Description
PowerDocu contains a Windows GUI executable to perform technical documentations. Prior to 2.4.0, PowerDocu contains a critical security vulnerability in how it parses JSON files within Flow or App packages. The application blindly trusts the $type property in JSON files, allowing an attacker to instantiate arbitrary .NET objects and execute code. This vulnerability is fixed in 2.4.0.
Published: 2026-02-09
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

PowerDocu, a Windows GUI application for technical documentation, parses JSON files contained in Flow or App packages. The application blindly trusts the $type property in these JSON files, enabling an attacker to instantiate arbitrary .NET objects and execute code. This flaw is a classic example of insecure deserialization (CWE‑502) and can lead to arbitrary code execution on the host system.

Affected Systems

The vulnerability affects all installations of PowerDocu prior to version 2.4.0. No specific sub‑versions are listed, so any release earlier than 2.4.0 is considered vulnerable.

Risk and Exploitability

The CVSS score of 7.8 indicates high impact, while the EPSS score of less than 1 % suggests exploitation is currently unlikely. Because the flaw is triggered when the application processes a malicious Flow or App package, the attack vector is likely local or remote depending on how the file is introduced. No report of active exploitation is in KEV catalog, but the high severity warrants prompt attention. The main prerequisite for exploitation is the ability to supply a crafted JSON file that the application will parse.

Generated by OpenCVE AI on April 17, 2026 at 21:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to PowerDocu version 2.4.0 or later, which removes the insecure deserialization path.
  • If upgrading is impossible, deny or restrict access to Flow and App packages so that untrusted JSON files are not processed.
  • Implement custom validation or a whitelist for the $type property during JSON deserialization to prevent instantiation of arbitrary .NET objects.

Generated by OpenCVE AI on April 17, 2026 at 21:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 28 Feb 2026 00:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:modery:powerdocu:*:*:*:*:*:*:*:*

Wed, 11 Feb 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 10 Feb 2026 12:45:00 +0000

Type Values Removed Values Added
First Time appeared Modery
Modery powerdocu
Vendors & Products Modery
Modery powerdocu

Mon, 09 Feb 2026 22:15:00 +0000

Type Values Removed Values Added
Description PowerDocu contains a Windows GUI executable to perform technical documentations. Prior to 2.4.0, PowerDocu contains a critical security vulnerability in how it parses JSON files within Flow or App packages. The application blindly trusts the $type property in JSON files, allowing an attacker to instantiate arbitrary .NET objects and execute code. This vulnerability is fixed in 2.4.0.
Title PowerDocu Affected by Remote Code Execution via Insecure Deserialization
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

Modery Powerdocu
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-11T21:22:45.286Z

Reserved: 2026-02-09T16:22:17.785Z

Link: CVE-2026-25925

cve-icon Vulnrichment

Updated: 2026-02-11T21:22:42.755Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-09T22:16:04.607

Modified: 2026-02-28T00:13:57.360

Link: CVE-2026-25925

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T21:15:27Z

Weaknesses