CRITICALCVE-2026-26339Published 2026-02-19Modified 2026-02-20CNA VulnCheck

CVE-2026-26339: Hyland Alfresco Transformation Service Argument Injection RCE

Hyland Alfresco Transformation Service allows unauthenticated attackers to achieve remote code execution through the argument injection vulnerability, which exists in the document processing functionality.

CVSS v4.0: 9.3
Severity: CRITICAL
Fixed in: 4.2.3
Affected Products: 2

Fix available

4.2.35.2.4

Patch commits

connect.hyland.com

Affected packages

Hyland / Alfresco Transformation Service (Enterprise)
< 4.2.3 (from 0)
Hyland / Alfresco Community (Transform Core)
< 5.2.4 (from 0)

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References

connect.hyland.com
hyland.com
vulncheck.com

Metrics

Fix available