This vulnerability arises from insufficient validation of user‑supplied file paths supplied via command line parameters. An attacker with the ability to run low‑privileged code on the target host can craft a malicious path that the NoMachine application will use in file operations, allowing the attacker to gain elevated system privileges or execute arbitrary code in a root context. The flaw is a direct example of uncontrolled path traversal, classified under CWE‑73, and permits a local attacker to compromise the confidentiality, integrity, and availability of the affected system. The attack does not rely on network‑level access and requires local code execution as a prerequisite.

The affected vendor is NoMachine, product NoMachine. No specific affected version information is supplied in the CVE record, so any installation that has not applied the vendor’s patch may be vulnerable.

The CVSS score of 7.8 indicates a high severity vulnerability. EPSS information is unavailable, and the vulnerability is not listed in CISA’s Known Exploited Vulnerabilities catalog, suggesting limited or unknown exploitation in the wild. The likely attack vector is local, with the attacker needing to already execute non‑privileged code on the host. If such code execution is possible, the privilege escalation path is straightforward, making this a serious threat for any system where local users could trigger the vulnerable command line logic.