PatchSiren cyber security CVE debrief
CVE-2026-5965 NewSoft CVE debrief
CVE-2026-5965 documents a critical OS command injection vulnerability in NewSoftOA, a product developed by NewSoft. The vulnerability allows unauthenticated local attackers to inject and execute arbitrary operating system commands on affected servers. The issue was published on April 21, 2026, with the record last modified on May 19, 2026. The vulnerability is classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command) and carries a CVSS 4.0 vector indicating network attack vector with low attack complexity, no privileges required, and high impact to confidentiality, integrity, and availability. The NVD currently lists this entry with a status of 'Deferred'. Taiwan's CERT (TWCERT) has published advisory information regarding this vulnerability. No known exploitation in ransomware campaigns has been documented, and the vulnerability has not been added to CISA's Known Exploited Vulnerabilities catalog.
- Vendor
- NewSoft
- Product
- NewSoftOA
- CVSS
- CRITICAL 9.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-04-21
- Original CVE updated
- 2026-05-19
- Advisory published
- 2026-04-21
- Advisory updated
- 2026-05-19
Who should care
Organizations operating NewSoftOA for office automation or document management should prioritize assessment and patching. Security teams managing Taiwanese software deployments, particularly in government and enterprise sectors where NewSoft products are commonly deployed, should monitor for vendor security updates. Incident response teams should include this CVE in threat intelligence monitoring given the critical severity and unauthenticated attack vector.
Technical summary
NewSoftOA contains an OS command injection vulnerability (CWE-78) that enables unauthenticated local attackers to inject arbitrary operating system commands for execution on the server. The vulnerability is rated CRITICAL with a CVSS 4.0 vector of AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N, indicating network accessibility, low attack complexity, no required privileges or user interaction, and high impacts across confidentiality, integrity, and availability domains. The attack vector allows command execution without authentication, presenting severe risk to affected deployments. The NVD entry status is currently 'Deferred', suggesting ongoing analysis or vendor coordination. Regional advisories from Taiwan CERT provide supplementary technical context.
Defensive priority
critical
Recommended defensive actions
- Apply security patches from NewSoft when available, prioritizing systems running NewSoftOA
- Restrict network access to NewSoftOA administrative interfaces to trusted hosts only
- Implement input validation and command injection protections at the application layer
- Monitor for anomalous process execution and command-line activity on servers hosting NewSoftOA
- Review and update web application firewall rules to detect OS command injection patterns
- Conduct code review or engage vendor for security assessment of NewSoftOA components
Evidence notes
Vulnerability description sourced from official CVE record and NVD entry. CWE-78 classification and CVSS 4.0 vector confirmed via NVD source data. TWCERT references provide additional regional advisory context. Vendor identification remains under review with low confidence due to limited canonical source information.
Official resources
2026-04-21T04:16:13.443Z