CVE-2026-40552

Remote Code Execution in mpGabinet

Assigner: CERT-PL
Reserved: 14.04.2026 Published: 28.04.2026 Updated: 28.04.2026

mpGabinet is vulnerable to Remote Command Execution. An authorized user with access to the application and direct access to the backend database can achieve system command execution by uploading an attachment and modifying its storage path in the database to reference an attacker-controlled remote network resource. Alternatively, it is possible to use a previously uploaded file and change its reference. When the application processes the attachment, and a user tries to open it, the referenced resource is executed by the system. Critically, this vulnerability can be exploited by any unauthenticated attacker by chaining it with CVE-2026-40550 and CVE-2026-40551, which allows obtaining database access, and logging onto any account.

This issue affects mpGabinet version 23.12.19 and below.

Metrics

CVSS Vector: CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H
CVSS Score: 4.7

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Adjacent	Confidentiality	Low	Confidentiality	High
Attack Complexity	Low	Integrity	Low	Integrity	High
Attack Requirements	None	Availability	Low	Availability	High
Privileges Required	High
User Interaction	Passive

CVSS 4.0

Product Status

Vendor	BinSoft
Product	mpGabinet
Versions	Default: affected affected from 0 to 23.12.19 (incl.)

Vendor

BinSoft

Product

mpGabinet

Versions

Default: affected

affected from 0 to 23.12.19 (incl.)

Credits

Robert Kruczek finder
Kamil Szczurowski finder

References

Problem Types

CWE-669: Incorrect Resource Transfer Between Spheres CWE

Impacts

CAPEC-253: Remote Code Inclusion