CVE-2026-10538
HighCVSS 8.0Exploitation Probability (EPSS)
Low risk16th percentile — higher than 16% of all known CVEs
Summary
A vulnerability in the messaging consumer functionality of unsupported Control-M/Server and Control-M/Enterprise Manager versions 9.0.20.x and earlier allows deserialization of user-controlled data without sufficient restriction of allowed object types. This may allow an authenticated attacker to trigger unintended server-side behavior through crafted serialized content.
Risk Assessment
The risk involves potential remote code execution or other unauthorized actions on the server by an authenticated attacker, which could compromise the confidentiality, integrity, or availability of the system.
Recommendation
Immediately upgrade Control-M/Server and Control-M/Enterprise Manager to a supported version that includes a fix for untrusted data deserialization.
Original NVD description (English source)
Messaging consumer functionality allows deserialization of user-controlled data without sufficient restriction of allowed object types in the out of support Control-M/Server and Control-M/Enterprise Manager versions 9.0.20.x and potentially earlier. This issue may allow an authenticated attacker to trigger unintended server-side behavior through crafted serialized content.

