CVE-2026-2036
Published: 20 February 2026
Summary
CVE-2026-2036 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in GFI Archiver. Its CVSS base score is 8.8 (High).
Operationally, it is ranked in the top 39.4% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2026-2036 is a deserialization of untrusted data vulnerability in GFI Archiver that permits remote code execution. The flaw resides in the configuration of the MArc.Store.Remoting.exe process and stems from insufficient validation of user-supplied data, allowing an attacker to trigger deserialization that executes arbitrary code. The affected component is MArc.Store within GFI Archiver installations, and successful exploitation grants code execution in the context of the SYSTEM account.
Remote attackers can leverage the issue after bypassing the product's existing authentication controls. With the ability to supply crafted data over the network, an adversary can achieve full control of the affected system without further user interaction. The vulnerability carries a CVSS 3.0 score of 8.8 and is tracked under CWE-502.
The Zero Day Initiative advisory ZDI-26-076 addresses the issue as ZDI-CAN-27936. Exploitation probability as measured by EPSS rose from a baseline of 0.0055 to a peak of 0.0103, indicating that interest in the flaw increased after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-7774
Vulnerability details
GFI Archiver MArc.Store Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GFI Archiver. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the configuration of the MArc.Store.Remoting.exe process. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-27936.
Mitigating Controls (NIST 800-53 r5)
Directly requires validation of user-supplied data before deserialization, blocking the untrusted-data flaw in MArc.Store.Remoting.exe.
Enforces access-control decisions so that the documented authentication bypass cannot be used to reach the deserialization path.
Requires integrity verification of software and data, enabling detection of unauthorized code introduced via malicious deserialization.