A deserialization vulnerability in Nuance PowerScribe, tracked as CVE-2026-26142 (CVSS 9.8), allows an unauthorised attacker to execute arbitrary code over a network. Nuance PowerScribe is a widely deployed speech recognition and reporting platform used in healthcare for radiology and clinical documentation.
What Is the Vulnerability?
CVE-2026-26142 is a deserialization of untrusted data vulnerability (CWE-502) in Nuance PowerScribe. Deserialization flaws let an attacker supply a crafted serialized object that executes arbitrary code when the application processes it. PowerScribe is deployed in hospital and clinical environments, where it processes patient data, integrates with electronic health record systems, and handles protected health information (PHI). A compromised PowerScribe instance gives an attacker access to clinical workflows and potentially to patient data.
- CVSS v3.1 Score: 9.8 (Critical)
- CWE: CWE-502 (Deserialization of Untrusted Data)
What Is the Fix?
Apply the Microsoft security update. Nuance was acquired by Microsoft, so the fix is distributed through Microsoft’s update channel. Advisory: MSRC CVE-2026-26142.
Recommendations
Patch PowerScribe immediately. A CVSS 9.8 deserialization RCE on a healthcare platform that processes PHI demands urgent attention. Healthcare organisations should treat this as a priority patch.
References
This advisory was first covered in the broader Vulnerability Intelligence Report — June 10, 2026.
