Hyland

By the Year

In 2026 there have been 5 vulnerabilities in Hyland with an average score of 8.8 out of ten. Last year, in 2025 Hyland had 1 security vulnerability published. That is, 4 more vulnerabilities have already been reported in 2026 as compared to last year.

Recent Hyland Security Vulnerabilities

CVE	Date	Vulnerability	Products
CVE-2026-26339	Feb 19, 2026	Alfresco TS RCE via Arg Inject Hyland Alfresco Transformation Service allows unauthenticated attackers to achieve remote code execution through the argument injection vulnerability, which exists in the document processing functionality.
CVE-2026-26338	Feb 19, 2026	SSRF via Document Processing in Hyland Alfresco Transformation Service Hyland Alfresco Transformation Service allows unauthenticated attackers to achieve server-side request forgery (SSRF) through the document processing functionality.
CVE-2026-26337	Feb 19, 2026	Hyland Alfresco TSL Unauth Path Traversal Enables AR & SSRF Hyland Alfresco Transformation Service allows unauthenticated attackers to achieve both arbitrary file read and server-side request forgery through the absolute path traversal.
CVE-2026-26336	Feb 19, 2026	Alfresco Unauth File Disclosure via /share/page/resource/ Hyland Alfresco allows unauthenticated attackers to read arbitrary files from protected directories (like WEB-INF) via the "/share/page/resource/" endpoint, thus leading to the disclosure of sensitive configuration files.	Alfresco Content Services
CVE-2026-26221	Feb 13, 2026	Hyland OnBase Workflow Timer Service .NET Remoting ACE Hyland OnBase contains an unauthenticated .NET Remoting exposure in the OnBase Workflow Timer Service (Hyland.Core.Workflow.NTService.exe). An attacker who can reach the service can send crafted .NET Remoting requests to default HTTP channel endpoints on TCP/8900 (e.g., TimerServiceAPI.rem and TimerServiceEvents.rem for Workflow) to trigger unsafe object unmarshalling, enabling arbitrary file read/write. By writing attacker-controlled content into web-accessible locations or chaining with other OnBase features, this can lead to remote code execution. The same primitive can be abused by supplying a UNC path to coerce outbound NTLM authentication (SMB coercion) to an attacker-controlled host.	Onbase
CVE-2025-34153	Aug 13, 2025	OnBase 17.0.2.87 RCE via .NET BinaryFormatter Deserialization Hyland OnBase versions prior to 17.0.2.87 (other versions may be affected) are vulnerable to unauthenticated remote code execution via insecure deserialization on the .NET Remoting TCP channel. The service registers a listener on port 6031 with the URI endpoint TimerServer, implemented in Hyland.Core.Timers.dll. This endpoint deserializes untrusted input using the .NET BinaryFormatter, allowing attackers to execute arbitrary code under the context of NT AUTHORITY\SYSTEM.	Onbase
CVE-2024-40347	Jul 20, 2024	XSS via htmlid param in Hyland Alfresco 23.2.1-r96 A reflected cross-site scripting (XSS) vulnerability in Hyland Alfresco Platform 23.2.1-r96 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload into the parameter htmlid.	Alfresco Content Services
CVE-2023-49964	Dec 11, 2023	Alfresco CE 7.2.0 SSTI via folder.get.html.ftl RCE An issue was discovered in Hyland Alfresco Community Edition through 7.2.0. By inserting malicious content in the folder.get.html.ftl file, an attacker may perform SSTI (Server-Side Template Injection) attacks, which can leverage FreeMarker exposed objects to bypass restrictions and achieve RCE (Remote Code Execution). NOTE: this issue exists because of an incomplete fix for CVE-2020-12873.	Alfresco Content Services
CVE-2021-32828	Jan 05, 2023	Nuxeo Platform 11.5.109: oauth2 REST API Reflected XSS RCE The Nuxeo Platform is an open source content management platform for building business applications. In version 11.5.109, the `oauth2` REST API is vulnerable to Reflected Cross-Site Scripting (XSS). This XSS can be escalated to Remote Code Execution (RCE) by levering the automation API.	Nuxeo
CVE-2022-23342	Jun 21, 2022	The Hyland Onbase Application Server releases prior to 20.3.58.1000 and OnBase releases 21.1.1.1000 through 21.1.15.1000 are vulnerable to a username enumeration vulnerability The Hyland Onbase Application Server releases prior to 20.3.58.1000 and OnBase releases 21.1.1.1000 through 21.1.15.1000 are vulnerable to a username enumeration vulnerability. An attacker can obtain valid users based on the response returned for invalid and valid users by sending a POST login request to the /mobilebroker/ServiceToBroker.svc/Json/Connect endpoint. This can lead to user enumeration against the underlying Active Directory integrated systems.	Onbase
CVE-2020-25253	Sep 11, 2020	An issue was discovered in Hyland OnBase 16.0.2.83 and below An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. It allows SQL injection, as demonstrated by the TableName, ColumnName, Name, UserId, or Password parameter.	Onbase
CVE-2020-25247	Sep 11, 2020	An issue was discovered in Hyland OnBase through 18.0.0.32 and 19.x through 19.8.9.1000 An issue was discovered in Hyland OnBase through 18.0.0.32 and 19.x through 19.8.9.1000. Directory traversal exists for writing to files, as demonstrated by the FileName parameter.	Onbase
CVE-2020-25248	Sep 11, 2020	An issue was discovered in Hyland OnBase through 16.0.2.83 and below An issue was discovered in Hyland OnBase through 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. Directory traversal exists for reading files, as demonstrated by the FileName parameter.	Onbase
CVE-2020-25249	Sep 11, 2020	An issue was discovered in Hyland OnBase 16.0.2.83 and below An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. The server typically logs activity only when a client application specifies that logging is desired. This can be problematic for use cases in a regulated industry, where server-side logging is required in additional situations.	Onbase
CVE-2020-25250	Sep 11, 2020	An issue was discovered in Hyland OnBase 16.0.2.83 and below An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. Client applications can write arbitrary data to the server logs.	Onbase
CVE-2020-25251	Sep 11, 2020	An issue was discovered in Hyland OnBase 16.0.2.83 and below An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. Client-side authentication is used for critical functions such as adding users or retrieving sensitive information.	Onbase
CVE-2020-25252	Sep 11, 2020	An issue was discovered in Hyland OnBase through 16.0.2.83 and below An issue was discovered in Hyland OnBase through 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. CSRF can be used to log in a user, and then perform actions, because there are default credentials (the wstinol password for the manager or hsi account).	Onbase
CVE-2020-25254	Sep 11, 2020	An issue was discovered in Hyland OnBase 16.0.2.83 and below An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. It allows SQL injection, as demonstrated by TestConnection_LocalOrLinkedServer, CreateFilterFriendlyView, or AddWorkViewLinkedServer.	Onbase
CVE-2020-25255	Sep 11, 2020	An issue was discovered in Hyland OnBase 16.0.2.83 and below An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. It allows remote attackers to cause a denial of service (outage of connection-request processing) via a long user ID, which triggers an exception and a large log entry.	Onbase
CVE-2020-25256	Sep 11, 2020	An issue was discovered in Hyland OnBase 16.0.2.83 and below An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. PKI certificates have a private key that is the same across different customers' installations.	Onbase
CVE-2020-25257	Sep 11, 2020	An issue was discovered in Hyland OnBase 16.0.2.83 and below An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. It allows XXE attacks for read/write access to arbitrary files.	Onbase
CVE-2020-25258	Sep 11, 2020	An issue was discovered in Hyland OnBase 16.0.2.83 and below An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. It uses ASP.NET BinaryFormatter.Deserialize in a manner that allows attackers to transmit and execute bytecode in SOAP messages.	Onbase
CVE-2020-25259	Sep 11, 2020	An issue was discovered in Hyland OnBase 16.0.2.83 and below An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. It uses XML deserialization libraries in an unsafe manner.	Onbase
CVE-2020-25260	Sep 11, 2020	An issue was discovered in Hyland OnBase 16.0.2.83 and below An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. It allows remote attackers to execute arbitrary code because of unsafe JSON deserialization.	Onbase
CVE-2018-19629	Jul 16, 2019	A Denial of Service vulnerability in the ImageNow Server service in Hyland Perceptive Content Server before 7.1.5 A Denial of Service vulnerability in the ImageNow Server service in Hyland Perceptive Content Server before 7.1.5 allows an attacker to crash the service via a TCP connection.	Perceptive Content Server
CVE-2018-3844	Apr 26, 2018	In Hyland Perceptive Document Filters 11.4.0.2647 - x86/x64 Windows/Linux, a crafted DOCX document In Hyland Perceptive Document Filters 11.4.0.2647 - x86/x64 Windows/Linux, a crafted DOCX document can lead to a use-after-free resulting in direct code execution.	Perceptive Document Filters
CVE-2018-3855	Apr 26, 2018	In Hyland Perceptive Document Filters 11.4.0.2647 - x86/x64 Windows/Linux, a crafted OpenDocument document In Hyland Perceptive Document Filters 11.4.0.2647 - x86/x64 Windows/Linux, a crafted OpenDocument document can lead to a SkCanvas object double free resulting in direct code execution.	Perceptive Document Filters
CVE-2018-3851	Apr 26, 2018	In Hyland Perceptive Document Filters 11.4.0.2647 - x86/x64 Windows/Linux In Hyland Perceptive Document Filters 11.4.0.2647 - x86/x64 Windows/Linux, an exploitable stack-based buffer overflow exists in the DOC-to-HTML conversion functionality of the Hyland Perceptive Document Filters version 11.4.0.2647. A crafted .doc document can lead to a stack-based buffer, resulting in direct code execution.	Perceptive Document Filters
CVE-2018-3845	Apr 26, 2018	In Hyland Perceptive Document Filters 11.4.0.2647 - x86/x64 Windows/Linux, a crafted OpenDocument document In Hyland Perceptive Document Filters 11.4.0.2647 - x86/x64 Windows/Linux, a crafted OpenDocument document can lead to a SkCanvas object double free resulting in direct code execution.	Perceptive Document Filters
CVE-2018-6293	Feb 13, 2018	Arbitrary File Read in Saperion Web Client version 7.5.2 83166. Arbitrary File Read in Saperion Web Client version 7.5.2 83166.	Saperion Web Client
CVE-2018-6292	Feb 13, 2018	Remote Code Execution in Saperion Web Client version 7.5.2 83166. Remote Code Execution in Saperion Web Client version 7.5.2 83166.	Saperion Web Client