CVE-2026-5037

A vulnerability was determined in mxml up to 4.0.4. This issue affects the function index_sort of the file mxml-index.c of the component mxmlIndexNew. Executing a manipulation of the argument tempr can lead to stack-based buffer overflow. The attack is restricted to local execution. The exploit has been publicly disclosed and may be utilized. This patch is called 6e27354466092a1ac65601e01ce6708710bb9fa5. A patch should be applied to remediate this issue.

CVSS v3 3.3 LOW
CVSS v2.0 1.7 LOW

3.3^/10

CVSS v3 : LOW

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 1.4

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

1.7^/10

CVSS v2.0 : LOW

V2 Legend

Vector : AV:L/AC:L/Au:S/C:N/I:N/A:P

Exploitability : 3.1 / Impact : 2.9

Access Vector LOCAL

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

References

Link	Resource
https://github.com/michaelrsweet/mxml/commit/6e27354466092a1ac65601e01ce6708710bb9fa5
https://github.com/michaelrsweet/mxml/issues/350
https://github.com/michaelrsweet/mxml/issues/350#issuecomment-4051317229
https://github.com/user-attachments/files/25934383/1.xml
https://vuldb.com/submit/778638
https://vuldb.com/vuln/353963
https://vuldb.com/vuln/353963/cti

Configurations

No configuration.

History

24 Apr 2026, 16:36

Type	Values Removed	Values Added
Summary		(es) Se determinó una vulnerabilidad en mxml hasta la versión 4.0.4. Este problema afecta a la función index_sort del archivo mxml-index.c del componente mxmlIndexNew. La ejecución de una manipulación del argumento tempr puede llevar a un desbordamiento de búfer basado en pila. El ataque está restringido a ejecución local. El exploit ha sido divulgado públicamente y puede ser utilizado. Este parche se llama 6e27354466092a1ac65601e01ce6708710bb9fa5. Debe aplicarse un parche para remediar este problema.

29 Mar 2026, 09:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-29 09:15

Updated : 2026-04-29 01:00

NVD link : CVE-2026-5037

Mitre link : CVE-2026-5037

CVE.ORG link : CVE-2026-5037

JSON object : View

Products Affected

No product.

CWE

CWE-119

Improper Restriction of Operations within the Bounds of a Memory Buffer

CWE-121

Stack-based Buffer Overflow

3.3 /10

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

1.7 /10

Access Vector LOCAL

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

JSON object

Attach tags to CVE-2026-5037

3.3^/10

1.7^/10

Attach tags to `CVE-2026-5037`