Vulnerabilities
Vulnerable Software
Hyland:  Security Vulnerabilities
PACSgear PACS Scan 5.2.1 contains an unauthenticated remote code execution vulnerability that allows remote attackers to read and write arbitrary files by exploiting an exposed .NET Remoting TCP service on port 22222 via PGImageExchQueue.exe without any authentication requirement. Attackers can chain the arbitrary file write primitive with DLL hijacking in PGImageExchangeQueueSvc.exe, which loads missing DLLs such as CRYPTSP.DLL from the application directory, to achieve remote code execution as NT Authority\SYSTEM upon service restart.
CVSS Score
9.3
EPSS Score
0.01
Published
2026-07-01
PACSgear MediaWriter 5.2.1 exposes a .NET Remoting TCP service on port 9000 via PacsgearMediaServerEngine.dll, registered with ObjectURIs RemoteObj and UIRemoteObj, without any authentication requirement. By exploiting the MarshalByRefObject object unmarshalling technique and implementing .NET WebClient class methods, an unauthenticated remote attacker can read and write arbitrary files on the host filesystem. The ObjectURIs are identical across all installations by default. Chaining the arbitrary file write primitive with DLL hijacking opportunities in the MediaWriter service (which runs as NT Authority\\SYSTEM and loads missing DLLs such as CRYPTBASE.DLL from the application directory) enables unauthenticated remote code execution as SYSTEM upon service restart.
CVSS Score
9.3
EPSS Score
0.01
Published
2026-07-01
Hyland Alfresco Transformation Service allows unauthenticated attackers to achieve remote code execution through the argument injection vulnerability, which exists in the document processing functionality.
CVSS Score
9.3
EPSS Score
0.005
Published
2026-02-19
Hyland Alfresco Transformation Service allows unauthenticated attackers to achieve both arbitrary file read and server-side request forgery through the absolute path traversal.
CVSS Score
8.8
EPSS Score
0.004
Published
2026-02-19
Hyland Alfresco Transformation Service allows unauthenticated attackers to achieve server-side request forgery (SSRF) through the document processing functionality.
CVSS Score
6.9
EPSS Score
0.004
Published
2026-02-19
Hyland Alfresco allows unauthenticated attackers to read arbitrary files from protected directories (like WEB-INF) via the "/share/page/resource/" endpoint, thus leading to the disclosure of sensitive configuration files.
CVSS Score
8.7
EPSS Score
0.003
Published
2026-02-19
A reflected cross-site scripting (XSS) vulnerability in Hyland Alfresco Platform 23.2.1-r96 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload into the parameter htmlid.
CVSS Score
6.1
EPSS Score
0.004
Published
2024-07-20
An issue was discovered in Hyland Alfresco Community Edition through 7.2.0. By inserting malicious content in the folder.get.html.ftl file, an attacker may perform SSTI (Server-Side Template Injection) attacks, which can leverage FreeMarker exposed objects to bypass restrictions and achieve RCE (Remote Code Execution). NOTE: this issue exists because of an incomplete fix for CVE-2020-12873.
CVSS Score
8.8
EPSS Score
0.347
Published
2023-12-11
The Nuxeo Platform is an open source content management platform for building business applications. In version 11.5.109, the `oauth2` REST API is vulnerable to Reflected Cross-Site Scripting (XSS). This XSS can be escalated to Remote Code Execution (RCE) by levering the automation API.
CVSS Score
5.4
EPSS Score
0.007
Published
2023-01-05
The Hyland Onbase Application Server releases prior to 20.3.58.1000 and OnBase releases 21.1.1.1000 through 21.1.15.1000 are vulnerable to a username enumeration vulnerability. An attacker can obtain valid users based on the response returned for invalid and valid users by sending a POST login request to the /mobilebroker/ServiceToBroker.svc/Json/Connect endpoint. This can lead to user enumeration against the underlying Active Directory integrated systems.
CVSS Score
5.3
EPSS Score
0.012
Published
2022-06-21


Contact Us

Shodan ® - All rights reserved