OS Command Injection Vulnerability in Fortra BoKS Manager
CVE-2026-9863

7.5 HIGH

Key Information:

Vendor

Fortra

CVE Published:
15 June 2026

What is CVE-2026-9863?

Fortra BoKS Manager contains an OS command injection flaw in the client upgrade and patching mechanisms used for legacy tar-based client installations. Input originating from the client being upgraded or patched is not safely handled before it is used in an OS command on the BoKS Master, so a compromised legacy tar-installed client can use the upgrade or patch process to execute arbitrary commands on the Master. The trust relationship is inverted: the central server ends up executing commands shaped by the endpoint it is servicing. Legacy tar-based client installations should therefore be inventoried and migrated or retired, and the upgrade and patching path should be treated as attack surface on the Master rather than as a trusted administrative channel.
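The class of bug described above, as an added example that is not Fortra's code and not the affected BoKS code path: a Master-side handler that splices a value reported by the client being upgraded (here a hypothetical version string) into a shell command line, next to a hardened form that allowlists the value and passes it as a single argv element with no shell. The staging command is stood in for by `printf` so the example runs anywhere; the payload only runs `echo`. Field name, command and payload are all constructed for illustration.

```python
import re
import shlex
import subprocess

# Constructed sample input for illustration. The field (a client-reported version
# string), the staging command and the payload are hypothetical; this page does not
# show the real BoKS upgrade protocol or the affected code path.
STAGE_COMMAND = "printf %s"                  # stands in for a Master-side staging script
BENIGN_VERSION = "8.1.0.0"                    # what an honest legacy client reports
HOSTILE_VERSION = "8.1.0.0; echo INJECTED"    # what a compromised client could report

# Strict allowlist for the only shape the value may have: four dotted integers.
VERSION_RE = re.compile(r"\d+(\.\d+){3}")

# POSIX shell control operators; any of these in the parsed line means the
# client-supplied value changed the command structure rather than one argument.
SHELL_CONTROL = {";", "&", "&&", "|", "||", "<", ">", ">>", "(", ")"}


def vulnerable_stage(client_version: str) -> str:
    """Injectable pattern: the client-supplied value is spliced into a command line
    that /bin/sh then parses, so shell metacharacters in it become new commands."""
    cmdline = f"{STAGE_COMMAND} {client_version}"
    result = subprocess.run(cmdline, shell=True, capture_output=True, text=True)
    return result.stdout


def shell_control_tokens(cmdline: str) -> list[str]:
    """Tokenise a command line the way a POSIX shell would and return the control
    operators it contains. Useful as a pre-execution check on a legacy code path
    that cannot yet be rewritten to avoid the shell."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return [tok for tok in lexer if tok in SHELL_CONTROL]


def hardened_stage(client_version: str) -> str:
    """Hardened form: validate against the allowlist, then pass the value as one argv
    element with shell=False so no shell ever parses it."""
    if not VERSION_RE.fullmatch(client_version):
        raise ValueError(f"rejected client-supplied version: {client_version!r}")
    argv = [*shlex.split(STAGE_COMMAND), client_version]
    result = subprocess.run(argv, shell=False, capture_output=True, text=True, check=True)
    return result.stdout


def hardened_rejects(client_version: str) -> bool:
    """True if the hardened path refuses the value before running anything."""
    try:
        hardened_stage(client_version)
    except ValueError:
        return True
    return False


def argv_is_literal(value: str) -> bool:
    """Defence in depth: even with no validation at all, an argv list delivers the
    value to the child process as exactly one argument, metacharacters included."""
    result = subprocess.run(["printf", "%s", value], capture_output=True, text=True, check=True)
    return result.stdout == value


if __name__ == "__main__":
    print("vulnerable, benign :", repr(vulnerable_stage(BENIGN_VERSION)))
    print("vulnerable, hostile:", repr(vulnerable_stage(HOSTILE_VERSION)))
    print("control tokens     :", shell_control_tokens(f"{STAGE_COMMAND} {HOSTILE_VERSION}"))
    print("hardened, benign   :", repr(hardened_stage(BENIGN_VERSION)))
    print("hardened, hostile  :", "rejected" if hardened_rejects(HOSTILE_VERSION) else "ran")
    print("argv literal       :", argv_is_literal(HOSTILE_VERSION))
```

The two defences are independent: the allowlist rejects anything that is not a version string, and the argv form guarantees that whatever does get through is data, never command structure. When auditing an upgrade or patch handler, the question to ask is simply whether any byte that came from the client can reach a shell; if it can, the handler is injectable regardless of how the value is named.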

Affected Version(s)

Core Privileged Access Manager (BoKS) boks-server 8.1.0.0

Core Privileged Access Manager (BoKS) boks-server 9.0.0.0


CVSS V3.1

Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Fortra internal security assessment.