Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
9.3
Hyland Alfresco Transformation Service: Unauthenticated Remote Code Execution
CVE-2026-26339
Summary
An attacker can execute malicious code on the server without needing a password. This can happen when processing certain documents. Update the software to the latest version to fix the issue.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| hyland | alfresco_transform_service | <= 4.2.3 | – |
| hyland | alfresco_transform_core | <= 5.2.4 | – |
Original title
Hyland Alfresco Transformation Service allows unauthenticated attackers to achieve remote code execution through the argument injection vulnerability, which exists in the document processing functi...
Original description
Hyland Alfresco Transformation Service allows unauthenticated attackers to achieve remote code execution through the argument injection vulnerability, which exists in the document processing functionality.
nvd CVSS3.1
9.8
nvd CVSS4.0
9.3
Vulnerability type
CWE-918
Server-Side Request Forgery (SSRF)
Published: 19 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026