CVE-2026-39253

HIGH

Pivotal CRM 6.6.04.08 - Remote Code Execution via Insecure Deserialization

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-39253. PoCs published by timtimxs.

AI-analyzed exploit summary This repository contains an HTML document that appears to be a support article from Pivotal Support discussing the remediation of an insecure deserialization vulnerability (CWE-502) in Pivotal 6.6.04.08 (Smart Client / PBS). The content is informative and provides details about the vulnerability and its mitigation, but it does not include exploit code or a proof-of-concept.

Description

An issue in Pivotal CRM v.6.6.04.08 allows a remote attacker to execute arbitrary code via the Pivotal.Core.Common.dll and Pivotal.Engine.Client.Services.Conversion.dll components.

Exploits (1)

github WRITEUP
by timtimxs · htmlpoc
https://github.com/timtimxs/CVE-2026-39253-Advisory

This repository contains an HTML document that appears to be a support article from Pivotal Support discussing the remediation of an insecure deserialization vulnerability (CWE-502) in Pivotal 6.6.04.08 (Smart Client / PBS). The content is informative and provides details about the vulnerability and its mitigation, but it does not include exploit code or a proof-of-concept.

Classification
Writeup 90%
Attack Type
Deserialization
Complexity
Moderate
Reliability
Theoretical
Target: Pivotal 6.6.04.08 (Smart Client / PBS)
No auth needed
Prerequisites: Access to the support article or documentation
devstral-2 · analyzed Jun 24, 2026 Full analysis →

References (2)

Core 2

Scores

CVSS v3 8.1
EPSS 0.0080
EPSS Percentile 52.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-502
Status published
Published Jun 23, 2026
Tracked Since Jun 24, 2026