{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24820", "assignerOrgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "state": "PUBLISHED", "assignerShortName": "GovTech CSG", "dateReserved": "2026-01-27T08:48:56.893Z", "datePublished": "2026-01-27T08:56:34.369Z", "dateUpdated": "2026-01-27T17:00:59.226Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://github.com/turanszkij/WickedEngine", "defaultStatus": "affected", "modules": ["WickedEngine/LUA"], "product": "WickedEngine", "programFiles": ["ldebug.c"], "vendor": "turanszkij", "versions": [{"lessThan": "0.71.705", "status": "affected", "version": "0", "versionType": "git"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "TITAN Team (titancaproject@gmail.com)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Out-of-bounds Read vulnerability in turanszkij WickedEngine (WickedEngine/LUA modules).<p> This vulnerability is associated with program files <tt>ldebug.C</tt>.</p><p>This issue affects WickedEngine: before 0.71.705.</p>"}], "value": "Out-of-bounds Read vulnerability in turanszkij WickedEngine (WickedEngine/LUA modules). This vulnerability is associated with program files ldebug.C.\n\nThis issue affects WickedEngine: before 0.71.705."}], "metrics": [{"cvssV4_0": {"Automatable": "YES", "Recovery": "USER", "Safety": "NEGLIGIBLE", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "baseScore": 5.1, "baseSeverity": "MEDIUM", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "AMBER", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "CONCENTRATED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/S:N/AU:Y/R:U/V:C/RE:L/U:Amber", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "LOW"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-125", "description": "CWE-125 Out-of-bounds Read", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "shortName": "GovTech CSG", "dateUpdated": "2026-01-27T08:56:34.369Z"}, "references": [{"tags": ["patch"], "url": "https://github.com/turanszkij/WickedEngine/pull/1054"}], "source": {"discovery": "UNKNOWN"}, "title": "A stack overflow vulnerability in turanszkij/WickedEngine", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-27T17:00:49.764145Z", "id": "CVE-2026-24820", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-27T17:00:59.226Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24820", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-27T17:00:49.764145Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-27T17:00:55.539Z"}}], "cna": {"title": "A stack overflow vulnerability in turanszkij/WickedEngine", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "reporter", "value": "TITAN Team (titancaproject@gmail.com)"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NEGLIGIBLE", "version": "4.0", "Recovery": "USER", "baseScore": 5.1, "Automatable": "YES", "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "valueDensity": "CONCENTRATED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/S:N/AU:Y/R:U/V:C/RE:L/U:Amber", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "AMBER", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "LOW", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "turanszkij", "modules": ["WickedEngine/LUA"], "product": "WickedEngine", "versions": [{"status": "affected", "version": "0", "lessThan": "0.71.705", "versionType": "git"}], "programFiles": ["ldebug.c"], "collectionURL": "https://github.com/turanszkij/WickedEngine", "defaultStatus": "affected"}], "references": [{"url": "https://github.com/turanszkij/WickedEngine/pull/1054", "tags": ["patch"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Out-of-bounds Read vulnerability in turanszkij WickedEngine (WickedEngine/LUA modules). This vulnerability is associated with program files ldebug.C.\n\nThis issue affects WickedEngine: before 0.71.705.", "supportingMedia": [{"type": "text/html", "value": "Out-of-bounds Read vulnerability in turanszkij WickedEngine (WickedEngine/LUA modules).<p> This vulnerability is associated with program files <tt>ldebug.C</tt>.</p><p>This issue affects WickedEngine: before 0.71.705.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-125", "description": "CWE-125 Out-of-bounds Read"}]}], "providerMetadata": {"orgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "shortName": "GovTech CSG", "dateUpdated": "2026-01-27T08:56:34.369Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24820", "state": "PUBLISHED", "dateUpdated": "2026-01-27T17:00:59.226Z", "dateReserved": "2026-01-27T08:48:56.893Z", "assignerOrgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "datePublished": "2026-01-27T08:56:34.369Z", "assignerShortName": "GovTech CSG"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Out-of-bounds Read vulnerability in turanszkij WickedEngine (WickedEngine/LUA modules). This vulnerability is associated with program files ldebug.C.\n\nThis issue affects WickedEngine: before 0.71.705."}, {"lang": "es", "value": "Vulnerabilidad de lectura fuera de l\u00edmites en turanszkij WickedEngine (m\u00f3dulos WickedEngine/LUA). Esta vulnerabilidad est\u00e1 asociada con los archivos de programa ldebug.C.\n\nEste problema afecta a WickedEngine: anterior a 0.71.705."}], "id": "CVE-2026-24820", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "YES", "Recovery": "USER", "Safety": "NEGLIGIBLE", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "AMBER", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "CONCENTRATED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:U/V:C/RE:L/U:Amber", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "LOW"}, "source": "cve_disclosure@tech.gov.sg", "type": "Secondary"}]}, "published": "2026-01-27T09:15:52.663", "references": [{"source": "cve_disclosure@tech.gov.sg", "url": "https://github.com/turanszkij/WickedEngine/pull/1054"}], "sourceIdentifier": "cve_disclosure@tech.gov.sg", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "cve_disclosure@tech.gov.sg", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T18:48:03.514588+00:00", "value": {"mitigation_remediation": ["Upgrade WickedEngine to 0.71.705 or newer to remove the flaw.", "If the ldebug.C module is not required, disable or delete it to reduce attack surface.", "Monitor logs for abnormal memory reads that may indicate attempted exploitation."], "summary": {"action": "Update Engine", "impact": "Out-of-bounds Read"}, "threat_synthesis": {"affected_systems": "WickedEngine from vendor turanszkij is affected when the installed version is earlier than 0.71.705. The issue surfaces in the engine\u2019s LUA modules, specifically when loading or executing the ldebug.C file. Versions v0.71.704 and below are vulnerable; upgrading to v0.71.705 or later removes the flaw.", "description_and_impact": "Based on the description, the vulnerability involves an out-of-bounds read triggered by the ldebug.C module in WickedEngine. Based on the description, it is inferred that the vulnerability does not allow code execution or denial of service; the impact is limited to the potential exposure of private data from memory. The weakness is classified as CWE-125, an out-of-bounds read, which may lead to leakage of sensitive information in systems that process untrusted input. The CVSS score of 5.1 indicates a moderate security impact with potential confidentiality concerns for applications running the vulnerable engine.", "risk_and_exploitability": "Based on the description, the likely attack vector is local or application-level access to the engine. The CVSS base score of 5.1 reflects moderate severity, while the EPSS score of less than 1% shows a very low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, suggesting no confirmed active exploitation. An attacker would need local or application-level access to the engine to trigger the read; remote exploitation is unlikely without additional vulnerabilities. The risk is primarily data exposure rather than privilege escalation or disruption."}}}}, "created": "2026-01-27T20:17:18.952801+00:00", "updated": "2026-04-18T19:00:08.026340+00:00", "vendors": ["turanszkij", "turanszkij$PRODUCT$wickedengine"]}