Description
HNB Organizer 1.9.18-10 contains a local buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying an oversized argument to the -rc command-line parameter. Attackers can craft a malicious input string exceeding 108 bytes containing shellcode and a return address to overwrite the stack and achieve code execution.
Published: 2026-03-28
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Local Arbitrary Code Execution
Action: Immediate Patch
AI Analysis

Impact

HNB Organizer 1.9.18-10 contains a local buffer overflow that is triggered by the -rc command‑line parameter. When an attacker supplies an argument longer than 108 bytes, the string is copied into a fixed‑size buffer on the stack, leading to an overwrite of the return address. This allows the attacker to place shellcode and a forged address on the stack, so the program can be redirected to execute arbitrary code. The vulnerability can be leveraged by any user with local access to the system, giving the attacker control over the application_process and potentially the underlying operating system depending on privileges.

Affected Systems

The issue affects the HNB Organizer software, provided by HNB, specifically version 1.9.18-10 of the Hierarchical Notebook project. No other product or version information is listed in the CVE record.

Risk and Exploitability

The CVSS score of 8.6 indicates a high severity, but the EPSS score of less than 1 percent suggests that exploitation is currently rare and there are no active widespread attacks documented. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires local access to the target machine, so it is a local attack vector. Because it is a stack buffer overflow with controllable return address, attackers can achieve remote code execution if they can supply a crafted input through the command line.

Generated by OpenCVE AI on April 8, 2026 at 21:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest HNB Organizer release that contains the buffer‑overflow patch.
  • If an upgrade is not immediately possible, restrict local user permissions to the HNB application directory or run the application under a non‑privileged account.
  • Monitor local system logs for suspicious command-line activity that supplies the -rc parameter with unusually long arguments.
  • Check the vendor’s website or the SourceForge project page for any unofficial patches or security notifications.

Generated by OpenCVE AI on April 8, 2026 at 21:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Hnb Project
Hnb Project hierarchical Notebook
CPEs cpe:2.3:a:hnb_project:hierarchical_notebook:*:*:*:*:*:*:*:*
Vendors & Products Hnb Project
Hnb Project hierarchical Notebook

Mon, 30 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 30 Mar 2026 07:15:00 +0000

Type Values Removed Values Added
First Time appeared Hnb
Hnb hnb
Vendors & Products Hnb
Hnb hnb

Sat, 28 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Description HNB Organizer 1.9.18-10 contains a local buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying an oversized argument to the -rc command-line parameter. Attackers can craft a malicious input string exceeding 108 bytes containing shellcode and a return address to overwrite the stack and achieve code execution.
Title HNB Organizer 1.9.18-10 Local Buffer Overflow via -rc Parameter
Weaknesses CWE-787
References
Metrics cvssV3_1

{'score': 8.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Hnb Hnb
Hnb Project Hierarchical Notebook
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-30T18:08:37.705Z

Reserved: 2026-03-28T11:38:52.207Z

Link: CVE-2016-20045

cve-icon Vulnrichment

Updated: 2026-03-30T18:08:33.923Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-28T12:16:00.630

Modified: 2026-04-08T20:41:56.020

Link: CVE-2016-20045

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-09T08:29:33Z

Weaknesses