{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/pardus/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-14459"},{"cvss":8.8,"id":"CVE-2026-14460"}],"_cs_exploited":false,"_cs_has_poc":true,"_cs_poc_references":["https://sploitus.com/exploit?id=42D2AB27-0085-5020-AA75-F3E233F792A3\u0026utm_source=rss\u0026utm_medium=rss"],"_cs_products":["pardus-software (\u003c= 1.0.4)","pardus-software (\u003c 1.0.5)"],"_cs_severities":["high"],"_cs_tags":["vulnerability","argument-injection","linux","cve"],"_cs_type":"advisory","_cs_vendors":["TUBITAK BILGEM Software Technologies Research Institute","Pardus","TÜBİTAK BİLGEM"],"content_html":"\u003cp\u003eCVE-2026-14459 details an improper neutralization of argument delimiters (argument injection) vulnerability within the TUBITAK BILGEM Software Technologies Research Institute's \u003ccode\u003epardus-software\u003c/code\u003e. This critical flaw affects versions equal to or less than 1.0.4, with the patched version being 1.0.5. The vulnerability, which carries a CVSS v3.1 base score of 8.8 (High), allows a local attacker with low privileges to manipulate command arguments. By exploiting this weakness, an attacker can inject arbitrary commands, leading to unauthorized code execution and significant impact on the affected system's confidentiality, integrity, and availability. This vulnerability poses a serious risk to systems running the vulnerable software, as it can be leveraged for privilege escalation or to execute malicious payloads from an already compromised local environment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access\u003c/strong\u003e: The attacker gains low-privileged local access to a system running a vulnerable version of \u003ccode\u003epardus-software\u003c/code\u003e. This could be through a user account or another prior compromise (CVSS AV:L, PR:L).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVulnerability Discovery\u003c/strong\u003e: The attacker identifies the presence of \u003ccode\u003epardus-software\u003c/code\u003e and confirms its version is vulnerable to CVE-2026-14459.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMalicious Input Crafting\u003c/strong\u003e: The attacker crafts a specific input containing specially formatted argument delimiters and commands designed to exploit the argument injection vulnerability.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExploitation\u003c/strong\u003e: The attacker submits the crafted malicious input to \u003ccode\u003epardus-software\u003c/code\u003e via a user interface, API, or command-line interaction that processes arguments without proper sanitization.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eArgument Injection\u003c/strong\u003e: The \u003ccode\u003epardus-software\u003c/code\u003e improperly interprets the attacker's input, leading to the injection of unintended arguments into an underlying command execution function.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eArbitrary Command Execution\u003c/strong\u003e: The injected arguments result in the execution of an attacker-controlled command with the privileges of the \u003ccode\u003epardus-software\u003c/code\u003e process.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact\u003c/strong\u003e: The attacker's command executes, potentially leading to privilege escalation, arbitrary code execution, system compromise, or data manipulation and exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe exploitation of CVE-2026-14459 results in a high impact on the confidentiality, integrity, and availability of the affected system, as indicated by its CVSS v3.1 score of 8.8 (C:H/I:H/A:H). Successful exploitation allows an attacker to execute arbitrary commands, which can lead to complete system compromise, data theft, data corruption, or denial-of-service conditions. This vulnerability provides a pathway for a low-privileged local attacker to elevate their privileges or execute malicious payloads without further authentication, posing a significant risk to the overall security posture of environments running \u003ccode\u003epardus-software\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately patch \u003ccode\u003epardus-software\u003c/code\u003e to version 1.0.5 or later to mitigate CVE-2026-14459.\u003c/li\u003e\n\u003cli\u003eRestrict execution permissions for \u003ccode\u003epardus-software\u003c/code\u003e to only necessary users and contexts to limit the impact of potential local exploitation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T18:04:15Z","date_published":"2026-07-03T15:28:00Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14459-argument-injection/","summary":"A critical argument injection vulnerability (CVE-2026-14459) in TUBITAK BILGEM Software Technologies Research Institute's pardus-software versions up to 1.0.4 allows a local, low-privileged attacker to achieve unauthorized command execution, severely impacting confidentiality, integrity, and availability.","title":"CVE-2026-14459: Argument Injection Vulnerability in TUBITAK BILGEM pardus-software","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14459-argument-injection/"}],"language":"en","title":"CraftedSignal Threat Feed - Pardus","version":"https://jsonfeed.org/version/1.1"}