Impact
The vulnerability is a local buffer overflow (CWE-120) in VX Search 10.6.18. An attacker can submit an oversized string in the directory field, made up of 271 bytes of junk data followed by a crafted return address, which overwrites the instruction pointer. Successful exploitation allows execution of arbitrary code with the privileges of the running application, compromising system integrity. The description indicates that the flaw is triggered when the application processes a user-supplied file, implying that the attack vector is local and requires the ability to provide such a file to the application.
Affected Systems
VX Search 10.6.18 is the affected product. The CNA reports both the vendor and the product name as VX Search. Only this exact version is listed as vulnerable; no newer releases are identified in the data.
Risk and Exploitability
The CVSS base score of 8.6 indicates a high-severity vulnerability. EPSS information is not available. The existence of a documented exploit demonstrates that local exploitation is feasible by supplying a malicious file. The issue is not currently listed in the CISA KEV catalog. Exploitation requires the ability to supply data to the directory field, meaning an attacker must have local or untrusted user access. Once the flaw is exploited, arbitrary code runs with application privileges, potentially leading to further system compromise. Runtime memory protection features such as stack canaries, ASLR, and DEP can reduce the impact of an exploit but do not eliminate the flaw.