CVE-2026-26337: Absolute Path Traversal (Arbitrary File Read + SSRF) - Impact: Arbitrary file read and server-side request forgery (SSRF) - Affected Components: Alfresco Transform Service (ATS), Alfresco Transform Core / Transform Core AIO - How to address it: Upgrade to a fixed version (ATS 4.3.0 for Enterprise, Transform Core AIO 5.3.0 for Community) CVE-2026-26338: SSRF via document processing functionality - Impact: SSRF, which can be used to probe or access internal services from the transformation environment - Affected Components: Alfresco Transform Service (ATS) - How to address it: Upgrade to a fixed version (ATS 4.3.0 for Enterprise, Transform Core AIO 5.3.0) CVE-2026-26339: Argument injection leading to Remote Code Execution (RCE) - Impact: Remote code execution (RCE) - Affected Components: Alfresco Transform Service (ATS) - How to address it: Upgrade to a fixed version (ATS 4.2.3 or later for Enterprise, Transform Core AIO 5.2.4 or later) Additional Recommendations: - Do not expose transformation endpoints to untrusted networks. - Use allowlists for outbound destinations. - Ensure standard perimeter protections are in place.