Description
Improper Control of Generation of Code ('Code Injection') vulnerability in Profelis Information and Consulting Trade and Industry Limited Company SambaBox allows OS Command Injection.

This issue affects SambaBox: from 5.1 before 5.3.
Published: 2026-05-04
Score: 7.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Profelis Information and Consulting Trade and Industry Limited Company SambaBox contains an Improper Control of Generation of Code flaw that permits OS Command Injection. If successfully exploited, an attacker can execute arbitrary commands with the privileges of the SambaBox service, potentially compromising confidentiality, integrity, and availability of the host. The likely attack vector is remote via SambaBox’s exposed interface, although the exact path is not detailed in the description.

Affected Systems

All SambaBox installations from version 5.1 up to but not including 5.3 are impacted. The affected product is Profelis Information and Consulting Trade and Industry Limited Company SambaBox.

Risk and Exploitability

The CVSS score of 7.2 indicates high severity; no EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. Attackers would need network access to the SambaBox component to craft a malicious payload; once they have it, they can inject OS commands through the vulnerable interface. Because the flaw is present in multiple released versions, the risk persists until the affected software is updated.

Generated by OpenCVE AI on May 4, 2026 at 13:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade SambaBox to version 5.3 or later, which contains the fix for the command injection flaw.
  • Configure your network firewall to block or restrict external access to the SambaBox management interface or ports exposed to untrusted users.
  • Apply additional host-based intrusion detection rules to flag the execution of unexpected OS commands originating from SambaBox.

Generated by OpenCVE AI on May 4, 2026 at 13:20 UTC.

Advisories

No advisories yet.

History

Mon, 04 May 2026 13:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 04 May 2026 12:15:00 +0000

Type        | Values Removed | Values Added
Description |                | Improper Control of Generation of Code ('Code Injection') vulnerability in Profelis Information and Consulting Trade and Industry Limited Company SambaBox allows OS Command Injection. This issue affects SambaBox: from 5.1 before 5.3.
Title       |                | RCE in Profelis Informatics' SambaBox
Weaknesses  |                | CWE-94
References  |                |
Metrics     |                | cvssV3_1: {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: TR-CERT

Published:

Updated: 2026-05-04T12:42:30.558Z

Reserved: 2026-02-24T13:05:55.590Z

Link: CVE-2026-3120

Vulnrichment

Updated: 2026-05-04T12:42:20.954Z

NVD

Status: Received

Published: 2026-05-04T12:16:29.393

Modified: 2026-05-04T12:16:29.393

Link: CVE-2026-3120

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-04T13:30:45Z

Weaknesses