DescriptionCVE.org

NewSoftOA developed by NewSoft has an OS Command Injection vulnerability, allowing unauthenticated local attackers to inject arbitrary OS commands and execute them on the server.

AnalysisAI

OS command injection in NewSoft NewSoftOA allows remote unauthenticated attackers to execute arbitrary system commands on the server. CVSS 9.3 (Critical) with network attack vector and no authentication required. The description contains a contradiction - it states 'local attackers' while CVSS vector indicates AV:N (network-accessible). Based on CVSS vector, this is remotely exploitable without authentication. No CISA KEV listing or public exploit code identified at time of analysis, but network accessibility and lack of auth barriers make this a high-priority remediation target for organizations running NewSoftOA.

Technical ContextAI

NewSoftOA is an office automation system developed by NewSoft. The vulnerability is a classic OS command injection flaw (CWE-78), where user-supplied input is passed unsanitized to system command execution functions (such as system(), exec(), popen(), or similar APIs). The CVSS 4.0 vector shows network attack surface (AV:N) with low complexity (AC:L) and no privileges required (PR:N), indicating the vulnerable endpoint is exposed to network requests without authentication. The affected product CPE (cpe:2.3:a:newsoft:newsoftoa) does not specify version constraints, suggesting potentially all versions may be vulnerable pending vendor clarification. Command injection vulnerabilities allow attackers to break out of intended command parameters and execute arbitrary operating system commands with the privileges of the web application process.

RemediationAI

Contact NewSoft Corporation immediately for patch availability and upgrade to the fixed version per vendor guidance published at Taiwan CERT advisories (https://www.twcert.org.tw/tw/cp-132-10856-4979f-1.html or https://www.twcert.org.tw/en/cp-139-10857-c46f7-2.html). No specific patched version number is confirmed in available NVD data at time of analysis - consult vendor bulletin directly. As interim mitigation if patch unavailable, restrict network access to NewSoftOA to trusted IP ranges only via firewall rules or reverse proxy ACLs, reducing attack surface from internet-wide (AV:N) to controlled networks. Implement web application firewall (WAF) rules to detect and block command injection patterns (shell metacharacters like semicolons, pipes, backticks in user input), though this is bypassable and not a substitute for patching. Disable or remove any administrative interfaces exposed to untrusted networks. Run the application with least-privilege service accounts to limit impact of successful command execution. Monitor system logs for unexpected process execution from web server parent processes. These compensating controls reduce but do not eliminate risk.

Share

CVE-2026-5965 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy