{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2259", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-02-09T16:56:09.456Z", "datePublished": "2026-02-10T02:32:08.234Z", "dateUpdated": "2026-02-23T10:01:39.324Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-23T10:01:39.324Z"}, "title": "aardappel lobster Parsing parser.h ParseStatements memory corruption", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-119", "lang": "en", "description": "Memory Corruption"}]}], "affected": [{"vendor": "aardappel", "product": "lobster", "versions": [{"version": "2025.0", "status": "affected"}, {"version": "2025.1", "status": "affected"}, {"version": "2025.2", "status": "affected"}, {"version": "2025.3", "status": "affected"}, {"version": "2025.4", "status": "affected"}], "modules": ["Parsing"]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in aardappel lobster up to 2025.4. Affected by this issue is the function lobster::Parser::ParseStatements in the library dev/src/lobster/parser.h of the component Parsing. The manipulation leads to memory corruption. The attack can only be performed from a local environment. The exploit has been disclosed to the public and may be used. The identifier of the patch is 2f45fe860d00990e79e13250251c1dde633f1f89. Applying a patch is the recommended action to fix this issue."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.8, "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.3, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C", "baseSeverity": "LOW"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.3, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C", "baseSeverity": "LOW"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 1.7, "vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C"}}], "timeline": [{"time": "2026-02-09T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-02-09T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-02-18T04:11:01.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "Oneafter (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.345006", "name": "VDB-345006 | aardappel lobster Parsing parser.h ParseStatements memory corruption", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.345006", "name": "VDB-345006 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.753168", "name": "Submit #753168 | aardappel lobster 8ba49f9 Memory Corruption", "tags": ["third-party-advisory"]}, {"url": "https://github.com/aardappel/lobster/issues/396", "tags": ["issue-tracking"]}, {"url": "https://github.com/aardappel/lobster/issues/396#issuecomment-3849019040", "tags": ["issue-tracking"]}, {"url": "https://github.com/oneafter/0204/blob/main/lob2/repro.lobster", "tags": ["exploit"]}, {"url": "https://github.com/aardappel/lobster/commit/2f45fe860d00990e79e13250251c1dde633f1f89", "tags": ["patch"]}, {"url": "https://github.com/aardappel/lobster/", "tags": ["product"]}], "tags": ["x_open-source"]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-10T20:19:18.928967Z", "id": "CVE-2026-2259", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-10T20:19:24.411Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2259", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-10T20:19:18.928967Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-10T20:19:21.966Z"}}], "cna": {"tags": ["x_open-source"], "title": "aardappel lobster Parsing parser.h ParseStatements memory corruption", "credits": [{"lang": "en", "type": "reporter", "value": "Oneafter (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.8, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.3, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.3, "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 1.7, "vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C"}}], "affected": [{"vendor": "aardappel", "modules": ["Parsing"], "product": "lobster", "versions": [{"status": "affected", "version": "2025.0"}, {"status": "affected", "version": "2025.1"}, {"status": "affected", "version": "2025.2"}, {"status": "affected", "version": "2025.3"}, {"status": "affected", "version": "2025.4"}]}], "timeline": [{"lang": "en", "time": "2026-02-09T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-02-09T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-02-18T04:11:01.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.345006", "name": "VDB-345006 | aardappel lobster Parsing parser.h ParseStatements memory corruption", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.345006", "name": "VDB-345006 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.753168", "name": "Submit #753168 | aardappel lobster 8ba49f9 Memory Corruption", "tags": ["third-party-advisory"]}, {"url": "https://github.com/aardappel/lobster/issues/396", "tags": ["issue-tracking"]}, {"url": "https://github.com/aardappel/lobster/issues/396#issuecomment-3849019040", "tags": ["issue-tracking"]}, {"url": "https://github.com/oneafter/0204/blob/main/lob2/repro.lobster", "tags": ["exploit"]}, {"url": "https://github.com/aardappel/lobster/commit/2f45fe860d00990e79e13250251c1dde633f1f89", "tags": ["patch"]}, {"url": "https://github.com/aardappel/lobster/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in aardappel lobster up to 2025.4. Affected by this issue is the function lobster::Parser::ParseStatements in the library dev/src/lobster/parser.h of the component Parsing. The manipulation leads to memory corruption. The attack can only be performed from a local environment. The exploit has been disclosed to the public and may be used. The identifier of the patch is 2f45fe860d00990e79e13250251c1dde633f1f89. Applying a patch is the recommended action to fix this issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-119", "description": "Memory Corruption"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-23T10:01:39.324Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2259", "state": "PUBLISHED", "dateUpdated": "2026-02-23T10:01:39.324Z", "dateReserved": "2026-02-09T16:56:09.456Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-02-10T02:32:08.234Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:strlen:lobster:*:*:*:*:*:*:*:*", "matchCriteriaId": "1E46ECE9-D8C1-4F54-87C3-558A233D36DE", "versionEndIncluding": "2025.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in aardappel lobster up to 2025.4. Affected by this issue is the function lobster::Parser::ParseStatements in the library dev/src/lobster/parser.h of the component Parsing. The manipulation leads to memory corruption. The attack can only be performed from a local environment. The exploit has been disclosed to the public and may be used. The identifier of the patch is 2f45fe860d00990e79e13250251c1dde633f1f89. Applying a patch is the recommended action to fix this issue."}, {"lang": "es", "value": "Una vulnerabilidad ha sido encontrada en aardappel lobster hasta 2025.4. Afectada por este problema es la funci\u00f3n lobster::Parser::ParseStatements en la biblioteca dev/src/lobster/parser.h del componente Parsing. La manipulaci\u00f3n conduce a corrupci\u00f3n de memoria. El ataque solo puede ser realizado desde un entorno local. El exploit ha sido divulgado al p\u00fablico y puede ser usado. El identificador del parche es 2f45fe860d00990e79e13250251c1dde633f1f89. Aplicar un parche es la acci\u00f3n recomendada para solucionar este problema."}], "id": "CVE-2026-2259", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 1.7, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 3.1, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 1.9, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-02-10T04:16:05.433", "references": [{"source": "cna@vuldb.com", "tags": ["Product"], "url": "https://github.com/aardappel/lobster/"}, {"source": "cna@vuldb.com", "tags": ["Patch"], "url": "https://github.com/aardappel/lobster/commit/2f45fe860d00990e79e13250251c1dde633f1f89"}, {"source": "cna@vuldb.com", "tags": ["Patch", "Vendor Advisory", "Issue Tracking"], "url": "https://github.com/aardappel/lobster/issues/396"}, {"source": "cna@vuldb.com", "tags": ["Patch", "Vendor Advisory", "Issue Tracking"], "url": "https://github.com/aardappel/lobster/issues/396#issuecomment-3849019040"}, {"source": "cna@vuldb.com", "tags": ["Exploit"], "url": "https://github.com/oneafter/0204/blob/main/lob2/repro.lobster"}, {"source": "cna@vuldb.com", "tags": ["Permissions Required", "VDB Entry"], "url": "https://vuldb.com/?ctiid.345006"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?id.345006"}, {"source": "cna@vuldb.com", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?submit.753168"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-119"}], "source": "cna@vuldb.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "calver", "value": "2025.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "calver", "value": "2025.1"}}, {"platform": null, "status": "affected", "versions": {"scheme": "calver", "value": "2025.2"}}, {"platform": null, "status": "affected", "versions": {"scheme": "calver", "value": "2025.3"}}, {"platform": null, "status": "affected", "versions": {"scheme": "calver", "value": "2025.4"}}], "product": "lobster", "vendor": "aardappel"}], "analysis": {"en": {"generated_at": "2026-04-18T12:55:45.690876+00:00", "value": {"mitigation_remediation": ["Apply the patch corresponding to commit 2f45fe860d00990e79e13250251c1dde633f1f89 to update the parser library", "Upgrade to a version of aardappel Lobster that includes the patch, such as 2025.5 or newer", "If a patch cannot be applied immediately, restrict the use of ParseStatements to trusted input or disable its invocation for untrusted data to mitigate exploitation risk"], "summary": {"action": "Apply Patch", "impact": "Local memory corruption"}, "threat_synthesis": {"affected_systems": "All releases of aardappel Lobster up to and including 2025.4 are affected. The vulnerability is documented in the component dev/src/lobster/parser.h and has been addressed by the commit 2f45fe860d00990e79e13250251c1dde633f1f89. Only versions distributed by the aardappel:lobster vendor before this patch are impacted.", "description_and_impact": "A flaw in the lobster::Parser::ParseStatements function of aardappel Lobster\u2019s parser component can corrupt memory by handling input size incorrectly. The misuse of a size parameter can overwrite adjacent data structures, leading to undefined behavior within the parser\u2019s process. The vulnerability is a classic memory corruption issue and may be triggered by malicious or malformed input fed to the parser.", "risk_and_exploitability": "The CVSS score of 4.8 signifies moderate severity, and the EPSS score indicates a very low probability of exploitation (less than 1%). The vulnerability is not listed in the CISA KEV catalog. Exploitation requires local access to the system running the parser; there is no known remote attack vector. If successful, the memory corruption could allow an attacker to execute arbitrary code within the context of the local process that owns the parser."}}}}, "created": "2026-02-10T11:34:47.068282+00:00", "title": "Memory Corruption in aardappel Lobster Parser", "updated": "2026-04-18T13:00:08.759344+00:00", "vendors": ["aardappel", "aardappel$PRODUCT$lobster"]}