HIGH🇵🇱 Wersja polska

CVE-2026-2036

CVSS 8.8v3.0pub. 2026-02-20upd. 2026-02-24

GFI Archiver MArc.Store Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GFI Archiver. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the configuration of the MArc.Store.Remoting.exe process. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-27936.

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Gfi Archiver

    APP
    Gfi
    15.10
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEDeserialization
CWE
References

Related vulnerabilities

CVE-2026-2038CRITICAL9.8PL ✓ten sam produkt

GFI Archiver MArc.Core — pominięcie autoryzacji (Authentication Bypass)

CVE-2026-2039CRITICAL9.8PL ✓ten sam produkt

GFI Archiver: Pominięcie autoryzacji w MArc.Store umożliwia RCE jako SYSTEM

CVE-2024-11948CRITICAL9.8PL ✓ten sam produkt

GFI Archiver – RCE przez podatną wersję Telerik Web UI

CVE-2021-29281CRITICAL9.8ten sam produkt

File upload vulnerability in GFI Mail Archiver versions up to and including 15.1 via insecure implementation o...

CVE-2026-2037HIGH8.8ten sam produkt

GFI Archiver MArc.Core Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerabili...