Skip to content
Threat Feed
high advisory PoC

CVE-2026-14459: Argument Injection Vulnerability in TUBITAK BILGEM pardus-software

A critical argument injection vulnerability (CVE-2026-14459) in TUBITAK BILGEM Software Technologies Research Institute's pardus-software versions up to 1.0.4 allows a local, low-privileged attacker to achieve unauthorized command execution, severely impacting confidentiality, integrity, and availability.

What's new

  • l2 poc_available; added CVE-2026-14460; OS pardus 25 Jul 3, 18:04 via sploitus

CVE-2026-14459 details an improper neutralization of argument delimiters (argument injection) vulnerability within the TUBITAK BILGEM Software Technologies Research Institute's pardus-software. This critical flaw affects versions equal to or less than 1.0.4, with the patched version being 1.0.5. The vulnerability, which carries a CVSS v3.1 base score of 8.8 (High), allows a local attacker with low privileges to manipulate command arguments. By exploiting this weakness, an attacker can inject arbitrary commands, leading to unauthorized code execution and significant impact on the affected system's confidentiality, integrity, and availability. This vulnerability poses a serious risk to systems running the vulnerable software, as it can be leveraged for privilege escalation or to execute malicious payloads from an already compromised local environment.

Attack Chain

  1. Initial Access: The attacker gains low-privileged local access to a system running a vulnerable version of pardus-software. This could be through a user account or another prior compromise (CVSS AV:L, PR:L).
  2. Vulnerability Discovery: The attacker identifies the presence of pardus-software and confirms its version is vulnerable to CVE-2026-14459.
  3. Malicious Input Crafting: The attacker crafts a specific input containing specially formatted argument delimiters and commands designed to exploit the argument injection vulnerability.
  4. Exploitation: The attacker submits the crafted malicious input to pardus-software via a user interface, API, or command-line interaction that processes arguments without proper sanitization.
  5. Argument Injection: The pardus-software improperly interprets the attacker's input, leading to the injection of unintended arguments into an underlying command execution function.
  6. Arbitrary Command Execution: The injected arguments result in the execution of an attacker-controlled command with the privileges of the pardus-software process.
  7. Impact: The attacker's command executes, potentially leading to privilege escalation, arbitrary code execution, system compromise, or data manipulation and exfiltration.

Impact

The exploitation of CVE-2026-14459 results in a high impact on the confidentiality, integrity, and availability of the affected system, as indicated by its CVSS v3.1 score of 8.8 (C:H/I:H/A:H). Successful exploitation allows an attacker to execute arbitrary commands, which can lead to complete system compromise, data theft, data corruption, or denial-of-service conditions. This vulnerability provides a pathway for a low-privileged local attacker to elevate their privileges or execute malicious payloads without further authentication, posing a significant risk to the overall security posture of environments running pardus-software.

Recommendation

  • Immediately patch pardus-software to version 1.0.5 or later to mitigate CVE-2026-14459.
  • Restrict execution permissions for pardus-software to only necessary users and contexts to limit the impact of potential local exploitation.

Indicators of compromise

1

hash_sha256

1

url

TypeValue
urlhttps://sploitus.com/exploit?id=42D2AB27-0085-5020-AA75-F3E233F72A3
hash_sha2561d3f4c19affdb377ac5eee4c695619e9f6a4590350c3936678eb1db2cf601255