CVE-2026-9863 HIGH

CVE-2026-9863: Core Privileged Access Manager (BoKS) upgrade tooling command injection vulnerability

Vendor Fortra
Product Core Privileged Access Manager (BoKS)
Weakness CWE-78
Published June 15, 2026
Last update June 15, 2026

CVSS base score

7.5/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

Fortra BoKS Manager contains an OS command injection vulnerability in the client upgrade and patch tooling for legacy tar-based client installations. A malicious or compromised legacy tar-installed client selected for upgrade or patching may be able to cause commands to be executed on the BoKS Master during client version handling.

Key dates

02 Disclosure timeline

June 15, 2026 CVE published
June 15, 2026 Record updated