{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4739", "assignerOrgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "state": "PUBLISHED", "assignerShortName": "GovTech CSG", "dateReserved": "2026-03-24T03:19:16.665Z", "datePublished": "2026-03-24T03:19:28.818Z", "dateUpdated": "2026-03-24T14:34:50.925Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "shortName": "GovTech CSG", "dateUpdated": "2026-03-24T03:19:28.818Z"}, "title": "Integer overflow vulnerabilities in InsightSoftwareConsortium/ITK", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-190", "description": "CWE-190 Integer Overflow or Wraparound", "type": "CWE"}]}], "affected": [{"vendor": "InsightSoftwareConsortium", "product": "ITK", "collectionURL": "https://github.com/InsightSoftwareConsortium/ITK", "modules": ["\u200eModules/ThirdParty/Expat/src/expat"], "versions": [{"status": "affected", "version": "0", "lessThan": "2.7.1", "versionType": "git"}], "defaultStatus": "affected"}], "descriptions": [{"lang": "en", "value": "Integer Overflow or Wraparound vulnerability in InsightSoftwareConsortium ITK (\u200eModules/ThirdParty/Expat/src/expat modules).This issue affects ITK: before 2.7.1.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Integer Overflow or Wraparound vulnerability in InsightSoftwareConsortium ITK (\u200eModules/ThirdParty/Expat/src/expat modules).<p>This issue affects ITK: before 2.7.1.</p>"}]}], "references": [{"url": "https://github.com/InsightSoftwareConsortium/ITK/pull/5351", "tags": ["patch"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "exploitMaturity": "ATTACKED", "Safety": "PRESENT", "Automatable": "YES", "Recovery": "USER", "valueDensity": "CONCENTRATED", "vulnerabilityResponseEffort": "MODERATE", "providerUrgency": "AMBER", "version": "4.0", "baseSeverity": "CRITICAL", "baseScore": 9.4, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/S:P/AU:Y/R:U/V:C/RE:M/U:Amber"}}], "credits": [{"lang": "en", "value": "TITAN Team (titancaproject@gmail.com)", "type": "reporter"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T14:34:37.467295Z", "id": "CVE-2026-4739", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T14:34:50.925Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4739", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-24T14:34:37.467295Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T14:34:48.037Z"}}], "cna": {"title": "Integer overflow vulnerabilities in InsightSoftwareConsortium/ITK", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "reporter", "value": "TITAN Team (titancaproject@gmail.com)"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "PRESENT", "version": "4.0", "Recovery": "USER", "baseScore": 9.4, "Automatable": "YES", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "CONCENTRATED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/S:P/AU:Y/R:U/V:C/RE:M/U:Amber", "exploitMaturity": "ATTACKED", "providerUrgency": "AMBER", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "MODERATE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "InsightSoftwareConsortium", "modules": ["\u200eModules/ThirdParty/Expat/src/expat"], "product": "ITK", "versions": [{"status": "affected", "version": "0", "lessThan": "2.7.1", "versionType": "git"}], "collectionURL": "https://github.com/InsightSoftwareConsortium/ITK", "defaultStatus": "affected"}], "references": [{"url": "https://github.com/InsightSoftwareConsortium/ITK/pull/5351", "tags": ["patch"]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Integer Overflow or Wraparound vulnerability in InsightSoftwareConsortium ITK (\u200eModules/ThirdParty/Expat/src/expat modules).This issue affects ITK: before 2.7.1.", "supportingMedia": [{"type": "text/html", "value": "Integer Overflow or Wraparound vulnerability in InsightSoftwareConsortium ITK (\u200eModules/ThirdParty/Expat/src/expat modules).<p>This issue affects ITK: before 2.7.1.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-190", "description": "CWE-190 Integer Overflow or Wraparound"}]}], "providerMetadata": {"orgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "shortName": "GovTech CSG", "dateUpdated": "2026-03-24T03:19:28.818Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4739", "state": "PUBLISHED", "dateUpdated": "2026-03-24T14:34:50.925Z", "dateReserved": "2026-03-24T03:19:16.665Z", "assignerOrgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "datePublished": "2026-03-24T03:19:28.818Z", "assignerShortName": "GovTech CSG"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Integer Overflow or Wraparound vulnerability in InsightSoftwareConsortium ITK (\u200eModules/ThirdParty/Expat/src/expat modules).This issue affects ITK: before 2.7.1."}, {"lang": "es", "value": "Vulnerabilidad de desbordamiento de entero o ajuste circular en InsightSoftwareConsortium ITK (m\u00f3dulos ?Modules/ThirdParty/Expat/src/expat). Este problema afecta a ITK: antes de 2.7.1."}], "id": "CVE-2026-4739", "lastModified": "2026-05-05T20:38:41.080", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "YES", "Recovery": "USER", "Safety": "PRESENT", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "ATTACKED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "AMBER", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "PASSIVE", "valueDensity": "CONCENTRATED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:U/V:C/RE:M/U:Amber", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "MODERATE"}, "source": "cve_disclosure@tech.gov.sg", "type": "Secondary"}]}, "published": "2026-03-24T04:17:29.193", "references": [{"source": "cve_disclosure@tech.gov.sg", "url": "https://github.com/InsightSoftwareConsortium/ITK/pull/5351"}], "sourceIdentifier": "cve_disclosure@tech.gov.sg", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-190"}], "source": "cve_disclosure@tech.gov.sg", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.7.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "ITK", "source": "cna", "vendor": "InsightSoftwareConsortium"}, "product": "itk", "vendor": "insightsoftwareconsortium"}], "analysis": {"en": {"generated_at": "2026-03-24T04:21:03.329759+00:00", "value": {"mitigation_remediation": ["Upgrade to ITK version 2.7.1 or later to resolve the integer overflow flaw."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerable component is present in all versions of InsightSoftwareConsortium ITK before 2.7.1. Users deploying older ITK releases should verify that their system uses a pre\u20112.7.1 version and consider updating to the supported release.", "description_and_impact": "This vulnerability is an integer overflow or wrap\u2011around in the Expat parser module of the InsightSoftwareConsortium ITK library. The overflow can lead to an out\u2011of\u2011bounds memory write when parsing certain data, which in turn may allow an attacker to execute arbitrary code and compromise the integrity and confidentiality of the application that uses ITK. The weakness is classified as CWE-190, a classic integer overflow flaw.", "risk_and_exploitability": "With a CVSS score of 9.4 the flaw is considered critical, placing it in the high\u2011threat category. While EPSS data is not available, the lack of any mitigation information in the CISA KEV catalogue implies that exploitation may still be possible in the wild. The attack likely requires the attacker to supply specially crafted data to the ITK parser, a scenario that can arise in any environment that processes untrusted input. The severity suggests the vulnerability can be exploited without user interaction and could lead to remote execute if the target application has sufficient privileges."}}}}, "created": "2026-03-24T10:29:13.771945+00:00", "updated": "2026-03-25T20:40:18.996315+00:00", "vendors": ["insightsoftwareconsortium", "insightsoftwareconsortium$PRODUCT$itk"]}