What is CVE-2026-39907?

CVE-2026-39907 is a critical-severity vulnerability in Unisys Webperfect Image Suite, classified under External Control of File Name or Path. CVSS score: 10.0/10. Published 2026-04-14.

How severe is CVE-2026-39907?

Critical severity. CVSS v3 base score is 10.0 out of 10.

Vulnerability in Unisys Webperfect Image Suite

CVE-2026-39907

Unisys WebPerfect Image Suite versions 3.0.3960.22810 and 3.0.3960.22604 expose an unauthenticated WCF SOAP endpoint on TCP port 1208 that accepts unsanitized file paths in the ReadLicense action's LFName parameter, allowing remote attacke…

EPSS: 0.010 (77.8th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 10.0 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H.

Affected products

Unisys Webperfect Image Suite — versions 3.0.3960.22810, 3.0.3960.22604
Unisys Webperfect_image_suite — versions 3.0.3960.22604, 3.0.3960.22810

Weakness classification (CWE)

CWE-73 — External Control of File Name or Path

References

disclosure@vulncheck.com (Exploit, technical-description, Third Party Advisory, exploit)
disclosure@vulncheck.com (Product, product)
disclosure@vulncheck.com (Third Party Advisory, third-party-advisory)

Frequently asked questions

What is CVE-2026-39907?: CVE-2026-39907 is a critical-severity vulnerability in Unisys Webperfect Image Suite, classified under External Control of File Name or Path. CVSS score: 10.0/10. Published 2026-04-14.
How severe is CVE-2026-39907?: Critical severity. CVSS v3 base score is 10.0 out of 10.