High severity8.8NVD Advisory· Published Apr 10, 2026· Updated Apr 27, 2026

CVE-2026-23780

Description

An issue was discovered in BMC Control-M/MFT 9.0.20 through 9.0.22. A SQL injection vulnerability in the MFT API's debug interface allows an authenticated attacker to inject malicious queries due to improper input validation and unsafe dynamic SQL handling. Successful exploitation can enable arbitrary file read/write operations and potentially lead to remote code execution.

Affected products

BMC Software/Control M\/managed File Transfer
cpe:2.3:a:bmc:control-m\/managed_file_transfer:*:*:*:*:*:*:*:*
Range: >=9.0.20,<=9.0.22

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

docs.bmc.com/xwiki/bin/view/Control-M-Orchestration/Control-M/ctm9022/Patches/Control-M-MFT-PAAFP-9-0-22-025/nvdPatch
www.bmc.com/support/resources/issue-defect-management.htmlnvdVendor Advisory

News mentions

No linked articles in our index yet.

cvss	0.572
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000