<?xml version='1.0' encoding='UTF-8'?>
<?xml-stylesheet href="/static/style.xsl" type="text/xsl"?>
<rss xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title>Most recent sightings.</title>
    <link>https://vulnerability.circl.lu</link>
    <description>Contains only the most 10 recent sightings.</description>
    <docs>http://www.rssboard.org/rss-specification</docs>
    <generator>python-feedgen</generator>
    <language>en</language>
    <lastBuildDate>Fri, 17 Jul 2026 06:24:12 +0000</lastBuildDate>
    <item>
      <title>ba0bca7e-699c-42df-b4c4-209a7782ad57</title>
      <link>https://vulnerability.circl.lu/sighting/ba0bca7e-699c-42df-b4c4-209a7782ad57/export</link>
      <description>{"uuid": "ba0bca7e-699c-42df-b4c4-209a7782ad57", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-51807", "type": "seen", "source": "https://bsky.app/profile/stackflag.bsky.social/post/3mqp2sskhc32c", "content": "CVE-2026-51807\nOpenHTJ2K, a Java library for handling JPEG 2000 files, has a security issue that could allow an attacker to run unauthorized code on a system by sending it a specially crafted file. This is a serious issue\u2026\n\nToo many irrelevant or confusing CVEs? Use stackflag.com\n\n#CVE #infosec", "creation_timestamp": "2026-07-15T15:44:06.440319Z"}</description>
      <content:encoded>{"uuid": "ba0bca7e-699c-42df-b4c4-209a7782ad57", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-51807", "type": "seen", "source": "https://bsky.app/profile/stackflag.bsky.social/post/3mqp2sskhc32c", "content": "CVE-2026-51807\nOpenHTJ2K, a Java library for handling JPEG 2000 files, has a security issue that could allow an attacker to run unauthorized code on a system by sending it a specially crafted file. This is a serious issue\u2026\n\nToo many irrelevant or confusing CVEs? Use stackflag.com\n\n#CVE #infosec", "creation_timestamp": "2026-07-15T15:44:06.440319Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/ba0bca7e-699c-42df-b4c4-209a7782ad57/export</guid>
      <pubDate>Wed, 15 Jul 2026 15:44:06 +0000</pubDate>
    </item>
    <item>
      <title>99954543-ef08-4519-b6ba-d24afd0d73d1</title>
      <link>https://vulnerability.circl.lu/sighting/99954543-ef08-4519-b6ba-d24afd0d73d1/export</link>
      <description>{"uuid": "99954543-ef08-4519-b6ba-d24afd0d73d1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-51807", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mqnfu3brq72t", "content": "CVE-2026-51807 - OpenHTJ2K Buffer Overflow Vulnerability\nCVE ID : CVE-2026-51807\n \n Published : July 14, 2026, 11:17 p.m. | 14\u00a0minutes ago\n \n Description : Buffer Overflow vulnerability in OpenHTJ2K v.0.18.4 and before allows an attacker to execute arbitrary code via the j2k_p...", "creation_timestamp": "2026-07-14T23:56:20.893591Z"}</description>
      <content:encoded>{"uuid": "99954543-ef08-4519-b6ba-d24afd0d73d1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-51807", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mqnfu3brq72t", "content": "CVE-2026-51807 - OpenHTJ2K Buffer Overflow Vulnerability\nCVE ID : CVE-2026-51807\n \n Published : July 14, 2026, 11:17 p.m. | 14\u00a0minutes ago\n \n Description : Buffer Overflow vulnerability in OpenHTJ2K v.0.18.4 and before allows an attacker to execute arbitrary code via the j2k_p...", "creation_timestamp": "2026-07-14T23:56:20.893591Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/99954543-ef08-4519-b6ba-d24afd0d73d1/export</guid>
      <pubDate>Tue, 14 Jul 2026 23:56:20 +0000</pubDate>
    </item>
    <item>
      <title>107e1a3c-415b-48d5-8473-1a371d7cdb6f</title>
      <link>https://vulnerability.circl.lu/sighting/107e1a3c-415b-48d5-8473-1a371d7cdb6f/export</link>
      <description>{"uuid": "107e1a3c-415b-48d5-8473-1a371d7cdb6f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-51807", "type": "seen", "source": "https://gist.github.com/5asever40-a11y/dcfa867b099a7782ad72ab7981427765", "content": "# CVE-2026-51807\n\nHeap buffer overflow in OpenHTJ2K PPM packet header parsing\nallows heap out-of-bounds write via a crafted J2K/JP2 codestream\nor malicious JPIP/JPP response.\n\n------------------------------------------\n\n[Vulnerability Type]\nHeap Buffer Overflow\nOut-of-Bounds Write\n\n------------------------------------------\n\n[Vendor of Product]\nOpenHTJ2K\n\n------------------------------------------\n\n[Affected Product Code Base]\nOpenHTJ2K versions before v0.18.4\n\nFixed version: v0.18.4\nFix commit/tag: f77c1e9 / v0.18.4\n\n------------------------------------------\n\n[Affected Component]\nsource/core/coding/coding_units.cpp\n\nj2k_precinct_subband::parse_packet_header()\nj2k_codeblock::pass_length[128]\n\n------------------------------------------\n\n[Root Cause]\nThe PPM packet header parser updates the fixed-size\nj2k_codeblock::pass_length[128] array while increasing\nnum_passes, but vulnerable versions did not sufficiently\nvalidate that the updated number of coding passes stayed\nwithin the 128-entry pass_length array.\n\nWhen crafted packet header data causes num_passes and\nsegment_passes to exceed the pass_length capacity, the parser\nwrites beyond pass_length[128], resulting in heap memory\ncorruption.\n\n------------------------------------------\n\n[Attack Vectors]\nAn attacker can trigger the vulnerability by providing:\n\n1. A crafted J2K/JP2 codestream processed by the decoder or JPIP server.\n2. A malicious JPIP/JPP server response consumed by an OpenHTJ2K client.\n\nThe client-response path was reproduced by feeding malicious\nJPP response bytes through JPIP stream parsing, databin\nreassembly, and the OpenHTJ2K decoder path until\nj2k_precinct_subband::parse_packet_header() performed the\nout-of-bounds heap write.\n\n------------------------------------------\n\n[Impact]\nHeap memory corruption\n\nConfirmed impact:\n- Heap out-of-bounds write\n- Crash / denial of service\n- Neighboring j2k_codeblock object state corruption in crafted layouts\n- Later dereference of corrupted decoder state\n\nPotential impact:\n- Further exploitation may be possible depending on heap layout,\n  allocator behavior, ASLR, and availability of a stronger write\n  primitive.\n\nStable arbitrary write or RCE was investigated but not confirmed\nby the reporters.\n\n------------------------------------------\n\n[Fix]\nOpenHTJ2K v0.18.4 added kMaxCodingPasses = 128 and introduced\nbounds checks before updating num_passes in the vulnerable packet\nheader parsing paths.\n\nThe fix rejects malformed inputs before pass_length[128] can be\nwritten out of bounds.\n\n------------------------------------------\n\n[Reference]\nhttps://github.com/osamu620/OpenHTJ2K/releases/tag/v0.18.4\nhttps://github.com/osamu620/OpenHTJ2K/releases\n\n------------------------------------------\n\n[Discoverer]\nKANG DAEUN (SANGMYUNG UNIVERSITY, https://github.com/Daeun2046)\nOH HAN GUEL (SANGMYUNG UNIVERSITY, https://github.com/5asever40-a11y)\n", "creation_timestamp": "2026-07-10T12:26:14.303646Z"}</description>
      <content:encoded>{"uuid": "107e1a3c-415b-48d5-8473-1a371d7cdb6f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-51807", "type": "seen", "source": "https://gist.github.com/5asever40-a11y/dcfa867b099a7782ad72ab7981427765", "content": "# CVE-2026-51807\n\nHeap buffer overflow in OpenHTJ2K PPM packet header parsing\nallows heap out-of-bounds write via a crafted J2K/JP2 codestream\nor malicious JPIP/JPP response.\n\n------------------------------------------\n\n[Vulnerability Type]\nHeap Buffer Overflow\nOut-of-Bounds Write\n\n------------------------------------------\n\n[Vendor of Product]\nOpenHTJ2K\n\n------------------------------------------\n\n[Affected Product Code Base]\nOpenHTJ2K versions before v0.18.4\n\nFixed version: v0.18.4\nFix commit/tag: f77c1e9 / v0.18.4\n\n------------------------------------------\n\n[Affected Component]\nsource/core/coding/coding_units.cpp\n\nj2k_precinct_subband::parse_packet_header()\nj2k_codeblock::pass_length[128]\n\n------------------------------------------\n\n[Root Cause]\nThe PPM packet header parser updates the fixed-size\nj2k_codeblock::pass_length[128] array while increasing\nnum_passes, but vulnerable versions did not sufficiently\nvalidate that the updated number of coding passes stayed\nwithin the 128-entry pass_length array.\n\nWhen crafted packet header data causes num_passes and\nsegment_passes to exceed the pass_length capacity, the parser\nwrites beyond pass_length[128], resulting in heap memory\ncorruption.\n\n------------------------------------------\n\n[Attack Vectors]\nAn attacker can trigger the vulnerability by providing:\n\n1. A crafted J2K/JP2 codestream processed by the decoder or JPIP server.\n2. A malicious JPIP/JPP server response consumed by an OpenHTJ2K client.\n\nThe client-response path was reproduced by feeding malicious\nJPP response bytes through JPIP stream parsing, databin\nreassembly, and the OpenHTJ2K decoder path until\nj2k_precinct_subband::parse_packet_header() performed the\nout-of-bounds heap write.\n\n------------------------------------------\n\n[Impact]\nHeap memory corruption\n\nConfirmed impact:\n- Heap out-of-bounds write\n- Crash / denial of service\n- Neighboring j2k_codeblock object state corruption in crafted layouts\n- Later dereference of corrupted decoder state\n\nPotential impact:\n- Further exploitation may be possible depending on heap layout,\n  allocator behavior, ASLR, and availability of a stronger write\n  primitive.\n\nStable arbitrary write or RCE was investigated but not confirmed\nby the reporters.\n\n------------------------------------------\n\n[Fix]\nOpenHTJ2K v0.18.4 added kMaxCodingPasses = 128 and introduced\nbounds checks before updating num_passes in the vulnerable packet\nheader parsing paths.\n\nThe fix rejects malformed inputs before pass_length[128] can be\nwritten out of bounds.\n\n------------------------------------------\n\n[Reference]\nhttps://github.com/osamu620/OpenHTJ2K/releases/tag/v0.18.4\nhttps://github.com/osamu620/OpenHTJ2K/releases\n\n------------------------------------------\n\n[Discoverer]\nKANG DAEUN (SANGMYUNG UNIVERSITY, https://github.com/Daeun2046)\nOH HAN GUEL (SANGMYUNG UNIVERSITY, https://github.com/5asever40-a11y)\n", "creation_timestamp": "2026-07-10T12:26:14.303646Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/107e1a3c-415b-48d5-8473-1a371d7cdb6f/export</guid>
      <pubDate>Fri, 10 Jul 2026 12:26:14 +0000</pubDate>
    </item>
  </channel>
</rss>
