CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad

CVE-2025-26074

OmniSync's Diagnostic Disaster: A Trivial Command Injection for the Modern Age

Amit Schendel
Amit Schendel
Senior Security Researcher

Jan 1, 2026·10 min read·72 visits

Executive Summary (TL;DR)

A high-impact, unauthenticated RCE in OmniSync Data Orchestrator's diagnostics API. Attackers can execute shell commands by simply crafting a malicious 'hostname' in a request to the '/api/v1/diagnostics/ping' endpoint. Patch immediately or face the consequences.

A critical OS command injection vulnerability exists in the diagnostics API endpoint of OmniSync Data Orchestrator versions 3.0.0 through 3.5.1. An unauthenticated remote attacker can inject arbitrary shell commands by manipulating the 'hostname' parameter of the '/api/v1/diagnostics/ping' endpoint. The vulnerability stems from the direct concatenation of user-supplied input into a string that is later executed by the system shell, leading to Remote Code Execution (RCE) with the privileges of the OmniSync service account.

Official Patches

OmniSync Inc.Official vendor advisory and patch information for CVE-2025-26074.

Technical Appendix

CVSS Score
9.8/ 10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Probability
95.80%
Top 4% most exploited

Affected Systems

OmniSync Data Orchestrator

Affected Versions Detail

Product
Affected Versions
Fixed Version
OmniSync Data Orchestrator
OmniSync Inc.
>= 3.0.0, <= 3.5.13.5.2
AttributeDetail
CWE IDCWE-78
CWE NameImproper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Attack VectorNetwork
Attack ComplexityLow
Privileges RequiredNone
User InteractionNone
CVSS v3.1 Score9.8 (Critical)
Exploit StatusWeaponized

MITRE ATT&CK Mapping

T1190Exploit Public-Facing Application
Initial Access
T1059.004Command and Scripting Interpreter: Unix Shell
Execution
CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Known Exploits & Detection

GitHubA fully weaponized Python exploit that provides an interactive shell.
Metasploit FrameworkOfficial Metasploit module for CVE-2025-26074.

Vulnerability Timeline

Vulnerability discovered by an independent security researcher.
2025-03-15
Vendor (OmniSync Inc.) notified via responsible disclosure program.
2025-03-16
Vendor confirms the vulnerability and begins work on a patch.
2025-04-10
OmniSync releases version 3.5.2 with the patch.
2025-05-20
Coordinated public disclosure and CVE-2025-26074 is published.
2025-06-05
Proof-of-concept exploit code published on GitHub.
2025-06-07

References & Sources

  • [1]NVD Entry for CVE-2025-26074
  • [2]Initial vulnerability disclosure report on HackerOne (redacted)
  • [3]Blog Post: OmniSync RCE for Fun and Profit - A Technical Writeup

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•about 1 hour ago•CVE-2026-48788
8.2

CVE-2026-48788: Cross-Site Scripting and Content-Type Spoofing in Remark42 Image Proxy

A critical-severity Cross-Site Scripting (XSS) and Content-Type spoofing vulnerability in Remark42 (versions 1.6.0 through 1.15.0) allows remote attackers to execute arbitrary client-side script code via a crafted image proxy request.

Alon Barad
Alon Barad
3 views•6 min read
•about 4 hours ago•CVE-2026-53462
5.9

CVE-2026-53462: Heap Use-After-Free Vulnerability in ImageMagick Vector Drawing Subsystem

CVE-2026-53462 is a heap Use-After-Free (UAF) vulnerability in ImageMagick's vector drawing subsystem, specifically within the coordinate allocation mechanism in CheckPrimitiveExtent. By parsing a crafted vector image (such as SVG or MVG) with extremely complex primitives, an attacker can trigger a memory reallocation failure. If the application fails to handle this allocation failure cleanly, it leaves a dangling pointer that can subsequently be accessed or freed again, causing memory corruption or an application crash.

Alon Barad
Alon Barad
5 views•7 min read
•about 7 hours ago•CVE-2026-39832
9.1

CVE-2026-39832: Silent Drop of Destination Constraints in golang.org/x/crypto SSH Agent Client

A critical security flaw was identified in the Go package golang.org/x/crypto/ssh/agent. The vulnerability arises during the serialization of key constraints when adding SSH identities to a remote agent or an in-memory keyring. Specifically, custom constraint extensions, such as destination restrictions like restrict-destination-v00@openssh.com, were silently omitted from serialization in client requests. This omission allowed keys to be loaded into the remote agent with zero destination-based restrictions, enabling unauthorized users with access to the agent socket on intermediate hosts to authenticate to any downstream host without policy enforcement. The issue was resolved in version v0.52.0 of the golang.org/x/crypto library.

Amit Schendel
Amit Schendel
7 views•7 min read
•about 7 hours ago•CVE-2026-46597
7.5

CVE-2026-46597: Remote Denial of Service in golang.org/x/crypto/ssh via AES-GCM Padding Integer Overflow

A high-severity Denial of Service (DoS) vulnerability (CVE-2026-46597 / GO-2026-5013) exists in the golang.org/x/crypto/ssh module before version v0.52.0. The flaw stems from an incorrect operator order during a type conversion of the GCM packet padding size, allowing a remote, unauthenticated attacker to trigger an out-of-bounds slice runtime panic and crash the Go process.

Alon Barad
Alon Barad
5 views•7 min read
•about 11 hours ago•CVE-2026-39828
6.3

CVE-2026-39828: Go SSH Server PartialSuccessError Permissions Discard Bypass

A critical security bypass vulnerability was discovered in the Go SSH server implementation within the golang.org/x/crypto/ssh package. When an SSH server authentication callback returned a PartialSuccessError alongside non-nil Permissions, the server silently discarded these permissions before the subsequent authentication step. Consequently, once the user completed the second-factor authentication, the session-level restrictions were dropped, granting the client unauthorized capabilities.

Amit Schendel
Amit Schendel
5 views•7 min read
•about 12 hours ago•CVE-2026-39835
5.3

CVE-2026-39835: Remote Denial of Service via Null Pointer Dereference in Go SSH CertChecker

A Denial of Service (DoS) vulnerability exists in the Go SSH implementation package (golang.org/x/crypto/ssh). The vulnerability is caused by a null pointer dereference (runtime panic) when CertChecker is utilized as a public key callback but its validation fields, IsUserAuthority or IsHostAuthority, are uninitialized.

Amit Schendel
Amit Schendel
10 views•7 min read