Remote Command Execution Vulnerability in mpGabinet by mpGabinet
CVE-2026-40552

4.7 MEDIUM

Key Information:

Vendor

Binsoft

Status
Vendor
CVE Published:
28 April 2026

What is CVE-2026-40552?

mpGabinet is susceptible to a Remote Command Execution vulnerability that lets authenticated users with backend database access execute system commands. The attacker either uploads an attachment and alters its storage path to reference a remote resource under the attacker's control, or modifies the reference of a previously uploaded file; the vulnerability is triggered when the attachment is processed. It can also be chained with other vulnerabilities to gain unauthorized database access and account login capabilities, making it a significant security risk.

Affected Version(s)

mpGabinet 0 <= 23.12.19

References

CVSS V4

Score:
4.7
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Adjacent Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Robert Kruczek
Kamil Szczurowski