{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5053", "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "state": "PUBLISHED", "assignerShortName": "zdi", "dateReserved": "2026-03-27T18:05:32.535Z", "datePublished": "2026-04-11T00:14:07.656Z", "dateUpdated": "2026-04-13T16:18:43.447Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "shortName": "zdi", "dateUpdated": "2026-04-11T00:14:07.656Z"}, "title": "NoMachine External Control of File Path Arbitrary File Deletion Vulnerability", "descriptions": [{"lang": "en", "value": "NoMachine External Control of File Path Arbitrary File Deletion Vulnerability. This vulnerability allows local attackers to delete arbitrary files on affected installations of NoMachine. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.\n\nThe specific flaw exists within the handling of environment variables. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to delete files in the context of root. Was ZDI-CAN-28644."}], "affected": [{"vendor": "NoMachine", "product": "NoMachine", "versions": [{"version": "9.3.7", "status": "affected"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-73", "description": "CWE-73: External Control of File Name or Path", "type": "CWE"}]}], "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-26-247/", "name": "ZDI-26-247", "tags": ["x_research-advisory"]}], "dateAssigned": "2026-03-27T18:05:32.769Z", "datePublic": "2026-03-30T19:45:28.668Z", "source": {"lang": "en", "value": "Anonymous"}, "metrics": [{"format": "CVSS", "cvssV3_0": {"version": "3.0", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "baseScore": 7.1, "baseSeverity": "HIGH"}}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T16:18:35.302908Z", "id": "CVE-2026-5053", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T16:18:43.447Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5053", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-13T16:18:35.302908Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T16:18:39.918Z"}}], "cna": {"title": "NoMachine External Control of File Path Arbitrary File Deletion Vulnerability", "source": {"lang": "en", "value": "Anonymous"}, "metrics": [{"format": "CVSS", "cvssV3_0": {"version": "3.0", "baseScore": 7.1, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"}}], "affected": [{"vendor": "NoMachine", "product": "NoMachine", "versions": [{"status": "affected", "version": "9.3.7"}], "defaultStatus": "unknown"}], "datePublic": "2026-03-30T19:45:28.668Z", "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-26-247/", "name": "ZDI-26-247", "tags": ["x_research-advisory"]}], "dateAssigned": "2026-03-27T18:05:32.769Z", "descriptions": [{"lang": "en", "value": "NoMachine External Control of File Path Arbitrary File Deletion Vulnerability. This vulnerability allows local attackers to delete arbitrary files on affected installations of NoMachine. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.\n\nThe specific flaw exists within the handling of environment variables. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to delete files in the context of root. Was ZDI-CAN-28644."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-73", "description": "CWE-73: External Control of File Name or Path"}]}], "providerMetadata": {"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "shortName": "zdi", "dateUpdated": "2026-04-11T00:14:07.656Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5053", "state": "PUBLISHED", "dateUpdated": "2026-04-13T16:18:43.447Z", "dateReserved": "2026-03-27T18:05:32.535Z", "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "datePublished": "2026-04-11T00:14:07.656Z", "assignerShortName": "zdi"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nomachine:nomachine:*:*:*:*:*:*:*:*", "matchCriteriaId": "99ABF7D0-787B-4153-8F4F-53F5B59609B4", "versionEndExcluding": "9.4.14", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "NoMachine External Control of File Path Arbitrary File Deletion Vulnerability. This vulnerability allows local attackers to delete arbitrary files on affected installations of NoMachine. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.\n\nThe specific flaw exists within the handling of environment variables. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to delete files in the context of root. Was ZDI-CAN-28644."}], "id": "CVE-2026-5053", "lastModified": "2026-04-15T18:43:05.060", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 5.2, "source": "zdi-disclosures@trendmicro.com", "type": "Secondary"}]}, "published": "2026-04-11T01:16:17.757", "references": [{"source": "zdi-disclosures@trendmicro.com", "tags": ["Third Party Advisory"], "url": "https://www.zerodayinitiative.com/advisories/ZDI-26-247/"}], "sourceIdentifier": "zdi-disclosures@trendmicro.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-73"}], "source": "zdi-disclosures@trendmicro.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "9.3.7"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "NoMachine", "source": "cna", "vendor": "NoMachine"}, "product": "nomachine", "vendor": "nomachine"}], "analysis": {"en": {"generated_at": "2026-04-11T02:28:06.936989+00:00", "value": {"mitigation_remediation": ["If a security update or patch is available from NoMachine, apply it immediately.", "If a patch is not yet released, restrict or monitor environment variables used by NoMachine to prevent path manipulation.", "Deploy least privilege principles to limit access of applications that can modify environment variables.", "Regularly check NoMachine\u2019s advisories and keep installations updated."], "summary": {"action": "Patch Immediately", "impact": "Arbitrary file deletion"}, "threat_synthesis": {"affected_systems": "All versions of NoMachine software are potentially affected as no specific affected versions were disclosed. The vulnerability applies to the NoMachine product, used for remote desktop access.", "description_and_impact": "This vulnerability allows local attackers to delete arbitrary files on NoMachine installations. The flaw lies in the handling of environment variables, where user-supplied paths are not properly validated before file operations. An attacker must first gain low\u2011privileged code execution on the target system to exploit the flaw, after which they can delete files with the privileges of that session, potentially including root\u2011level files.", "risk_and_exploitability": "The CVSS base score is 7.1, indicating high severity. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog. Because the flaw requires low\u2011privileged code execution, the attack is primarily local. An attacker who manages to execute code can delete files with the same privileges, enabling disruption or further privilege escalation. The lack of a public exploit reduces immediate threat, but organizations should still treat it as a high\u2011risk local vulnerability."}}}}, "created": "2026-04-13T12:42:21.253639+00:00", "updated": "2026-04-13T12:57:07.866910+00:00", "vendors": ["nomachine", "nomachine$PRODUCT$nomachine"]}