Description
NewSoftOA developed by NewSoft has an OS Command Injection vulnerability, allowing unauthenticated local attackers to inject arbitrary OS commands and execute them on the server.
Published: 2026-04-21
Score: 9.3 Critical
EPSS: 1.7% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

NewSoftOA, an enterprise resource planning application from NewSoft, contains an OS command injection flaw that permits an unauthenticated local attacker to execute arbitrary shell commands on the underlying server. The vulnerability arises from insufficient validation of user-supplied input, allowing attacker-controlled strings to be injected into system calls. Successful exploitation would grant the attacker full control of the operating system, thereby compromising confidentiality, integrity, and availability of the affected system.

Affected Systems

The CNA lists only NewSoft:NewSoftOA as impacted. All installations of NewSoftOA versions earlier than 10.1.8.3 are vulnerable; no additional version granularity is specified in the CNA data. Administrators should verify their deployment version and consider any instance below 10.1.8.3 to be at risk.

Risk and Exploitability

The CVSS score of 9.3 signals a critical severity, while an EPSS score of 2 % indicates a low probability of exploitation. The vulnerability can be leveraged by an unauthenticated local attacker. The likely attack vector is inferred to require either direct physical access or compromise of a local account with sufficient privileges to launch the vulnerable service; this inference is drawn from the description but not explicitly confirmed by the CNA documentation. The vulnerability is not listed in CISA’s KEV catalog, but its high severity and low EPSS make timely patching a priority.

Generated by OpenCVE AI on June 18, 2026 at 08:54 UTC.

Remediation

Vendor Solution

Update to version 10.1.8.3 or later.

OpenCVE Recommended Actions

  • Upgrade NewSoftOA to version 10.1.8.3 or later, as released by NewSoft.
  • If a patch cannot be applied immediately, configure the application to reject or sanitize input that contains shell meta-characters or known command patterns to reduce the risk of injection.
  • Restrict local system access to the NewSoftOA service, ensuring that only trusted accounts with the least privilege necessary can run the application.


Advisories

No advisories yet.

History

Wed, 22 Apr 2026 12:15:00 +0000

Type: First Time appeared
Values Added: Newsoft; Newsoft newsoftoa

Type: Vendors & Products
Values Added: Newsoft; Newsoft newsoftoa

Tue, 21 Apr 2026 14:15:00 +0000

Type: Metrics
Values Added: ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 21 Apr 2026 04:00:00 +0000

Type: Description
Values Added: NewSoftOA developed by NewSoft has an OS Command Injection vulnerability, allowing unauthenticated local attackers to inject arbitrary OS commands and execute them on the server.

Type: Title
Values Added: NewSoft|NewSoftOA - OS Command Injection

Type: Weaknesses
Values Added: CWE-78

Type: References

Type: Metrics
Values Added: cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: twcert

Published:

Updated: 2026-04-21T13:20:58.795Z

Reserved: 2026-04-09T10:34:42.896Z

Link: CVE-2026-5965

Vulnrichment

Updated: 2026-04-21T13:20:54.893Z

NVD

Status: Deferred

Published: 2026-04-21T04:16:13.443

Modified: 2026-06-17T10:59:57.670

Link: CVE-2026-5965

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T09:00:16Z

Weaknesses
  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')