CVE-2026-3120
Published: 04 May 2026
Description
Improper Control of Generation of Code ('Code Injection') vulnerability in Profelis Information and Consulting Trade and Industry Limited Company SambaBox allows OS Command Injection. This issue affects SambaBox: from 5.1 before 5.3.
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the code injection vulnerability by requiring timely flaw remediation through upgrading SambaBox to version 5.3 or later.
Prevents OS command injection by enforcing information input validation to detect and reject malicious code in user-supplied inputs.
Reduces exploitation risk and impact by enforcing least privilege, limiting high-privilege (PR:H) access necessary for successful command injection.
Security SummaryAI
CVE-2026-3120 is an Improper Control of Generation of Code ('Code Injection') vulnerability in SambaBox from Profelis Information and Consulting Trade and Industry Limited Company. The flaw enables OS Command Injection and affects SambaBox versions from 5.1 up to but not including 5.3. It is classified under CWE-94 and received a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.
Attackers can exploit this vulnerability over the network with low complexity, but it requires high privileges (PR:H), such as those held by authenticated administrative users. No user interaction is necessary, and the scope remains unchanged. Successful exploitation grants high impacts across confidentiality, integrity, and availability, allowing attackers to inject and execute arbitrary OS commands on the affected system.
The advisory published by USOM at https://www.usom.gov.tr/bildirim/tr-26-0155 provides further details on the issue. Mitigation involves upgrading to SambaBox version 5.3 or later, as versions from 5.1 before 5.3 are vulnerable.
Details
- CWE(s)