Description
Textpad 8.1.2 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long buffer string through the Run command interface. Attackers can paste a 5000-byte payload into the Command field via Tools > Run to trigger a buffer overflow that crashes the application.
Published: 2026-04-22
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Assess Impact
AI Analysis

Impact

Textpad 8.1.2 allows local attackers to crash the program by supplying an overly long string to the Run command. The overflow occurs when a 5000‑byte payload is entered via Tools > Run, triggering the application to terminate. This is a typical buffer overflow flaw (CWE‑787) that results in a denial of service but does not provide arbitrary code execution or impact beyond the crashed process. The vulnerability is limited to the host running the software and does not expose external network interfaces to remote exploitation.

Affected Systems

The affected product is Textpad version 8.1.2. No other versions were reported as vulnerable in the available data. The risk is confined to installations of this specific build and may not extend to later releases.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate severity for local users. EPSS is not provided, so the likelihood of exploitation cannot be quantified. The vulnerability is not listed in the CISA KEV catalog. Attackers must be able to run commands locally to trigger the overflow, which typically requires privileged or at least authenticated user access on the machine. No publicly known exploits are documented, but the exploit path is straightforward and reproducible as described in the advisory.

Generated by OpenCVE AI on April 22, 2026 at 18:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Textpad to a version that fixes the Run command buffer overflow
  • If an upgrade is not immediately available, disable or remove the Run command feature in the application settings
  • Apply local account restrictions to limit which users can access the Run command
  • If the software is not essential, uninstall Textpad 8.1.2 to eliminate the risk

Generated by OpenCVE AI on April 22, 2026 at 18:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Textpad
Textpad textpad
Vendors & Products Textpad
Textpad textpad

Wed, 22 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
Description Textpad 8.1.2 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long buffer string through the Run command interface. Attackers can paste a 5000-byte payload into the Command field via Tools > Run to trigger a buffer overflow that crashes the application.
Title Textpad 8.1.2 Denial of Service via Run Command
First Time appeared Helios
Helios textpad
Weaknesses CWE-787
CPEs cpe:2.3:a:helios:textpad:8.1.2:*:*:*:*:*:*:*
Vendors & Products Helios
Helios textpad
References
Metrics cvssV3_1

{'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Helios Textpad
Textpad Textpad
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-22T15:40:01.102Z

Reserved: 2026-04-22T14:32:51.752Z

Link: CVE-2018-25271

cve-icon Vulnrichment

Updated: 2026-04-22T15:39:58.033Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-22T16:16:47.967

Modified: 2026-04-27T17:13:26.447

Link: CVE-2018-25271

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-27T19:54:54Z

Weaknesses