Is CVE-2020-26217 actively exploited?

CVE-2020-26217 has no public evidence of in-the-wild exploitation as of 2025-05-23.

What is the CVSS score for CVE-2020-26217?

CVE-2020-26217 has a CVSS score of 8 (HIGH severity). Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H.

How do I patch CVE-2020-26217?

Patch guidance is available from xstream security advisories. CVEDatabase generates AI-assisted remediation guidance on demand for CVE-2020-26217.

Fix CVE-2020-26217 - HIGH xstream xstream

Q: Which products are affected by CVE-2020-26217?

37 products: xstream xstream, debian debian linux, debian debian linux, netapp snapmanager, netapp snapmanager, and 32 more.

Description

XStream before version 1.4.14 is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who rely on blocklists are affected. Anyone using XStream's Security Framework allowlist is not affected. The linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed in version 1.4.14.

CVSS Metrics

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
Attack Vector: network
Complexity: high
Privileges: low
User Action: required
Scope: changed
Confidentiality: high
Integrity: high
Availability: high
Weaknesses: CWE-78 · OS Command Injection CWE-78 · OS Command Injection

Metadata

Primary Vendor: XSTREAM
Published: 11/16/2020
Last Modified: 5/23/2025
Source: NIST NVD
Note: Verify all details with official vendor sources before applying patches.

Affected Products

xstream : xstreamdebian : debian_linuxdebian : debian_linuxnetapp : snapmanagernetapp : snapmanagerapache : activemqapache : activemqoracle : banking_cash_managementoracle : banking_cash_managementoracle : banking_cash_managementoracle : banking_corporate_lending_process_managementoracle : banking_corporate_lending_process_managementoracle : banking_corporate_lending_process_managementoracle : banking_credit_facilities_process_managementoracle : banking_credit_facilities_process_managementoracle : banking_credit_facilities_process_managementoracle : banking_platformoracle : banking_platformoracle : banking_platformoracle : banking_supply_chain_financeoracle : banking_supply_chain_financeoracle : banking_supply_chain_financeoracle : banking_trade_finance_process_managementoracle : banking_trade_finance_process_managementoracle : banking_trade_finance_process_managementoracle : banking_virtual_account_managementoracle : banking_virtual_account_managementoracle : banking_virtual_account_managementoracle : business_activity_monitoringoracle : business_activity_monitoringoracle : business_activity_monitoringoracle : communications_policy_managementoracle : endeca_information_discovery_studiooracle : retail_xstore_point_of_serviceoracle : retail_xstore_point_of_serviceoracle : retail_xstore_point_of_serviceoracle : retail_xstore_point_of_service

Remediation Guidance

Executive Summary

View on NIST NVD