Description
Valentina Studio 9.0.4 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the Host field. Attackers can trigger the crash by pasting a 256-byte buffer of repeated characters into the Host parameter during server connection attempts.
Published: 2026-03-30
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

Valentina Studio 9.0.4 contains a local denial of service vulnerability caused by a buffer overflow in the Host field when establishing a server connection. An attacker who can enter a 256‑byte string of repeated characters can force the application to crash, disrupting availability. This weakness is identified as CWE‑466: Buffer Overflow.

Affected Systems

The flaw affects the Valentina-Db suite’s Valentina Studio, specifically version 9.0.4. The issue is local, requiring an attacker to have access to the user’s desktop or a compromised session to supply the malicious Host value.

Risk and Exploitability

The CVSS score of 6.9 indicates medium severity for a local two‑party attacker. The EPSS score of less than 1% suggests a very low likelihood of exploitation in the wild. Valentina Studio is not listed in the CISA KEV catalog, and the attack vector is inferred to be local, as it requires direct interaction with the application.

Generated by OpenCVE AI on April 8, 2026 at 20:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Valentina Studio to a version that includes the host‑parameter handling fix, such as 9.0.5 or newer.
  • Verify that the Host field accepts only valid values and that the application terminates gracefully with malformed input after the upgrade.

Generated by OpenCVE AI on April 8, 2026 at 20:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Valentina-db studio
CPEs cpe:2.3:a:valentina-db:studio:*:*:*:*:*:*:*:*
Vendors & Products Valentina-db studio

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Valentina-db
Valentina-db valentina Studio
Vendors & Products Valentina-db
Valentina-db valentina Studio

Mon, 30 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 30 Mar 2026 11:15:00 +0000

Type Values Removed Values Added
Description Valentina Studio 9.0.4 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the Host field. Attackers can trigger the crash by pasting a 256-byte buffer of repeated characters into the Host parameter during server connection attempts.
Title Valentina Studio 9.0.4 Denial of Service via Host Parameter
Weaknesses CWE-466
References
Metrics cvssV3_1

{'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Valentina-db Studio Valentina Studio
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-30T13:39:24.628Z

Reserved: 2026-03-30T10:53:51.466Z

Link: CVE-2018-25227

cve-icon Vulnrichment

Updated: 2026-03-30T13:39:21.436Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-30T12:16:15.940

Modified: 2026-04-08T18:31:01.117

Link: CVE-2018-25227

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-09T08:29:27Z

Weaknesses