CVE Catalog

CVE-2026-10538

HighCVSS 8.0
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.25%

16th percentile — higher than 16% of all known CVEs

Summary

A vulnerability in the messaging consumer functionality of unsupported Control-M/Server and Control-M/Enterprise Manager versions 9.0.20.x and earlier allows deserialization of user-controlled data without sufficient restriction of allowed object types. This may allow an authenticated attacker to trigger unintended server-side behavior through crafted serialized content.

Risk Assessment

The risk involves potential remote code execution or other unauthorized actions on the server by an authenticated attacker, which could compromise the confidentiality, integrity, or availability of the system.

Recommendation

Immediately upgrade Control-M/Server and Control-M/Enterprise Manager to a supported version that includes a fix for untrusted data deserialization.

Original NVD description (English source)

Messaging consumer functionality allows deserialization of user-controlled data without sufficient restriction of allowed object types in the out of support Control-M/Server and Control-M/Enterprise Manager versions 9.0.20.x and potentially earlier. This issue may allow an authenticated attacker to trigger unintended server-side behavior through crafted serialized content.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS