Gmission Web Fax Vulnerability (CVE-2026-9157) Allows Remote Code Inclusion
A critical vulnerability, CVE-2026-9157, has been identified in Gmission Web Fax, stemming from improper input validation and unrestricted file upload. This flaw, rated with a CVSS score of 8.4 (HIGH) by the National Vulnerability Database, allows for Remote Code Inclusion.
According to the National Vulnerability Database, the issue specifically impacts Gmission Web Fax versions from 3.0 before 3.1. The core problem lies in the system’s failure to properly validate user inputs and its permissive handling of file uploads, enabling an attacker to upload files with dangerous types. This directly leads to the potential for remote code execution, giving an attacker significant control over the affected system.
This vulnerability, categorized under CWE-20 (Improper Input Validation) and CWE-434 (Unrestricted Upload of File with Dangerous Type), is a textbook example of how seemingly simple flaws can lead to severe consequences. Attackers can leverage this to establish persistence, exfiltrate data, or pivot deeper into a network. Defenders must prioritize patching and robust input sanitization.
What This Means For You
- If your organization uses Gmission Web Fax, specifically versions 3.0 through 3.0.9, you are directly exposed to Remote Code Inclusion. Patch immediately to version 3.1 or newer. Audit your Web Fax logs for any suspicious file uploads or unexpected activity.
Related ATT&CK Techniques
🛡️ Detection Rules
3 rules · 6 SIEM formats3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
Gmission Web Fax Unrestricted File Upload - CVE-2026-9157
title: Gmission Web Fax Unrestricted File Upload - CVE-2026-9157
id: scw-2026-05-21-ai-1
status: experimental
level: critical
description: |
Detects the specific file upload endpoint used by Gmission Web Fax when exploited for Remote Code Inclusion via CVE-2026-9157. This rule looks for POST requests to '/webfax/upload' that result in a 200 status code, indicating a successful upload, and checks for common webfax-related referer and URI patterns that are indicative of this vulnerability.
author: SCW Feed Engine (AI-generated)
date: 2026-05-21
references:
- https://shimiscyberworld.com/posts/nvd-CVE-2026-9157/
tags:
- attack.initial_access
- attack.t1190
logsource:
category: webserver
detection:
selection:
cs-uri|contains:
- '/webfax/upload'
cs-method|exact:
- 'POST'
sc-status|exact:
- '200'
selection_upload:
referer|contains:
- 'webfax'
uri|contains:
- '.php'
condition: selection AND selection_upload
falsepositives:
- Legitimate administrative activity
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-9157 | RCE | Gmission Web Fax |
| CVE-2026-9157 | RCE | Web Fax versions from 3.0 before 3.1 |
| CVE-2026-9157 | Code Injection | Improper input validation |
| CVE-2026-9157 | Code Injection | Unrestricted upload of file with dangerous type |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 21, 2026 at 12:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related coverage
CVE-2026-42396 — Insufficient Validation of Member Zone Data May Cause
CVE-2026-42396 — Insufficient Validation of Member Zone Data May Cause Catalog Zone Transfer to Fail
CVE-2026-42002 — Concurrency and locking defects in
CVE-2026-42002 — Concurrency and locking defects in GSS-TSIG
CVE-2026-42001: Autoprimary SOA Queries Vulnerability
CVE-2026-42001 — Insufficient Validation of Autoprimary SOA Queries