Description
Improper input validation, Unrestricted upload of file with dangerous type vulnerability in Gmission Web Fax allows Remote Code Inclusion.

This issue affects Web Fax: from 3.0 before 3.1.
Published: 2026-05-21
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper input validation and unrestricted upload of files with dangerous types in Gmission Web Fax enables remote code inclusion, allowing attackers to execute arbitrary code on the server. The flaw arises from insufficient checks on uploaded file types, permitting malicious payloads to be processed by the application.

Affected Systems

Gmission Web Fax versions prior to 3.1, including 3.0 and earlier releases, are affected. The vulnerability is present in the default configuration of the application and impacts all instances without an applied patch.

Risk and Exploitability

The CVSS score of 8.6 indicates a high severity of remote code execution. Because the EPSS score is not available, the likelihood of exploitation cannot be quantified, but the lack of inclusion in the CISA KEV catalog does not diminish the potential risk. Attackers can exploit the flaw by uploading a crafted file through the web interface, triggering code execution on the server. Mitigating this risk requires timely deployment of the vendor’s patch, disabling file uploads when not needed, and enforcing strict file type validation at the web server level.

Generated by OpenCVE AI on May 21, 2026 at 10:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑issued patch for Gmission Web Fax 3.1 or later to eliminate the upload flaw.
  • If patching is not immediately possible, disable the file upload feature or restrict it to trusted users only.
  • Implement MIME type filtering and a strict file whitelist on the web server or application layer to reject disallowed file types.

Generated by OpenCVE AI on May 21, 2026 at 10:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://www.gmission.co.kr/fax1 cve-icon cve-icon
History

Thu, 21 May 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 21 May 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Gmission
Gmission web Fax
Vendors & Products Gmission
Gmission web Fax

Thu, 21 May 2026 09:00:00 +0000

Type Values Removed Values Added
Description Improper input validation, Unrestricted upload of file with dangerous type vulnerability in Gmission Web Fax allows Remote Code Inclusion. This issue affects Web Fax: from 3.0 before 3.1.
Title Remote Code Execution in Gmission Web FAX
Weaknesses CWE-20
CWE-434
References
Metrics cvssV3_1

{'score': 8.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Gmission Web Fax
cve-icon MITRE

Status: PUBLISHED

Assigner: FSI

Published:

Updated: 2026-05-21T12:11:54.255Z

Reserved: 2026-05-21T01:49:37.905Z

Link: CVE-2026-9157

cve-icon Vulnrichment

Updated: 2026-05-21T12:11:46.628Z

cve-icon NVD

Status : Deferred

Published: 2026-05-21T09:16:30.930

Modified: 2026-05-21T15:24:25.330

Link: CVE-2026-9157

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-21T11:00:11Z

Weaknesses