CVE-2026-26221

CRITICAL

Hyland OnBase - Unauthenticated RCE

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-26221. PoCs published by XiaomingX, mbanyamer.

AI-analyzed exploit summary This repository contains a functional SQL injection exploit for WordPress Quiz Maker (CVE-2025-10042), demonstrating time-based blind SQLi via crafted HTTP headers. The PoC includes automated data extraction for admin credentials and password hashes.

Description

Hyland OnBase contains an unauthenticated .NET Remoting exposure in the OnBase Workflow Timer Service (Hyland.Core.Workflow.NTService.exe). An attacker who can reach the service can send crafted .NET Remoting requests to default HTTP channel endpoints on TCP/8900 (e.g., TimerServiceAPI.rem and TimerServiceEvents.rem for Workflow) to trigger unsafe object unmarshalling, enabling arbitrary file read/write. By writing attacker-controlled content into web-accessible locations or chaining with other OnBase features, this can lead to remote code execution. The same primitive can be abused by supplying a UNC path to coerce outbound NTLM authentication (SMB coercion) to an attacker-controlled host.

Exploits (2)

github WORKING POC 10 stars

by XiaomingX · pythonpoc

https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-26221

View Code ZIP pw:eip

This repository contains a functional SQL injection exploit for WordPress Quiz Maker (CVE-2025-10042), demonstrating time-based blind SQLi via crafted HTTP headers. The PoC includes automated data extraction for admin credentials and password hashes.

Classification

Working Poc 95%

Attack Type

Sqli

Complexity

Moderate

Reliability

Reliable

Target: WordPress Quiz Maker <= 6.7.0.56

No auth needed

Prerequisites: target WordPress URL · path to quiz page · vulnerable header (default: X-Forwarded-For)

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 27, 2026 Full analysis →

github WORKING POC

by mbanyamer · pythonpoc

https://github.com/mbanyamer/CVE-2026-26221-Hyland-OnBase-Timer-Service-Unauthenticated-RCE

View Code ZIP pw:eip

This repository contains a functional Python-based exploit for CVE-2026-26221, targeting an unauthenticated .NET Remoting deserialization vulnerability in Hyland OnBase Timer Service. The exploit leverages ysoserial.net to generate a BinaryFormatter payload, which is sent to the target service to achieve remote code execution as NT AUTHORITY\SYSTEM.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Hyland OnBase Timer Service (versions prior to patched releases ~2025-2026)

No auth needed

Prerequisites: Python 3 · requests library · ysoserial.net · netcat listener · Windows payload generation environment

MITRE ATT&CK

T1189 - Drive-by Compromise T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (3)

Core 3

Core References

Various Sources product

https://www.hyland.com/en/solutions/products/onbase

Various Sources vendor-advisory mitigation permissions-required

https://community.hyland.com/resources/bulletins-and-notices/223223-security-update-onbase-workflow-timer-service-bulletin-ob2025-03

Third Party Advisory third-party-advisory

https://www.vulncheck.com/advisories/hyland-onbase-timer-services-unauthenticated-net-remoting-rce

Scores

CVSS v3 9.8

EPSS 0.0112

EPSS Percentile 61.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-502

Status published

Products (3)

Hyland/OnBase Workflow Timer Service 8.0 - 17.0.*

Hyland/OnBase Workflow Timer Service 8.0 - 17.0.0

Hyland/OnBase Workflow Timer Service 8.0 - 17.0.x

Published Feb 13, 2026

Tracked Since Feb 18, 2026