{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5037", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-03-27T16:23:50.496Z", "datePublished": "2026-03-29T08:45:11.533Z", "dateUpdated": "2026-04-01T14:32:02.218Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-29T08:45:11.533Z"}, "title": "mxml mxmlIndexNew mxml-index.c index_sort stack-based overflow", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-121", "lang": "en", "description": "Stack-based Buffer Overflow"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-119", "lang": "en", "description": "Memory Corruption"}]}], "affected": [{"vendor": "n/a", "product": "mxml", "versions": [{"version": "4.0.0", "status": "affected"}, {"version": "4.0.1", "status": "affected"}, {"version": "4.0.2", "status": "affected"}, {"version": "4.0.3", "status": "affected"}, {"version": "4.0.4", "status": "affected"}], "modules": ["mxmlIndexNew"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in mxml up to 4.0.4. This issue affects the function index_sort of the file mxml-index.c of the component mxmlIndexNew. Executing a manipulation of the argument tempr can lead to stack-based buffer overflow. The attack is restricted to local execution. The exploit has been publicly disclosed and may be utilized. This patch is called 6e27354466092a1ac65601e01ce6708710bb9fa5. A patch should be applied to remediate this issue."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.8, "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.3, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C", "baseSeverity": "LOW"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.3, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C", "baseSeverity": "LOW"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 1.7, "vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C"}}], "timeline": [{"time": "2026-03-27T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-03-27T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-03-27T17:28:55.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "MTHG (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/vuln/353963", "name": "VDB-353963 | mxml mxmlIndexNew mxml-index.c index_sort stack-based overflow", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/353963/cti", "name": "VDB-353963 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/778638", "name": "Submit #778638 | michaelrsweet mxml 4.0.4 Heap-based Buffer Overflow", "tags": ["third-party-advisory"]}, {"url": "https://github.com/michaelrsweet/mxml/issues/350", "tags": ["issue-tracking"]}, {"url": "https://github.com/michaelrsweet/mxml/issues/350#issuecomment-4051317229", "tags": ["issue-tracking"]}, {"url": "https://github.com/user-attachments/files/25934383/1.xml", "tags": ["exploit"]}, {"url": "https://github.com/michaelrsweet/mxml/commit/6e27354466092a1ac65601e01ce6708710bb9fa5", "tags": ["patch"]}], "tags": ["x_open-source"]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-01T14:31:32.923342Z", "id": "CVE-2026-5037", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T14:32:02.218Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5037", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-03-27T16:23:50.496Z", "datePublished": "2026-03-29T08:45:11.533Z", "dateUpdated": "2026-04-01T14:32:02.218Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-29T08:45:11.533Z"}, "title": "mxml mxmlIndexNew mxml-index.c index_sort stack-based overflow", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-121", "lang": "en", "description": "Stack-based Buffer Overflow"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-119", "lang": "en", "description": "Memory Corruption"}]}], "affected": [{"vendor": "n/a", "product": "mxml", "versions": [{"version": "4.0.0", "status": "affected"}, {"version": "4.0.1", "status": "affected"}, {"version": "4.0.2", "status": "affected"}, {"version": "4.0.3", "status": "affected"}, {"version": "4.0.4", "status": "affected"}], "modules": ["mxmlIndexNew"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in mxml up to 4.0.4. This issue affects the function index_sort of the file mxml-index.c of the component mxmlIndexNew. Executing a manipulation of the argument tempr can lead to stack-based buffer overflow. The attack is restricted to local execution. The exploit has been publicly disclosed and may be utilized. This patch is called 6e27354466092a1ac65601e01ce6708710bb9fa5. A patch should be applied to remediate this issue."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.8, "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.3, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C", "baseSeverity": "LOW"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.3, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C", "baseSeverity": "LOW"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 1.7, "vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C"}}], "timeline": [{"time": "2026-03-27T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-03-27T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-03-27T17:28:55.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "MTHG (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/vuln/353963", "name": "VDB-353963 | mxml mxmlIndexNew mxml-index.c index_sort stack-based overflow", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/353963/cti", "name": "VDB-353963 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/778638", "name": "Submit #778638 | michaelrsweet mxml 4.0.4 Heap-based Buffer Overflow", "tags": ["third-party-advisory"]}, {"url": "https://github.com/michaelrsweet/mxml/issues/350", "tags": ["issue-tracking"]}, {"url": "https://github.com/michaelrsweet/mxml/issues/350#issuecomment-4051317229", "tags": ["issue-tracking"]}, {"url": "https://github.com/user-attachments/files/25934383/1.xml", "tags": ["exploit"]}, {"url": "https://github.com/michaelrsweet/mxml/commit/6e27354466092a1ac65601e01ce6708710bb9fa5", "tags": ["patch"]}], "tags": ["x_open-source"]}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5037", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-01T14:31:32.923342Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T14:31:58.351Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in mxml up to 4.0.4. This issue affects the function index_sort of the file mxml-index.c of the component mxmlIndexNew. Executing a manipulation of the argument tempr can lead to stack-based buffer overflow. The attack is restricted to local execution. The exploit has been publicly disclosed and may be utilized. This patch is called 6e27354466092a1ac65601e01ce6708710bb9fa5. A patch should be applied to remediate this issue."}, {"lang": "es", "value": "Se determin\u00f3 una vulnerabilidad en mxml hasta la versi\u00f3n 4.0.4. Este problema afecta a la funci\u00f3n index_sort del archivo mxml-index.c del componente mxmlIndexNew. La ejecuci\u00f3n de una manipulaci\u00f3n del argumento tempr puede llevar a un desbordamiento de b\u00fafer basado en pila. El ataque est\u00e1 restringido a ejecuci\u00f3n local. El exploit ha sido divulgado p\u00fablicamente y puede ser utilizado. Este parche se llama 6e27354466092a1ac65601e01ce6708710bb9fa5. Debe aplicarse un parche para remediar este problema."}], "id": "CVE-2026-5037", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 1.7, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 3.1, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 1.9, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-03-29T09:15:56.340", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/michaelrsweet/mxml/commit/6e27354466092a1ac65601e01ce6708710bb9fa5"}, {"source": "cna@vuldb.com", "url": "https://github.com/michaelrsweet/mxml/issues/350"}, {"source": "cna@vuldb.com", "url": "https://github.com/michaelrsweet/mxml/issues/350#issuecomment-4051317229"}, {"source": "cna@vuldb.com", "url": "https://github.com/user-attachments/files/25934383/1.xml"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/778638"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/353963"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/353963/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-121"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "4.0.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "4.0.1"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "4.0.2"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "4.0.3"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "4.0.4"}}], "enrichment": {"confidence": 90.0, "confidence_source": "inferred", "scores": [{"score": 90.0, "source": "inferred"}]}, "original": {"product": "mxml", "source": "cna", "vendor": "n/a"}, "product": "mxml", "vendor": "michaelrsweet"}], "analysis": {"en": {"generated_at": "2026-03-29T10:20:18.313964+00:00", "value": {"mitigation_remediation": ["Apply the patch from commit 6e27354466092a1ac65601e01ce6708710bb9fa5 or update mxml to a version newer than 4.0.4", "Verify that the updated library no longer contains the exploitable index_sort function", "If an update is not available, restrict local users from running affected applications or isolate the application in a sandboxed environment"], "summary": {"action": "Apply Patch", "impact": "Local Memory Corruption"}, "threat_synthesis": {"affected_systems": "The mxml library, version 4.0.4 and earlier, is affected. The vulnerability resides in the mxmlIndexNew component. No additional vendor or product information is supplied, and patch status is identified by commit 6e27354466092a1ac65601e01ce6708710bb9fa5.", "description_and_impact": "A stack\u2011based buffer overflow is triggered by a maliciously crafted value for the argument named \"tempr\" in the function index_sort within mxml-index.c of the mxml library. The flaw allows a local attacker to corrupt the stack, potentially causing a program crash or enabling local privilege escalation. The vulnerability is listed as CWE\u2011119 and CWE\u2011121, indicating a classic buffer overflow weakness. Because the flaw is confined to local execution, only an attacker able to run code on the affected system can exploit it, yet the impact could be severe if the process runs with elevated privileges.", "risk_and_exploitability": "The CVSS base score is 4.8, reflecting a Moderate severity with an Access Vector limited to local. The EPSS score is not provided, and the vulnerability is not listed in CISA\u2019s KEV catalog. An attacker must have local system access to execute the exploit, but the flaw has been publicly disclosed and demonstrated, raising the risk of exploitation in environments where mxml is deployed without an updated version."}}}}, "created": "2026-03-29T20:31:42.145318+00:00", "updated": "2026-03-30T06:58:32.496170+00:00", "vendors": ["michaelrsweet", "michaelrsweet$PRODUCT$mxml"]}