CVE-2026-26222 · CRITICAL 9.8 · EPSS p49.7%

Description

Altec DocLink (now maintained by Beyond Limits Inc.) version 4.0.336.0 exposes insecure .NET Remoting endpoints over TCP and HTTP/SOAP via Altec.RDCHostService.exe using the ObjectURI "doclinkServer.soap". The service does not require authentication and is vulnerable to unsafe object unmarshalling, allowing remote attackers to read arbitrary files from the underlying system by specifying local file paths. Additionally, attackers can coerce SMB authentication via UNC paths and write arbitrary files to server locations. Because writable paths may be web-accessible under IIS, this can result in unauthenticated remote code execution or denial of service through file overwrite.

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.74% probability of exploitation · percentile 49.7% · 2026-06-18T12:00:27Z
Published: 2026-02-24
Last modified: 2026-02-27

Underlying weaknesses · 2

CWE-502, CWE-918

References

  1. https://doclinkai.com/
  2. https://www.vulncheck.com/advisories/doclink-net-remoting-unauthenticated-arbitrary-file-read-write-rce

Type | Target | Confidence | Tier
Weakness | Deserialization of Untrusted Data (cwe-502) | 0% | live
Weakness | Server-Side Request Forgery (SSRF) (cwe-918) | 0% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE-2026-26333
CVE-2025-58384
CVE-2025-21298
CVE-2025-48817
CVE-2026-21404
CVE-2026-26221

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.