{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5054", "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "state": "PUBLISHED", "assignerShortName": "zdi", "dateReserved": "2026-03-27T18:05:48.551Z", "datePublished": "2026-04-11T00:14:16.658Z", "dateUpdated": "2026-04-14T03:55:46.803Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "shortName": "zdi", "dateUpdated": "2026-04-11T00:14:16.658Z"}, "title": "NoMachine External Control of File Path Local Privilege Escalation Vulnerability", "descriptions": [{"lang": "en", "value": "NoMachine External Control of File Path Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of NoMachine. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.\n\nThe specific flaw exists within the handling of command line parameters. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of root. Was ZDI-CAN-28630."}], "affected": [{"vendor": "NoMachine", "product": "NoMachine", "versions": [{"version": "9.3.7", "status": "affected"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-73", "description": "CWE-73: External Control of File Name or Path", "type": "CWE"}]}], "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-26-248/", "name": "ZDI-26-248", "tags": ["x_research-advisory"]}], "dateAssigned": "2026-03-27T18:05:48.573Z", "datePublic": "2026-03-30T19:45:42.654Z", "source": {"lang": "en", "value": "Anonymous"}, "metrics": [{"format": "CVSS", "cvssV3_0": {"version": "3.0", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH"}}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-5054"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T03:55:46.803Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5054", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-13T16:18:00.270565Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T16:18:06.545Z"}}], "cna": {"title": "NoMachine External Control of File Path Local Privilege Escalation Vulnerability", "source": {"lang": "en", "value": "Anonymous"}, "metrics": [{"format": "CVSS", "cvssV3_0": {"version": "3.0", "baseScore": 7.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "NoMachine", "product": "NoMachine", "versions": [{"status": "affected", "version": "9.3.7"}], "defaultStatus": "unknown"}], "datePublic": "2026-03-30T19:45:42.654Z", "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-26-248/", "name": "ZDI-26-248", "tags": ["x_research-advisory"]}], "dateAssigned": "2026-03-27T18:05:48.573Z", "descriptions": [{"lang": "en", "value": "NoMachine External Control of File Path Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of NoMachine. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.\n\nThe specific flaw exists within the handling of command line parameters. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of root. Was ZDI-CAN-28630."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-73", "description": "CWE-73: External Control of File Name or Path"}]}], "providerMetadata": {"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "shortName": "zdi", "dateUpdated": "2026-04-11T00:14:16.658Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5054", "state": "PUBLISHED", "dateUpdated": "2026-04-14T03:55:46.803Z", "dateReserved": "2026-03-27T18:05:48.551Z", "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "datePublished": "2026-04-11T00:14:16.658Z", "assignerShortName": "zdi"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nomachine:nomachine:*:*:*:*:*:*:*:*", "matchCriteriaId": "99ABF7D0-787B-4153-8F4F-53F5B59609B4", "versionEndExcluding": "9.4.14", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "NoMachine External Control of File Path Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of NoMachine. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.\n\nThe specific flaw exists within the handling of command line parameters. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of root. Was ZDI-CAN-28630."}], "id": "CVE-2026-5054", "lastModified": "2026-04-15T18:42:24.013", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "zdi-disclosures@trendmicro.com", "type": "Secondary"}]}, "published": "2026-04-11T01:16:17.890", "references": [{"source": "zdi-disclosures@trendmicro.com", "tags": ["Third Party Advisory"], "url": "https://www.zerodayinitiative.com/advisories/ZDI-26-248/"}], "sourceIdentifier": "zdi-disclosures@trendmicro.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-73"}], "source": "zdi-disclosures@trendmicro.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "9.3.7"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "NoMachine", "source": "cna", "vendor": "NoMachine"}, "product": "nomachine", "vendor": "nomachine"}], "analysis": {"en": {"generated_at": "2026-04-11T02:27:28.207706+00:00", "value": {"mitigation_remediation": ["Apply the most recent NoMachine patch or update as released by the vendor.", "Verify that the installed NoMachine version incorporates the fix for CVE\u20112026\u20115054.", "If no patch is available, limit local users from running NoMachine with elevated privileges and monitor file operations for abnormal paths.", "Consult the ZeroDay Initiative advisory (https://www.zerodayinitiative.com/advisories/ZDI-26-248/) for additional guidance and patch release notes."], "summary": {"action": "Patch Now", "impact": "Local Privilege Escalation"}, "threat_synthesis": {"affected_systems": "The affected vendor is NoMachine, product NoMachine. No specific affected version information is supplied in the CVE record, so any installation that has not applied the vendor\u2019s patch may be vulnerable.", "description_and_impact": "This vulnerability arises from insufficient validation of user\u2011supplied file paths supplied via command line parameters. An attacker with the ability to run low\u2011privileged code on the target host can craft a malicious path that the NoMachine application will use in file operations, allowing the attacker to gain elevated system privileges or execute arbitrary code in a root context. The flaw is a direct example of uncontrolled path traversal, classified under CWE\u201173, and permits a local attacker to compromise the confidentiality, integrity, and availability of the affected system. The attack does not rely on network\u2011level access and requires local code execution as a prerequisite.", "risk_and_exploitability": "The CVSS score of 7.8 indicates a high severity vulnerability. EPSS information is unavailable, and the vulnerability is not listed in CISA\u2019s Known Exploited Vulnerabilities catalog, suggesting limited or unknown exploitation in the wild. The likely attack vector is local, with the attacker needing to already execute non\u2011privileged code on the host. If such code execution is possible, the privilege escalation path is straightforward, making this a serious threat for any system where local users could trigger the vulnerable command line logic."}}}}, "created": "2026-04-13T12:42:20.240432+00:00", "updated": "2026-04-13T12:57:06.740839+00:00", "vendors": ["nomachine", "nomachine$PRODUCT$nomachine"]}