Cyber Resilience

CVE-2026-5965

Critical · RCE

Published: 21 April 2026
Modified: 19 May 2026
KEV Added: not listed
Patch: not recorded
CVSS v4.0 score: 9.3 (Critical); vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.0174 (74.7th percentile)
Risk priority: 70 (floored blend, peak EPSS)

Summary

CVE-2026-5965 is a critical-severity OS command injection (CWE-78) vulnerability affecting Org (vendor inferred from references). Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 25.3% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

NewSoftOA software developed by NewSoft contains an OS command injection vulnerability tracked as CVE-2026-5965. The flaw, classified under CWE-78, permits injection of arbitrary operating system commands that are then executed on the server. It carries a CVSS 4.0 score of 9.3 with a network attack vector, no required privileges or user interaction, and high impact on confidentiality, integrity, and availability.

Unauthenticated local attackers can exploit the issue to run arbitrary commands on the affected server. Successful exploitation grants full control over the system, enabling actions such as data exfiltration, persistence, or further lateral movement within the environment.

Advisories published by Taiwan's CERT at the referenced URLs provide details on the vulnerability and recommended remediation steps for NewSoftOA deployments. The EPSS score has remained stable at 0.1083 with no observed increase since disclosure.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

NewSoftOA developed by NewSoft has an OS Command Injection vulnerability, allowing unauthenticated local attackers to inject arbitrary OS commands and execute them on the server.

CWE(s)

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1059 Command and Scripting Interpreter (Execution): Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.

Why these techniques?

OS command injection vulnerability in public-facing software enables unauthenticated remote exploitation (T1190) and arbitrary OS command execution (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

- CVE-2026-28470 (shared CWE-78)
- CVE-2025-69269 (shared CWE-78)
- CVE-2025-24971 (shared CWE-78)
- CVE-2026-22553 (shared CWE-78)
- CVE-2026-22901 (shared CWE-78)
- CVE-2026-1345 (shared CWE-78)
- CVE-2026-6349 (shared CWE-78)
- CVE-2025-9588 (shared CWE-78)
- CVE-2026-24689 (shared CWE-78)
- CVE-2025-0457 (shared CWE-78)

Affected Assets

Org (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-assigned)

- Prevent: SI-10 (Information Input Validation). Directly requires validation of all inputs to block OS command injection strings before they reach the shell.
- Prevent: SI-2 (Flaw Remediation). Mandates prompt identification and remediation of the NewSoftOA command-injection flaw (CWE-78) via patching or configuration changes.
- Prevent: access enforcement. Enforces access-control decisions that would deny unauthenticated local users the ability to invoke the vulnerable command-execution path.
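The SI-10 control above is abstract; the following added example (written for this page, not NewSoft's code, which is not public here) shows the generic CWE-78 shape it targets and the hardened form. The "ping a host" feature, the hostname validator, the `build_command_*` names and the sample inputs are all constructed for illustration. The patch (SI-2) remains the fix for the product itself; this only shows what input validation plus argv-style invocation looks like in code.

```python
import re
import shlex
import subprocess

# Hypothetical feature: a web form that lets a user ping a host. This is the
# classic CWE-78 shape; it is NOT NewSoftOA code (the real code path is not public).

# Allowlist for a hostname or IPv4 literal: RFC 1123 labels joined by dots,
# at most 253 characters, no label starting or ending with "-". A leading "-"
# is rejected so the value can never be parsed as a command-line option.
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)

# Shell tokens that would start a second command or pipeline.
_SHELL_SEPARATORS = {";", "|", "||", "&", "&&", "|&"}


def is_valid_hostname(value: str) -> bool:
    """SI-10 style allowlist check: True only for a plain hostname/IPv4 literal."""
    return bool(_HOST_RE.match(value))


def build_command_vulnerable(host: str) -> str:
    """Vulnerable pattern: untrusted input is concatenated into a shell string.

    Any shell metacharacter in `host` changes the structure of the command
    the shell executes. Kept here only to contrast with the hardened form.
    """
    return f"ping -c 1 {host}"


def build_command_hardened(host: str) -> list:
    """Hardened pattern: validate against the allowlist, then build an argv list.

    The list form is passed to the OS without a shell, so the input is only
    ever a single argument and cannot introduce a second command.
    """
    if not is_valid_hostname(host):
        raise ValueError("rejected host value")
    return ["ping", "-c", "1", host]


def hardened_accepts(host: str) -> bool:
    """Convenience wrapper: does the hardened builder accept this input?"""
    try:
        build_command_hardened(host)
        return True
    except ValueError:
        return False


def run_hardened(host: str) -> subprocess.CompletedProcess:
    """Execute the hardened command with shell=False and a timeout."""
    return subprocess.run(
        build_command_hardened(host),
        shell=False,
        capture_output=True,
        text=True,
        timeout=5,
    )


def shell_would_see_extra_command(cmd: str) -> bool:
    """Detection helper: tokenise a shell string the way a shell would and report
    whether it contains a command separator. Nothing is executed."""
    lexer = shlex.shlex(cmd, punctuation_chars=True)
    return any(tok in _SHELL_SEPARATORS for tok in lexer)


if __name__ == "__main__":
    # Constructed sample inputs: one benign, one carrying a shell separator.
    for sample in ("example.com", "example.com; echo injected"):
        vuln = build_command_vulnerable(sample)
        print(f"{sample!r}: shell string {vuln!r} -> extra command? "
              f"{shell_would_see_extra_command(vuln)}; hardened accepts? "
              f"{hardened_accepts(sample)}")
```

The two controls reinforce each other: the allowlist (SI-10) rejects anything that is not a hostname, and the argv form removes the shell so that even a validator bug cannot turn one argument into two commands. The `shell_would_see_extra_command` helper is a review-time aid for spotting the vulnerable string-building pattern in code, not a runtime filter to rely on.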

References