Platform
php
Component
newsoft-oa
Fixed in
10.1.8.3
CVE-2026-5965 describes a critical Command Injection vulnerability discovered in NewSoftOA, a document management system. This flaw allows unauthenticated local attackers to execute arbitrary operating system commands on the server, potentially leading to complete system takeover. The vulnerability affects versions from 0.0.0 through 10.1.8.3, and a patch is available in version 10.1.8.3.
The impact of this Command Injection vulnerability is severe. An attacker with local access to the NewSoftOA server can leverage this flaw to execute arbitrary commands with the privileges of the web server user. This could allow them to read sensitive data, modify system files, install malware, or even gain persistent access to the system. The ability to execute arbitrary commands effectively grants the attacker complete control over the affected server. Given the document management nature of NewSoftOA, data at risk includes sensitive documents, user credentials, and potentially financial information. Lateral movement within the network is also possible if the server has access to other systems.
CVE-2026-5965 was publicly disclosed on 2026-04-21. The vulnerability's ease of exploitation, combined with the critical CVSS score of 9.8, suggests a high probability of exploitation. No public proof-of-concept (PoC) code has been released as of this writing, but the nature of Command Injection vulnerabilities makes it likely that one will emerge. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS
8.66% (92% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-5965 is to immediately upgrade NewSoftOA to version 10.1.8.3 or later. If upgrading is not immediately feasible, consider restricting local access to the server to only authorized personnel. Implement strict file system permissions to limit the potential damage from command execution. While a direct WAF rule is unlikely to be effective against this type of vulnerability, monitoring for unusual process execution patterns on the server can provide early detection. After upgrading, confirm the vulnerability is resolved by attempting a command injection payload in a controlled environment and verifying that it is properly sanitized.
Update NewSoftOA to version 10.1.8.3 or later to mitigate the OS Command Injection (OS Command Injection) vulnerability. Check the official NewSoft documentation for detailed instructions on how to update the software. Implement additional security controls, such as input validation and privilege restriction, to reduce the risk of exploitation.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-5965 is a critical vulnerability in NewSoftOA allowing unauthenticated local attackers to execute OS commands. It affects versions 0.0.0–10.1.8.3, potentially leading to full system compromise.
If you are using NewSoftOA versions 0.0.0 through 10.1.8.3, you are potentially affected by this vulnerability. Immediate action is required.
Upgrade NewSoftOA to version 10.1.8.3 or later to remediate the vulnerability. If upgrading is not possible, restrict local access and implement strict file system permissions.
While no public exploits are currently known, the high CVSS score and ease of exploitation suggest a high probability of exploitation. Continuous monitoring is recommended.
Refer to the NewSoftOA official website or security advisory page for the latest information and updates regarding CVE-2026-5965.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.