CVE-2026-27776
Published: 27 February 2026
Summary
CVE-2026-27776 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in intra-mart Accel Platform. Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 28.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-27776, published on 2026-02-27, is an insecure deserialization vulnerability (CWE-502) in the IM-LogicDesigner module of the intra-mart Accel Platform. The issue affects systems only when the IM-LogicDesigner module is deployed.
An attacker can exploit this vulnerability over the network (AV:N) with low attack complexity (AC:L) and no required privileges (PR:N), but it requires user interaction (UI:R) from an administrative user. By tricking such a user into importing a crafted file, the attacker can achieve arbitrary code execution, resulting in high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H) within an unchanged security scope (S:U). The CVSS v3.1 base score is 8.8.
Vendor and advisory sources provide mitigation guidance, including patches, at https://global.intra-mart.support/hc/en-us/articles/55266898383641 and https://jvn.jp/en/jp/JVN80500630/.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9007
Vulnerability details
The IM-LogicDesigner module of intra-mart Accel Platform contains an insecure deserialization issue. This can be exploited only when IM-LogicDesigner is deployed on the system. Arbitrary code may be executed when a crafted file is imported by a user with administrative privileges.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Insecure deserialization enables RCE on the server when an admin imports a crafted file (T1204.002); the network attack vector on a public-facing enterprise platform directly maps to T1190.
Mitigating Controls (NIST 800-53 r5)
- Directly remediates the insecure deserialization vulnerability by applying vendor-provided patches for the IM-LogicDesigner module.
- Validates imported files in the IM-LogicDesigner module to block malicious deserialization payloads before processing.
- Disables or prohibits the non-essential IM-LogicDesigner module to eliminate the vulnerable deserialization functionality.