Description
An issue in Pivotal CRM v.6.6.04.08 allows a remote attacker to execute arbitrary code via the Pivotal.Core.Common.dll and Pivotal.Engine.Client.Services.Conversion.dll components.
Published: 2026-06-23
Score: 8.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in Pivotal CRM 6.6.04.08 allows a remote attacker to execute arbitrary code by exploiting the vulnerable Pivotal.Core.Common.dll and Pivotal.Engine.Client.Services.Conversion.dll components. The vulnerability reflects an insecure deserialization weakness (CWE-502) that permits crafted data to trigger arbitrary code execution on the host system.

Affected Systems

Pivotal CRM version 6.6.04.08 is affected. No other versions are currently known to be impacted.

Risk and Exploitability

The CVSS score of 8.1 indicates a high severity vulnerability. EPSS information is not available, and the flaw is not listed in the CISA KEV catalog, suggesting limited active exploitation. Nevertheless, the remote code execution capability poses a significant risk; a remote attacker who can send crafted inputs can gain full control over the application host, compromising confidentiality, integrity, and availability. The likely attack vector is remote data input triggering insecure deserialization of untrusted data.

Generated by OpenCVE AI on June 24, 2026 at 00:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor-provided patch that updates the Pivotal.Core.Common.dll and Pivotal.Engine.Client.Services.Conversion.dll components as documented in the support article.
  • Upgrade to a newer release of Pivotal CRM that includes the fixed DLLs.
  • Disable or restrict deserialization of untrusted data by configuring application settings or applying runtime filters and enforce strict input validation to ensure only trusted data is processed.
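As an added illustration of the third action (this is example code, not from the page, OpenCVE, or the Pivotal vendor), the block below shows a .NET `SerializationBinder` that allowlists the types a `BinaryFormatter` is permitted to materialize. It assumes the consuming code uses `BinaryFormatter`, which the record does not state; `ExampleApp.Messages.ConversionRequest` is a placeholder message type, not a real Pivotal CRM type.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;

namespace ExampleApp.Messages
{
    // Placeholder message type for the example; not a real Pivotal CRM type.
    [Serializable]
    public sealed class ConversionRequest
    {
        public string SourceFormat = "";
        public string TargetFormat = "";
    }

    // Allowlisting binder. The type name carried in the payload is used only as a
    // key into a fixed table, so untrusted data can never cause the runtime to
    // resolve a type or load an assembly the application did not intend.
    public sealed class AllowlistBinder : SerializationBinder
    {
        private static readonly Dictionary<string, Type> Allowed =
            new Dictionary<string, Type>(StringComparer.Ordinal)
            {
                [typeof(ConversionRequest).FullName] = typeof(ConversionRequest),
            };

        public override Type BindToType(string assemblyName, string typeName)
        {
            if (Allowed.TryGetValue(typeName, out var type))
                return type;
            // Fail closed: anything not explicitly listed is rejected before any
            // object of that type is constructed.
            throw new SerializationException(
                $"Refusing to deserialize type '{typeName}' from assembly '{assemblyName}'");
        }
    }

    public static class Program
    {
        // Returns the deserialized object, or throws SerializationException when the
        // stream names a type outside the allowlist.
        public static object DeserializeTrusted(byte[] payload)
        {
            var formatter = new BinaryFormatter { Binder = new AllowlistBinder() };
            using (var stream = new MemoryStream(payload))
                return formatter.Deserialize(stream);
        }

        public static void Main()
        {
            var formatter = new BinaryFormatter();

            // Constructed sample: an allowed message round-trips normally.
            using (var ok = new MemoryStream())
            {
                formatter.Serialize(ok, new ConversionRequest { SourceFormat = "docx", TargetFormat = "pdf" });
                var req = (ConversionRequest)DeserializeTrusted(ok.ToArray());
                Console.WriteLine($"accepted: {req.SourceFormat} -> {req.TargetFormat}");
            }

            // Constructed sample: a harmless but unlisted type (List<int>) exercises the
            // rejection path; the binder throws before the object graph is built.
            using (var bad = new MemoryStream())
            {
                formatter.Serialize(bad, new List<int> { 1, 2, 3 });
                try { DeserializeTrusted(bad.ToArray()); }
                catch (SerializationException e) { Console.WriteLine("rejected: " + e.Message); }
            }
        }
    }
}
```

The binder is a defence-in-depth measure for legacy .NET Framework code that cannot yet drop `BinaryFormatter`; on modern .NET the formatter is disabled by default and the durable fix is to replace it with a serializer that does not embed type information, such as System.Text.Json with a fixed target type. A log line emitted from the `catch` branch above is also a useful detection signal, since legitimate clients should never trigger it.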



Advisories

No advisories yet.

History

Wed, 24 Jun 2026 00:30:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via Vulnerable DLLs in Pivotal CRM 6.6.04.08

Tue, 23 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via Vulnerable DLLs in Pivotal CRM 6.6.04.08

Tue, 23 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-502
Metrics cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
Metrics ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 23 Jun 2026 19:45:00 +0000

Type Values Removed Values Added
Description An issue in Pivotal CRM v.6.6.04.08 allows a remote attacker to execute arbitrary code via the Pivotal.Core.Common.dll and Pivotal.Engine.Client.Services.Conversion.dll components.
References


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-23T20:42:00.906Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-39253

Vulnrichment

Updated: 2026-06-23T20:38:33.214Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T00:15:09Z

Weaknesses
  • CWE-502: Deserialization of Untrusted Data