Description
VSCO 1.1.1.0 contains a denial of service vulnerability that allows local attackers to crash the application by submitting an excessively long string through the search functionality. Attackers can paste a buffer of 5000 characters into the search bar and navigate back to trigger an application crash.
Published: 2026-04-04
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

VSCO version 1.1.1.0 contains a flaw that lets a local attacker trigger a denial of service by entering an excessively long string into the search box. The application fails to validate the length of the search text and crashes when a buffer of 5000 characters is submitted, forcing the user to close and restart the program. This weakness falls under CWE‑1260 and affects only the availability of the app, not data confidentiality or integrity.

Affected Systems

The vulnerability is limited to the VSCO application released as version 1.1.1.0, as listed by the CNA. All installations of this build, running on Windows devices via the Microsoft Store, are susceptible. No earlier or later releases are known to be affected.

Risk and Exploitability

The CVSS score of 6.9 signals moderate to high severity, yet the EPSS score is unknown and the vulnerability is not in CISA’s KEV list, suggesting limited exploitation to date. The flaw requires local access or privileged use of the device; an attacker must have the ability to launch VSCO and enter a long string. The resulting crash merely halts the application, restoring functionality only after a restart, which makes it a moderate operational risk rather than a threat to data or system integrity.

Generated by OpenCVE AI on April 4, 2026 at 18:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade VSCO to the latest available version where the search input length check is fixed.
  • If an update cannot be applied immediately, refrain from using the search function and restart the application manually whenever a crash occurs.

Generated by OpenCVE AI on April 4, 2026 at 18:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Vsco
Vsco vsco
Vendors & Products Vsco
Vsco vsco

Mon, 06 Apr 2026 20:00:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 04 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
References

Sat, 04 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Description Microsoft VSCO 1.1.1.0 contains a denial of service vulnerability that allows local attackers to crash the application by submitting an excessively long string through the search functionality. Attackers can paste a buffer of 5000 characters into the search bar and navigate back to trigger an application crash. VSCO 1.1.1.0 contains a denial of service vulnerability that allows local attackers to crash the application by submitting an excessively long string through the search functionality. Attackers can paste a buffer of 5000 characters into the search bar and navigate back to trigger an application crash.
Title Microsoft VSCO 1.1.1.0 Denial of Service via Search VSCO 1.1.1.0 Denial of Service via Search

Sat, 04 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description Microsoft VSCO 1.1.1.0 contains a denial of service vulnerability that allows local attackers to crash the application by submitting an excessively long string through the search functionality. Attackers can paste a buffer of 5000 characters into the search bar and navigate back to trigger an application crash.
Title Microsoft VSCO 1.1.1.0 Denial of Service via Search
Weaknesses CWE-1260
References
Metrics cvssV3_1

{'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Vsco Vsco
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-06T18:02:54.326Z

Reserved: 2026-04-04T13:15:48.251Z

Link: CVE-2018-25238

cve-icon Vulnrichment

Updated: 2026-04-06T17:59:52.544Z

cve-icon NVD

Status : Deferred

Published: 2026-04-04T14:16:19.120

Modified: 2026-04-16T16:15:56.380

Link: CVE-2018-25238

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-06T21:57:49Z

Weaknesses