Cyber Posture

CVE-2026-5965

Critical

Published: 21 April 2026

Modified: 21 April 2026
KEV Added:
Patch:
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0866 (92.5th percentile)
Risk Priority: 25 (60% EPSS · 20% KEV · 20% CVSS)

Description

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.

Security Summary

CVE-2026-5965 is an OS Command Injection vulnerability (CWE-78) affecting NewSoftOA, software developed by NewSoft. Published on 2026-04-21T04:16:13.443, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The issue enables unauthenticated local attackers to inject arbitrary OS commands and execute them on the server.

Unauthenticated local attackers can exploit this vulnerability to inject and execute arbitrary operating system commands on the affected server. Successful exploitation grants high-impact access, compromising confidentiality, integrity, and availability as reflected in the CVSS metrics.

Mitigation details are available in advisories published by TWCERT/CC, accessible at https://www.twcert.org.tw/en/cp-139-10857-c46f7-2.html and https://www.twcert.org.tw/tw/cp-132-10856-4979f-1.html.

Details

CWE(s)
CWE-78

MITRE ATT&CK Enterprise Techniques

T1190: Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059: Command and Scripting Interpreter (Execution)
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.

Why these techniques?

An OS command injection vulnerability in public-facing software enables unauthenticated remote exploitation (T1190) and arbitrary OS command execution (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References