Description
mpGabinet is vulnerable to Remote Command Execution. An authorized user with access to the application and direct access to the backend database can achieve system command execution by uploading an attachment and modifying its storage path in the database to reference an attacker-controlled remote network resource. Alternatively, it is possible to use a previously uploaded file and change its reference. When the application processes the attachment, and a user tries to open it, the referenced resource is executed by the system.
Critically, this vulnerability can be exploited by any unauthenticated attacker by chaining it with CVE-2026-40550 and CVE-2026-40551, which allow obtaining database access and logging on to any account.

This issue affects mpGabinet version 23.12.19 and below.
Published: 2026-04-28
Score: 4.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

mpGabinet allows an attacker who can change the database record holding an attachment's storage path to point that path at an arbitrary remote resource. When a user opens the modified attachment, the application retrieves the remote resource and executes it on the server, giving the attacker the ability to run arbitrary system commands. The vulnerability is a specific instance of improper validation of external resources and, according to CWE-669, permits command or file traversal that leads to remote code execution. Although the exposure requires database access, the description notes that a single chained vulnerability (CVE-2026-40550 or CVE-2026-40551) can provide this access to an otherwise unauthenticated user, thereby widening the attack surface.

Affected Systems

The affected system is BinSoft’s mpGabinet application, specifically all releases version 23.12.19 and earlier. These releases are available from the official mpGabinet website and can be identified by their version number in the application metadata.

Risk and Exploitability

The CVSS score of 4.7 places this flaw in the medium severity range. EPSS data is currently unavailable, and the vulnerability is not listed in CISA's KEV catalog, suggesting no known widespread exploitation yet. Nevertheless, the requirement to manipulate database entries and ingest a remote resource means the attack vector is limited to applications with write access to the attachment metadata store or to those that can obtain such access via other vulnerabilities. If an attacker can successfully chain this vulnerability with CVE-2026-40550 or CVE-2026-40551, they can achieve remote command execution and potentially compromise the entire host. The overall risk is moderate to high in environments where the mpGabinet application is exposed and database access controls are weak.

Generated by OpenCVE AI on April 28, 2026 at 19:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade mpGabinet to a version newer than 23.12.19 that removes the ability to modify attachment storage paths
  • Restrict database update permissions for the attachment reference field, or enforce application‑level access controls so only authorized service processes can change it
  • Configure the application to disallow external or remote resource references in attachment paths, enforcing a strict whitelist of local file locations or validated URLs
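As an added illustration of the last two recommended actions (example code written for this page, not mpGabinet's or BinSoft's own), a validator for database-stored attachment references that rejects URLs, UNC shares, absolute paths and traversal, plus an audit pass over attachment rows so references that were already altered can be found. The attachment root directory, the (id, stored_path) row shape and the error messages are assumptions.

```python
import posixpath
from urllib.parse import urlsplit

# Assumption: the directory under which the application stores uploads.
# mpGabinet's real layout is not documented on this page.
ATTACHMENT_ROOT = "/srv/mpgabinet/attachments"


class UnsafeAttachmentPath(ValueError):
    """The stored reference must not be handed to the OS for opening."""


def resolve_attachment(stored_path: str, root: str = ATTACHMENT_ROOT) -> str:
    """Map a DB-stored attachment reference to a local file below `root`,
    raising UnsafeAttachmentPath for URLs, UNC shares, absolute paths and
    traversal, i.e. anything that could point outside the local store."""
    if not stored_path or "\x00" in stored_path:
        raise UnsafeAttachmentPath("empty or NUL-containing reference")
    # Treat Windows separators like POSIX ones so \\host\share and //host/share
    # are checked identically.
    p = stored_path.replace("\\", "/")
    # 1. Any URL scheme (http, smb, file, ...) names a remote resource.
    #    A one-letter scheme is a Windows drive letter, rejected in step 3.
    scheme = urlsplit(p).scheme
    if len(scheme) > 1:
        raise UnsafeAttachmentPath(f"URL scheme not allowed: {scheme}")
    # 2. UNC / network paths start with two separators.
    if p.startswith("//"):
        raise UnsafeAttachmentPath("UNC / network path not allowed")
    # 3. References must be relative to the store: no leading '/' or drive.
    if p.startswith("/") or (len(p) > 1 and p[1] == ":"):
        raise UnsafeAttachmentPath("absolute path not allowed")
    # 4. Collapse '.' and '..' and confirm the result is still below root.
    base = root.rstrip("/")
    full = posixpath.normpath(posixpath.join(base, p))
    if not full.startswith(base + "/"):
        raise UnsafeAttachmentPath("reference escapes the attachment root")
    return full


def audit_attachment_rows(rows):
    """Check (id, stored_path) rows pulled from the attachment table and
    return {id: 'ok' | rejection reason} so tampered rows stand out."""
    verdicts = {}
    for row_id, stored_path in rows:
        try:
            resolve_attachment(stored_path)
            verdicts[row_id] = "ok"
        except UnsafeAttachmentPath as exc:
            verdicts[row_id] = str(exc)
    return verdicts
```

Running audit_attachment_rows over a dump of the attachment table is also a cheap detection step: any row that is not "ok" has a reference the application should never have stored.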



Advisories

No advisories yet.

History

Wed, 29 Apr 2026 10:30:00 +0000

First Time appeared (values added): Binsoft, Binsoft mpgabinet
Vendors & Products (values added): Binsoft, Binsoft mpgabinet

Tue, 28 Apr 2026 13:45:00 +0000

Description (value added): mpGabinet is vulnerable to Remote Command Execution. An authorized user with access to the application and direct access to the backend database can achieve system command execution by uploading an attachment and modifying its storage path in the database to reference an attacker-controlled remote network resource. Alternatively, it is possible to use a previously uploaded file and change its reference. When the application processes the attachment, and a user tries to open it, the referenced resource is executed by the system. Critically, this vulnerability can be exploited by any unauthenticated attacker by chaining it with CVE-2026-40550 and CVE-2026-40551, which allows obtaining database access, and logging onto any account. This issue affects mpGabinet version 23.12.19 and below.
Title (value added): Remote Code Execution in mpGabinet
Weaknesses (value added): CWE-669
References (value added): (empty)
Metrics (value added): cvssV4_0, score 4.7, vector CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H


Subscriptions

Binsoft Mpgabinet
MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published:

Updated: 2026-04-28T14:16:41.296Z

Reserved: 2026-04-14T09:44:32.552Z

Link: CVE-2026-40552

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2026-04-28T14:16:13.637

Modified: 2026-04-28T20:20:09.767

Link: CVE-2026-40552

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T10:10:42Z

Weaknesses