{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24818", "assignerOrgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "state": "PUBLISHED", "assignerShortName": "GovTech CSG", "dateReserved": "2026-01-27T08:48:56.893Z", "datePublished": "2026-01-27T08:54:30.701Z", "dateUpdated": "2026-01-27T20:36:09.549Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://github.com/praydog/UEVR", "defaultStatus": "unaffected", "modules": ["dependencies/lua/src"], "product": "UEVR", "programFiles": ["lparser.c"], "vendor": "praydog", "versions": [{"lessThan": "1.05", "status": "affected", "version": "0", "versionType": "git"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "TITAN Team (titancaproject@gmail.com)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Out-of-bounds Read vulnerability in praydog UEVR (dependencies/lua/src modules).<p> This vulnerability is associated with program files <tt>lparser.C</tt>.</p><p>This issue affects UEVR: before 1.05.</p>"}], "value": "Out-of-bounds Read vulnerability in praydog UEVR (dependencies/lua/src modules). This vulnerability is associated with program files lparser.C.\n\nThis issue affects UEVR: before 1.05."}], "metrics": [{"cvssV4_0": {"Automatable": "YES", "Recovery": "USER", "Safety": "NEGLIGIBLE", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 6.9, "baseSeverity": "MEDIUM", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "AMBER", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:L/SI:N/SA:L/S:N/AU:Y/R:U/V:D/RE:L/U:Amber", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "LOW"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-125", "description": "CWE-125 Out-of-bounds Read", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "shortName": "GovTech CSG", "dateUpdated": "2026-01-27T08:54:30.701Z"}, "references": [{"tags": ["patch"], "url": "https://github.com/praydog/UEVR/pull/337"}], "source": {"discovery": "UNKNOWN"}, "title": "A heap-based buffer over-read that might affect a system that compiles untrusted Lua code in praydog/UEVR", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-27T20:31:50.579733Z", "id": "CVE-2026-24818", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-27T20:36:09.549Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24818", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-27T20:31:50.579733Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-27T20:36:06.110Z"}}], "cna": {"title": "A heap-based buffer over-read that might affect a system that compiles untrusted Lua code in praydog/UEVR", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "reporter", "value": "TITAN Team (titancaproject@gmail.com)"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NEGLIGIBLE", "version": "4.0", "Recovery": "USER", "baseScore": 6.9, "Automatable": "YES", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:L/SI:N/SA:L/S:N/AU:Y/R:U/V:D/RE:L/U:Amber", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "AMBER", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "praydog", "modules": ["dependencies/lua/src"], "product": "UEVR", "versions": [{"status": "affected", "version": "0", "lessThan": "1.05", "versionType": "git"}], "programFiles": ["lparser.c"], "collectionURL": "https://github.com/praydog/UEVR", "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/praydog/UEVR/pull/337", "tags": ["patch"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Out-of-bounds Read vulnerability in praydog UEVR (dependencies/lua/src modules). This vulnerability is associated with program files lparser.C.\n\nThis issue affects UEVR: before 1.05.", "supportingMedia": [{"type": "text/html", "value": "Out-of-bounds Read vulnerability in praydog UEVR (dependencies/lua/src modules).<p> This vulnerability is associated with program files <tt>lparser.C</tt>.</p><p>This issue affects UEVR: before 1.05.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-125", "description": "CWE-125 Out-of-bounds Read"}]}], "providerMetadata": {"orgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "shortName": "GovTech CSG", "dateUpdated": "2026-01-27T08:54:30.701Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24818", "state": "PUBLISHED", "dateUpdated": "2026-01-27T20:36:09.549Z", "dateReserved": "2026-01-27T08:48:56.893Z", "assignerOrgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "datePublished": "2026-01-27T08:54:30.701Z", "assignerShortName": "GovTech CSG"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Out-of-bounds Read vulnerability in praydog UEVR (dependencies/lua/src modules). This vulnerability is associated with program files lparser.C.\n\nThis issue affects UEVR: before 1.05."}, {"lang": "es", "value": "Vulnerabilidad de lectura fuera de l\u00edmites en praydog UEVR (m\u00f3dulos dependencies/lua/src). Esta vulnerabilidad est\u00e1 asociada con los archivos de programa lparser.C.\n\nEste problema afecta a UEVR: antes de la versi\u00f3n 1.05."}], "id": "CVE-2026-24818", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "YES", "Recovery": "USER", "Safety": "NEGLIGIBLE", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "AMBER", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:L/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:U/V:D/RE:L/U:Amber", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "LOW"}, "source": "cve_disclosure@tech.gov.sg", "type": "Secondary"}]}, "published": "2026-01-27T09:15:52.383", "references": [{"source": "cve_disclosure@tech.gov.sg", "url": "https://github.com/praydog/UEVR/pull/337"}], "sourceIdentifier": "cve_disclosure@tech.gov.sg", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "cve_disclosure@tech.gov.sg", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T14:53:39.920366+00:00", "value": {"mitigation_remediation": ["Upgrade to praydog UEVR version 1.05 or later", "Disable execution of untrusted Lua code until the patch is applied", "Validate Lua script inputs to prevent malformed data"], "summary": {"action": "Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "The flaw is present in all versions of praydog UEVR prior to 1.05. Upgrading to version 1.05 or later removes the affected code path and mitigates the read underflow.", "description_and_impact": "A heap-based buffer over-read in praydog's UEVR system occurs in the file lparser.C when compiling untrusted Lua code. The vulnerability allows an attacker to read memory beyond the intended buffer, potentially exposing sensitive information stored in adjacent memory areas. This flaw is classified as CWE-125 and results in a moderate CVSS score of 6.9, indicating that while it does not provide direct code execution, it can leak confidential data that may aid further attacks.", "risk_and_exploitability": "The EPSS score for this vulnerability is less than 1%, indicating a very low likelihood of exploitation in the wild. It is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attack vector requires execution of untrusted Lua code within the UEVR environment; an attacker would need to provide specially crafted input that triggers the lparser.C over-read. The moderate CVSS score reflects the confidentiality impact rather than an integrity or availability breach."}}}}, "created": "2026-01-27T20:17:21.781079+00:00", "updated": "2026-04-18T15:00:03.446104+00:00", "vendors": ["praydog", "praydog$PRODUCT$uevr"]}