Skip to main content

Gmission Web Fax CVE-2026-9157

| EUVDEUVD-2026-31244 HIGH
Improper Input Validation (CWE-20)
2026-05-21 FSI GHSA-w95q-h4rm-mxfm
8.6
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.6 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
May 21, 2026 - 09:30 vuln.today
CVSS changed
May 21, 2026 - 09:22 NVD
8.4 (HIGH) 8.6 (HIGH)
Patch available
May 21, 2026 - 09:01 EUVD

DescriptionCVE.org

Improper input validation, Unrestricted upload of file with dangerous type vulnerability in Gmission Web Fax allows Remote Code Inclusion.

This issue affects Web Fax: from 3.0 before 3.1.

AnalysisAI

Unrestricted file upload in Gmission Web Fax versions 3.0 up to (but not including) 3.1 allows attackers to upload files of dangerous types and trigger remote code inclusion, leading to full confidentiality, integrity, and availability impact on the host. The flaw was reported by FSI and a vendor patch is available, though no public exploit code has been identified at time of analysis. Note that the CVSS 4.0 vector advertises a local attack vector (AV:L) which conflicts with the description's 'Remote Code Inclusion' wording - this discrepancy should be verified.

Technical ContextAI

Web Fax is a Korean fax-over-web product from Gmission (gmission.co.kr) used to send and receive faxes through a web interface. The root cause is classified under CWE-20 (Improper Input Validation) combined with an unrestricted upload of files with dangerous types - the upload handler fails to validate file content/extension before persisting the file in a server-reachable location, enabling 'Remote Code Inclusion' where attacker-supplied code is included/executed by the application. The single CPE cpe:2.3:a:gmission:web_fax:*:*:*:*:*:*:*:* indicates the entire affected product line shares the same vulnerable upload handler.

RemediationAI

Upgrade to Gmission Web Fax 3.1 or later, which is the vendor-released patched version per the affected-version range (3.0 <3.1) and the 'Patch: Available from vendor' indicator; refer to the vendor product page at https://www.gmission.co.kr/fax1 for download and release notes. If immediate patching is not possible, restrict access to the Web Fax upload endpoints to trusted management networks via firewall or reverse-proxy ACLs, disable or remove the file-upload feature in the application configuration if it is not business-critical (this will break inbound fax document handling), and add a web-server-level filter or WAF rule blocking uploads of executable extensions (.php, .jsp, .asp, .aspx, .exe, .sh) to the upload directory - note that extension-only filters can be bypassed via content-type or double-extension tricks, so they are interim, not authoritative. Ensure the upload directory is not server-executable as a hardening measure that mitigates the 'code inclusion' step even if a malicious file lands.

Share

CVE-2026-9157 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy