CVE-2026-5965
Published: 21 April 2026
Summary
CVE-2026-5965 is a critical-severity OS Command Injection (CWE-78) vulnerability in NewSoftOA, developed by NewSoft. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 25.3% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
NewSoftOA software developed by NewSoft contains an OS command injection vulnerability tracked as CVE-2026-5965. The flaw, classified under CWE-78, permits injection of arbitrary operating system commands that are then executed on the server. It carries a CVSS 4.0 score of 9.3 with a network attack vector, no required privileges or user interaction, and high impact on confidentiality, integrity, and availability.
Unauthenticated local attackers can exploit the issue to run arbitrary commands on the affected server. Successful exploitation grants full control over the system, enabling actions such as data exfiltration, persistence, or further lateral movement within the environment.
Advisories published by Taiwan's CERT at the referenced URLs provide details on the vulnerability and recommended remediation steps for NewSoftOA deployments. The EPSS score has remained stable at 0.1083 with no observed increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-24054
Vulnerability details
NewSoftOA developed by NewSoft has an OS Command Injection vulnerability, allowing unauthenticated local attackers to inject arbitrary OS commands and execute them on the server.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
OS command injection vulnerability in public-facing software enables unauthenticated remote exploitation (T1190) and arbitrary OS command execution (T1059).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of all inputs to block OS command injection strings before they reach the shell.
- SI-2 (Flaw Remediation): mandates prompt identification and remediation of the NewSoftOA command-injection flaw (CWE-78) via patching or configuration changes.
- Access enforcement: enforces access-control decisions that would deny unauthenticated local users the ability to invoke the vulnerable command-execution path.
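The SI-10 control above asks that input be validated before it can reach a shell. The following added example (not NewSoftOA code; the page does not describe the product's vulnerable input, so a hostname parameter handed to ping is assumed for illustration) contrasts the CWE-78 pattern of splicing untrusted input into a shell command string with a hardened form that allowlist-validates the value and passes it as a single argv element with no shell involved.

```python
import re
import subprocess

# Allowlist for the assumed input: a syntactically valid hostname. Rejecting a
# leading "-" also blocks option injection (e.g. an input that starts with a flag).
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)
# Characters a shell treats as command separators, substitutions or quoting.
SHELL_META_RE = re.compile(r"[;&|`$<>(){}\n\r\\'\"]")


def vulnerable_command(host: str) -> str:
    """CWE-78 pattern: untrusted input concatenated into a string that the
    vulnerable design later runs with shell=True. Nothing here stops the
    shell from interpreting separators inside `host`."""
    return "ping -c 1 " + host


def contains_shell_metachars(value: str) -> bool:
    """Denylist check, useful for logging and alerting on suspicious input,
    but not a sufficient control on its own (encodings and edge cases slip
    past denylists); the allowlist below is the real SI-10 control."""
    return SHELL_META_RE.search(value) is not None


def validate_hostname(value: str) -> str:
    """Allowlist validation: accept only a well-formed hostname, else reject."""
    if len(value) > 253 or not HOSTNAME_RE.fullmatch(value):
        raise ValueError("rejected input: not a valid hostname")
    return value


def is_accepted(value: str) -> bool:
    """Convenience wrapper: True if the allowlist accepts the value."""
    try:
        validate_hostname(value)
        return True
    except ValueError:
        return False


def safe_ping_argv(host: str) -> list[str]:
    """Hardened form: the validated value is one argv element. With no shell
    in the path, the OS receives it verbatim as a single argument."""
    return ["ping", "-c", "1", validate_hostname(host)]


def run_ping(host: str) -> int:
    # shell=False is the default: argv elements are never parsed by a shell.
    return subprocess.run(safe_ping_argv(host), check=False).returncode
```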