{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24874", "assignerOrgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "state": "PUBLISHED", "assignerShortName": "GovTech CSG", "dateReserved": "2026-01-27T15:46:29.599Z", "datePublished": "2026-01-27T15:55:03.021Z", "dateUpdated": "2026-01-27T16:48:38.430Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "xray-monolith", "vendor": "themrdemonized", "versions": [{"lessThan": "2025.12.30", "status": "affected", "version": "0", "versionType": "git"}]}], "credits": [{"lang": "en", "type": "finder", "value": "TITAN Team (titancaproject@gmail.com)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Access of Resource Using Incompatible Type ('Type Confusion') vulnerability in themrdemonized xray-monolith.<p>This issue affects xray-monolith: before 2025.12.30.</p>"}], "value": "Access of Resource Using Incompatible Type ('Type Confusion') vulnerability in themrdemonized xray-monolith.This issue affects xray-monolith: before 2025.12.30."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-843", "description": "CWE-843 Access of Resource Using Incompatible Type ('Type Confusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "shortName": "GovTech CSG", "dateUpdated": "2026-01-27T15:55:03.021Z"}, "references": [{"url": "https://github.com/themrdemonized/xray-monolith/pull/399"}], "source": {"discovery": "UNKNOWN"}, "title": "Type confusion in xray-monolith", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-27T16:42:37.657688Z", "id": "CVE-2026-24874", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-27T16:48:38.430Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24874", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-27T16:42:37.657688Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-27T16:48:32.284Z"}}], "cna": {"title": "Type confusion in xray-monolith", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "TITAN Team (titancaproject@gmail.com)"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "themrdemonized", "product": "xray-monolith", "versions": [{"status": "affected", "version": "0", "lessThan": "2025.12.30", "versionType": "git"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/themrdemonized/xray-monolith/pull/399"}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Access of Resource Using Incompatible Type ('Type Confusion') vulnerability in themrdemonized xray-monolith.This issue affects xray-monolith: before 2025.12.30.", "supportingMedia": [{"type": "text/html", "value": "Access of Resource Using Incompatible Type ('Type Confusion') vulnerability in themrdemonized xray-monolith.<p>This issue affects xray-monolith: before 2025.12.30.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-843", "description": "CWE-843 Access of Resource Using Incompatible Type ('Type Confusion')"}]}], "providerMetadata": {"orgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "shortName": "GovTech CSG", "dateUpdated": "2026-01-27T15:55:03.021Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24874", "state": "PUBLISHED", "dateUpdated": "2026-01-27T16:48:38.430Z", "dateReserved": "2026-01-27T15:46:29.599Z", "assignerOrgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "datePublished": "2026-01-27T15:55:03.021Z", "assignerShortName": "GovTech CSG"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Access of Resource Using Incompatible Type ('Type Confusion') vulnerability in themrdemonized xray-monolith.This issue affects xray-monolith: before 2025.12.30."}, {"lang": "es", "value": "Vulnerabilidad de Acceso a Recurso Usando Tipo Incompatible ('Confusi\u00f3n de Tipos') en themrdemonized xray-monolith. Este problema afecta a xray-monolith: antes de 2025.12.30."}], "id": "CVE-2026-24874", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "cve_disclosure@tech.gov.sg", "type": "Secondary"}]}, "published": "2026-01-27T16:16:36.880", "references": [{"source": "cve_disclosure@tech.gov.sg", "url": "https://github.com/themrdemonized/xray-monolith/pull/399"}], "sourceIdentifier": "cve_disclosure@tech.gov.sg", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-843"}], "source": "cve_disclosure@tech.gov.sg", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T20:10:45.912804+00:00", "value": {"mitigation_remediation": ["Upgrade the xray\u2011monolith component to version 2025.12.30 or later, as the fix for the type\u2011confusion flaw is included in that release.", "If an immediate upgrade is infeasible, isolate the service from untrusted networks by placing it behind a firewall or restricting it to an internal subnet, thereby limiting exposure.", "Apply strict runtime type validation or disable any unsafe type coercion within the application code to mitigate the underlying type\u2011confusion weakness identified by CWE\u2011843."], "summary": {"action": "Immediate Patch", "impact": "Memory Corruption"}, "threat_synthesis": {"affected_systems": "The vulnerability applies to the xray\u2011monolith released by themrdemonized. Any deployment of the component prior to the 2025.12.30 release is considered affected; the CVE description does not enumerate additional minor revisions.", "description_and_impact": "The xray\u2011monolith component suffers a type\u2011confusion flaw where a value of one type is accessed using an incompatible type. Such misuse of type handling can corrupt memory, causing unexpected reads or writes that may undermine confidentiality, integrity, and availability if an attacker can trigger the behavior. The high severity score of 9.1 reflects the potential for deep compromise.", "risk_and_exploitability": "The CVSS score of 9.1 marks the flaw as critical. Its EPSS score is < 1%, indicating a low current exploitation probability, and it is not listed in the CISA KEV catalog. Based on the nature of a type\u2011confusion bug and the fact that the service is a network\u2011facing process, it is inferred that a remote attacker could potentially exploit the flaw via a client request, but no documented exploitation vector is provided at this time."}}}}, "created": "2026-01-28T12:22:34.257392+00:00", "updated": "2026-04-18T20:15:09.551172+00:00", "vendors": ["themrdemonized", "themrdemonized$PRODUCT$xray-monolith"]}