{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24807", "assignerOrgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "state": "PUBLISHED", "assignerShortName": "GovTech CSG", "dateReserved": "2026-01-27T08:39:10.281Z", "datePublished": "2026-01-27T08:43:51.077Z", "dateUpdated": "2026-05-06T16:58:44.740Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://github.com/liuyueyi/quick-media", "defaultStatus": "unaffected", "modules": ["plugins/svg-plugin/batik-codec-fix/src/main/java/org/apache/batik/ext/awt/image/codec/util"], "product": "quick-media", "programFiles": ["SeekableOutputStream.java"], "vendor": "liuyueyi", "versions": [{"lessThan": "v1.0", "status": "affected", "version": "0", "versionType": "git"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "TITAN Team (titancaproject@gmail.com)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Verification of Cryptographic Signature vulnerability in liuyueyi quick-media (plugins/svg-plugin/batik-codec-fix/src/main/java/org/apache/batik/ext/awt/image/codec/util modules).<p> This vulnerability is associated with program files <tt>SeekableOutputStream.Java</tt>.</p><p>This issue affects quick-media: before v1.0.</p>"}], "value": "Improper Verification of Cryptographic Signature vulnerability in liuyueyi quick-media (plugins/svg-plugin/batik-codec-fix/src/main/java/org/apache/batik/ext/awt/image/codec/util modules). This vulnerability is associated with program files SeekableOutputStream.Java.\n\nThis issue affects quick-media: before v1.0."}], "metrics": [{"cvssV4_0": {"Automatable": "YES", "Recovery": "USER", "Safety": "NEGLIGIBLE", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 5.3, "baseSeverity": "MEDIUM", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "AMBER", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "CONCENTRATED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/S:N/AU:Y/R:U/V:C/RE:M/U:Amber", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "MODERATE"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-347", "description": "CWE-347 Improper Verification of Cryptographic Signature", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "shortName": "GovTech CSG", "dateUpdated": "2026-01-27T08:43:51.077Z"}, "references": [{"tags": ["patch"], "url": "https://github.com/liuyueyi/quick-media/pull/123"}], "source": {"discovery": "UNKNOWN"}, "title": "Buffer Overflow Vulnerability in liuyueyi/quick-media", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-27T20:45:19.356416Z", "id": "CVE-2026-24807", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-27T20:45:28.314Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-05-06T16:58:44.740Z"}, "references": [{"url": "https://github.com/liuyueyi/quick-media/pull/123#issuecomment-4305589308"}, {"url": "https://github.com/css4j/echosvg/discussions/137"}, {"url": "https://github.com/github/advisory-database/pull/7438"}], "title": "CVE Program Container", "x_generator": {"engine": "ADPogram 0.0.1"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/liuyueyi/quick-media/pull/123#issuecomment-4305589308"}, {"url": "https://github.com/css4j/echosvg/discussions/137"}, {"url": "https://github.com/github/advisory-database/pull/7438"}], "x_generator": {"engine": "ADPogram 0.0.1"}, "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-05-06T16:58:44.740Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24807", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-27T20:45:19.356416Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-27T20:45:24.654Z"}}], "cna": {"title": "Buffer Overflow Vulnerability in liuyueyi/quick-media", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "reporter", "value": "TITAN Team (titancaproject@gmail.com)"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NEGLIGIBLE", "version": "4.0", "Recovery": "USER", "baseScore": 5.3, "Automatable": "YES", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "CONCENTRATED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/S:N/AU:Y/R:U/V:C/RE:M/U:Amber", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "AMBER", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "MODERATE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "liuyueyi", "modules": ["plugins/svg-plugin/batik-codec-fix/src/main/java/org/apache/batik/ext/awt/image/codec/util"], "product": "quick-media", "versions": [{"status": "affected", "version": "0", "lessThan": "v1.0", "versionType": "git"}], "programFiles": ["SeekableOutputStream.java"], "collectionURL": "https://github.com/liuyueyi/quick-media", "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/liuyueyi/quick-media/pull/123", "tags": ["patch"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Improper Verification of Cryptographic Signature vulnerability in liuyueyi quick-media (plugins/svg-plugin/batik-codec-fix/src/main/java/org/apache/batik/ext/awt/image/codec/util modules). This vulnerability is associated with program files SeekableOutputStream.Java.\n\nThis issue affects quick-media: before v1.0.", "supportingMedia": [{"type": "text/html", "value": "Improper Verification of Cryptographic Signature vulnerability in liuyueyi quick-media (plugins/svg-plugin/batik-codec-fix/src/main/java/org/apache/batik/ext/awt/image/codec/util modules).<p> This vulnerability is associated with program files <tt>SeekableOutputStream.Java</tt>.</p><p>This issue affects quick-media: before v1.0.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-347", "description": "CWE-347 Improper Verification of Cryptographic Signature"}]}], "providerMetadata": {"orgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "shortName": "GovTech CSG", "dateUpdated": "2026-01-27T08:43:51.077Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24807", "state": "PUBLISHED", "dateUpdated": "2026-05-06T16:58:44.740Z", "dateReserved": "2026-01-27T08:39:10.281Z", "assignerOrgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "datePublished": "2026-01-27T08:43:51.077Z", "assignerShortName": "GovTech CSG"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Verification of Cryptographic Signature vulnerability in liuyueyi quick-media (plugins/svg-plugin/batik-codec-fix/src/main/java/org/apache/batik/ext/awt/image/codec/util modules). This vulnerability is associated with program files SeekableOutputStream.Java.\n\nThis issue affects quick-media: before v1.0."}, {"lang": "es", "value": "Vulnerabilidad de Verificaci\u00f3n Incorrecta de Firma Criptogr\u00e1fica en liuyueyi quick-media (m\u00f3dulos plugins/svg-plugin/batik-codec-fix/src/main/java/org/apache/batik/ext/awt/image/codec/util). Esta vulnerabilidad est\u00e1 asociada con los archivos de programa SeekableOutputStream.Java.\n\nEste problema afecta a quick-media: antes de la v1.0."}], "id": "CVE-2026-24807", "lastModified": "2026-05-06T17:16:22.340", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "YES", "Recovery": "USER", "Safety": "NEGLIGIBLE", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "AMBER", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "CONCENTRATED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:U/V:C/RE:M/U:Amber", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "MODERATE"}, "source": "cve_disclosure@tech.gov.sg", "type": "Secondary"}]}, "published": "2026-01-27T09:15:50.890", "references": [{"source": "cve_disclosure@tech.gov.sg", "url": "https://github.com/liuyueyi/quick-media/pull/123"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/css4j/echosvg/discussions/137"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/github/advisory-database/pull/7438"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/liuyueyi/quick-media/pull/123#issuecomment-4305589308"}], "sourceIdentifier": "cve_disclosure@tech.gov.sg", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-347"}], "source": "cve_disclosure@tech.gov.sg", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T02:24:04.184739+00:00", "value": {"mitigation_remediation": ["Upgrade to quick\u2011media version 1.0 or newer, which contains the fixed signature verification logic.", "If an immediate upgrade is not feasible, limit the SVG plugin to trusted content sources and enforce external signature validation to mitigate the bypass risk.", "Disable the SVG plugin in the application's configuration until a patch that addresses the signature verification flaw is applied."], "summary": {"action": "Apply Patch", "impact": "Signature Verification Bypass"}, "threat_synthesis": {"affected_systems": "The vulnerability impacts all releases of liuyueyi quick\u2011media before version 1.0, specifically the modules under plugins/svg-plugin/batik\u2011codec\u2011fix/src/main/java/org/apache/batik/ext/awt/image/codec/util that reference SeekableOutputStream.Java.", "description_and_impact": "Improper verification of cryptographic signatures in the SVG plugin of quick\u2011media allows malicious actors to supply forged signed content that the application will accept as valid. This signature\u2011bypass flaw (CWE\u2011347) can undermine the integrity guarantees of the system and potentially lead to unauthorized actions such as code execution or privilege escalation.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity, while an EPSS score of less than 1% suggests a low current likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector involves processing specially crafted SVG files or other signed data that can be supplied by an attacker, leading the application to accept and act upon forged inputs."}}}}, "created": "2026-01-27T20:17:06.814574+00:00", "updated": "2026-04-18T02:30:15.865724+00:00", "vendors": ["liuyueyi", "liuyueyi$PRODUCT$quick-media"]}