Skip to main content

Alfresco Transform Core

3 CVEs product

Monthly

CVE-2026-26339 CRITICAL Act Now

Remote code execution in Hyland's Alfresco Transform Service (and the related Alfresco Transform Core component) lets unauthenticated network attackers inject crafted arguments into the document-processing pipeline to run arbitrary commands on the transformation host. Any exposed Alfresco deployment relying on these transform components is affected, with no login required and full compromise of confidentiality, integrity and availability. No public exploit has been identified at time of analysis, and the EPSS probability is currently low (0.22%, 44th percentile).

RCE Alfresco Transform Core Alfresco Transform Service SSRF
NVD
CVSS 4.0
9.3
EPSS
0.2%
CVE-2026-26338 MEDIUM This Month

SSRF in Hyland Alfresco Transformation Service via document processing.

SSRF Alfresco Transform Core Alfresco Transform Service
NVD
CVSS 4.0
6.9
EPSS
0.1%
CVE-2026-26337 HIGH This Week

Arbitrary file read and server-side request forgery in Hyland Alfresco Transformation Service (and the underlying Alfresco Transform Core, including 5.3.0-alpha1) allow unauthenticated remote attackers to read arbitrary files and coerce the server into making outbound requests via absolute path traversal. Hyland has published a coordinated security advisory (CVE-2026-26337/26338/26339). No public exploit has been identified at time of analysis and the EPSS probability is low (0.12%), but the network-facing, unauthenticated nature makes this a meaningful exposure for internet-reachable transform components.

SSRF Path Traversal Alfresco Transform Core Alfresco Transform Service
NVD
CVSS 4.0
8.8
EPSS
0.1%
EPSS 0% CVSS 9.3
CRITICAL Act Now

Remote code execution in Hyland's Alfresco Transform Service (and the related Alfresco Transform Core component) lets unauthenticated network attackers inject crafted arguments into the document-processing pipeline to run arbitrary commands on the transformation host. Any exposed Alfresco deployment relying on these transform components is affected, with no login required and full compromise of confidentiality, integrity and availability. No public exploit has been identified at time of analysis, and the EPSS probability is currently low (0.22%, 44th percentile).

RCE Alfresco Transform Core Alfresco Transform Service +1
NVD
EPSS 0% CVSS 6.9
MEDIUM This Month

SSRF in Hyland Alfresco Transformation Service via document processing.

SSRF Alfresco Transform Core Alfresco Transform Service
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Arbitrary file read and server-side request forgery in Hyland Alfresco Transformation Service (and the underlying Alfresco Transform Core, including 5.3.0-alpha1) allow unauthenticated remote attackers to read arbitrary files and coerce the server into making outbound requests via absolute path traversal. Hyland has published a coordinated security advisory (CVE-2026-26337/26338/26339). No public exploit has been identified at time of analysis and the EPSS probability is low (0.12%), but the network-facing, unauthenticated nature makes this a meaningful exposure for internet-reachable transform components.

SSRF Path Traversal Alfresco Transform Core +1
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy