Description
Deserialization of untrusted data in Nuance PowerScribe allows an unauthorized attacker to execute code over a network.
Published: 2026-06-09
Score: 9.8 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Deserialization of untrusted data in Nuance PowerScribe allows an unauthorized attacker to execute code over a network, granting full control over the affected system and compromising confidentiality, integrity, and availability.

Affected Systems

Microsoft Nuance PowerScribe 360 versions 4.0 through 4.0.9 and Microsoft Nuance PowerScribe One versions 2019.1 to 2019.9, as well as the 2023.1 SP2 Patch 11 and 2023.1 SP3 Patch 6 releases.

Risk and Exploitability

The flaw carries a CVSS score of 9.8, indicating a critical risk. EPSS data is not available, so the likelihood cannot be quantified, and the vulnerability is not yet listed in the CISA KEV catalog. Based on the description, the attack vector is likely remote over the network by sending a crafted serialized payload to the vulnerable application. No authentication requirements are explicitly mentioned, suggesting that an unauthenticated attacker with network access could exploit the weakness and achieve remote code execution.

Generated by OpenCVE AI on June 9, 2026 at 18:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Microsoft patch that addresses CVE-2026-26142, as documented in the Microsoft security update guide.
  • Review any custom deserialization code to ensure it only processes signed or trusted data; disable or remove deserialization of untrusted input where possible.
  • Limit network exposure of PowerScribe servers by configuring firewalls or VPNs to restrict inbound connections to trusted administrative networks.



Advisories

No advisories yet.

History

Tue, 09 Jun 2026 20:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Microsoft powerscribe One Version 2023.1 Sp2; Microsoft powerscribe One Version 2023.1 Sp3
Vendors & Products | | Microsoft powerscribe One Version 2023.1 Sp2; Microsoft powerscribe One Version 2023.1 Sp3

Tue, 09 Jun 2026 17:15:00 +0000

Type | Values Removed | Values Added
Description | | Deserialization of untrusted data in Nuance PowerScribe allows an unauthorized attacker to execute code over a network.
Title | | Nuance PowerScribe Remote Code Execution Vulnerability
First Time appeared | | Microsoft; Microsoft nuance Powerscribe 360; Microsoft nuance Powerscribe One
Weaknesses | | CWE-502
CPEs | | cpe:2.3:a:microsoft:nuance_powerscribe_360:*:*:*:*:*:*:*:*; cpe:2.3:a:microsoft:nuance_powerscribe_one:*:*:*:*:*:*:*:*
Vendors & Products | | Microsoft; Microsoft nuance Powerscribe 360; Microsoft nuance Powerscribe One
References | |
Metrics | | cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-09T21:50:32.088Z

Reserved: 2026-02-11T16:24:51.134Z

Link: CVE-2026-26142

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-06-09T17:17:03.087

Modified: 2026-06-09T19:32:51.440

Link: CVE-2026-26142

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T20:20:09Z

Weaknesses