Description
One Search 1.1.0.0 contains a denial of service vulnerability that allows local attackers to crash the application by submitting excessively long input strings to the search functionality. Attackers can paste a buffer of 950 or more characters into the search bar to trigger an unhandled exception that crashes the application.
Published: 2026-04-04
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

The vulnerability occurs when the OneSearch search feature receives an input string of 950 or more characters. The long string triggers an unhandled exception, leading to the application terminating unexpectedly. As a result, the software becomes unavailable to users until it is restarted, causing a local denial of service. The weakness corresponds to improper input validation and is identified as CWE-1389.

Affected Systems

The issue affects the OneSearch application version 1.1.0.0. It is distributed as One Search by the vendor OneSearch. Only installations of this specific release are susceptible; newer or older versions are not listed as affected.

Risk and Exploitability

The vulnerability has a CVSS score of 6.9, indicating a moderate severity. No EPSS score is available, and the vulnerability is not included in the CISA KEV catalog, suggesting it is not currently known to be exploited in the wild. The attack requires local access to the machine running the application and the ability to submit a search query, meaning it is limited to privileged users or those who have authenticated locally. Exploitation does not require remote network exposure but could be amplified in environments where the application is exposed to many local users.

Generated by OpenCVE AI on April 4, 2026 at 18:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update OneSearch to a patched version if available from the vendor.
  • Restrict local access to the application by applying firewall rules or network segmentation.
  • Monitor application logs for unusually long search strings and investigate anomalies.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft
Microsoft one Search
Vendors & Products Microsoft
Microsoft one Search

Mon, 06 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 04 Apr 2026 21:15:00 +0000


Sat, 04 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Description
  Removed: Microsoft One Search 1.1.0.0 contains a denial of service vulnerability that allows local attackers to crash the application by submitting excessively long input strings to the search functionality. Attackers can paste a buffer of 950 or more characters into the search bar to trigger an unhandled exception that crashes the application.
  Added: One Search 1.1.0.0 contains a denial of service vulnerability that allows local attackers to crash the application by submitting excessively long input strings to the search functionality. Attackers can paste a buffer of 950 or more characters into the search bar to trigger an unhandled exception that crashes the application.
Title
  Removed: Microsoft One Search 1.1.0.0 Denial of Service
  Added: One Search 1.1.0.0 Denial of Service

Sat, 04 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description Microsoft One Search 1.1.0.0 contains a denial of service vulnerability that allows local attackers to crash the application by submitting excessively long input strings to the search functionality. Attackers can paste a buffer of 950 or more characters into the search bar to trigger an unhandled exception that crashes the application.
Title Microsoft One Search 1.1.0.0 Denial of Service
Weaknesses CWE-1389
References
Metrics cvssV3_1

{'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-06T13:28:11.892Z

Reserved: 2026-04-04T13:18:08.204Z

Link: CVE-2018-25242

Vulnrichment

Updated: 2026-04-06T13:28:05.920Z

NVD

Status: Deferred

Published: 2026-04-04T14:16:19.810

Modified: 2026-04-16T16:15:56.380

Link: CVE-2018-25242

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-06T21:57:45Z
