{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40552", "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "state": "PUBLISHED", "assignerShortName": "CERT-PL", "dateReserved": "2026-04-14T09:44:32.552Z", "datePublished": "2026-04-28T13:13:44.914Z", "dateUpdated": "2026-04-28T14:16:41.296Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "product": "mpGabinet", "vendor": "BinSoft", "versions": [{"lessThanOrEqual": "23.12.19", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Robert Kruczek"}, {"lang": "en", "type": "finder", "value": "Kamil Szczurowski"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "mpGabinet is vulnerable to Remote Command Execution. An authorized user with access to the application and direct access to the backend database can achieve system command execution by uploading an attachment and modifying its storage path in the database to reference an attacker-controlled remote network resource. Alternatively, it is possible to use a previously uploaded file and change its reference. When the application processes the attachment, and a user tries to open it, the referenced resource is executed by the system.<br>Critically, this vulnerability can be exploited by any unauthenticated attacker by chaining it with CVE-2026-40550 and CVE-2026-40551, which allows obtaining database access, and logging onto any account.<br><br><span style=\"background-color: rgb(255, 255, 255);\">This issue affects mpGabinet version 23.12.19 and below.</span><br>"}], "value": "mpGabinet is vulnerable to Remote Command Execution. An authorized user with access to the application and direct access to the backend database can achieve system command execution by uploading an attachment and modifying its storage path in the database to reference an attacker-controlled remote network resource. Alternatively, it is possible to use a previously uploaded file and change its reference. When the application processes the attachment, and a user tries to open it, the referenced resource is executed by the system.\nCritically, this vulnerability can be exploited by any unauthenticated attacker by chaining it with CVE-2026-40550 and CVE-2026-40551, which allows obtaining database access, and logging onto any account.\n\nThis issue affects mpGabinet version 23.12.19 and below."}], "impacts": [{"capecId": "CAPEC-253", "descriptions": [{"lang": "en", "value": "CAPEC-253: Remote Code Inclusion"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "ADJACENT", "baseScore": 4.7, "baseSeverity": "MEDIUM", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-669", "description": "CWE-669: Incorrect Resource Transfer Between Spheres", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "shortName": "CERT-PL", "dateUpdated": "2026-04-28T13:13:44.914Z"}, "references": [{"tags": ["third-party-advisory"], "url": "https://cert.pl/posts/2026/04/CVE-2026-40550/"}, {"tags": ["product"], "url": "https://www.mpgabinet.pl/"}], "source": {"discovery": "EXTERNAL"}, "tags": ["unsupported-when-assigned"], "title": "Remote Code Execution in mpGabinet", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-28T14:16:34.596557Z", "id": "CVE-2026-40552", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T14:16:41.296Z"}}]}}

{}

{"cveTags": [{"sourceIdentifier": "cvd@cert.pl", "tags": ["unsupported-when-assigned"]}], "descriptions": [{"lang": "en", "value": "mpGabinet is vulnerable to Remote Command Execution. An authorized user with access to the application and direct access to the backend database can achieve system command execution by uploading an attachment and modifying its storage path in the database to reference an attacker-controlled remote network resource. Alternatively, it is possible to use a previously uploaded file and change its reference. When the application processes the attachment, and a user tries to open it, the referenced resource is executed by the system.\nCritically, this vulnerability can be exploited by any unauthenticated attacker by chaining it with CVE-2026-40550 and CVE-2026-40551, which allows obtaining database access, and logging onto any account.\n\nThis issue affects mpGabinet version 23.12.19 and below."}], "id": "CVE-2026-40552", "lastModified": "2026-04-28T14:16:13.637", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "ADJACENT", "availabilityRequirement": "NOT_DEFINED", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cvd@cert.pl", "type": "Secondary"}]}, "published": "2026-04-28T14:16:13.637", "references": [{"source": "cvd@cert.pl", "url": "https://cert.pl/posts/2026/04/CVE-2026-40550/"}, {"source": "cvd@cert.pl", "url": "https://www.mpgabinet.pl/"}], "sourceIdentifier": "cvd@cert.pl", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-669"}], "source": "cvd@cert.pl", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T19:17:04.024924+00:00", "value": {"mitigation_remediation": ["Upgrade mpGabinet to a version newer than 23.12.19 that removes the ability to modify attachment storage paths", "Restrict database update permissions for the attachment reference field, or enforce application\u2011level access controls so only authorized service processes can change it", "Configure the application to disallow external or remote resource references in attachment paths, enforcing a strict whitelist of local file locations or validated URLs"], "summary": {"action": "Patch Immediately", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The affected system is BinSoft\u2019s mpGabinet application, specifically all releases version 23.12.19 and earlier. These releases are available from the official mpGabinet website and can be identified by their version number in the application metadata.", "description_and_impact": "mpGabinet allows an attacker who has the ability to change the database record of an attachment\u2019s storage path to point to an arbitrary remote resource. When a user opens the modified attachment, the application retrieves that remote resource and executes it on the server, giving the attacker the ability to run arbitrary system commands. The vulnerability is a specific instance of improper validation of external resources and, according to CWE-669, permits command or file traversal that leads to remote code execution. Although the exposure requires database access, the description notes that a single chained vulnerability (CVE\u20112026\u201140550 or CVE\u20112026\u201140551) can provide this access to an otherwise unauthenticated user, thereby widening the attack surface.", "risk_and_exploitability": "The CVSS score of 4.7 places this flaw in the medium severity range. EPSS data is currently unavailable, and the vulnerability is not listed in CISA\u2019s KEV catalog, suggesting no known widespread exploitation yet. Nevertheless, the requirement to manipulate database entries and ingest a remote resource means the attack vector is limited to applications with write access to the attachment metadata store or to those that can obtain such access via other vulnerabilities. If an attacker can successfully chain this vulnerability with CVE\u20112026\u201140550 or CVE\u20112026\u201140551, they can achieve remote command execution and potentially compromise the entire host. The overall risk is moderate to high in environments where the mpGabinet application is exposed and database access controls are weak."}}}}, "created": "2026-04-28T19:30:27.366341+00:00", "updated": "2026-04-28T19:30:27.366361+00:00", "vendors": []}