
Description

Fortra BoKS Manager contains an OS command injection vulnerability in the client upgrade and patch tooling for legacy tar-based client installations. A malicious or compromised legacy tar-installed client selected for upgrade or patching may be able to cause commands to be executed on the BoKS Master during client version handling.

PUBLISHED Reserved 2026-05-28 | Published 2026-06-15 | Updated 2026-06-15 | Assigner Fortra




HIGH: 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Problem types

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Product status

Default status: unaffected

boks-server 8.1.0.0 (custom): affected

boks-server 9.0.0.0 (custom): affected

Timeline

2026-06-01: Issue validated and fixes prepared for BOKS-900 and BOKS81-hotfix branches.

Credits

Fortra internal security assessment finder

References

www.fortra.com/...ty/advisories/product-security/fi-2026-008 vendor-advisory

cve.org (CVE-2026-9863)

nvd.nist.gov (CVE-2026-9863)
