Description
Sandboxie 5.30 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the Program Alerts configuration field. Attackers can paste a buffer of 5000 characters into the 'Select or enter a program' field during program alert configuration to trigger an application crash.
Published: 2026-03-21
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

Sandboxie version 5.30 contains a buffer overflow in the Program Alerts configuration that can be triggered by entering an overly long string, such as 5,000 characters, into the "Select or enter a program" field. This vulnerability is a classic memory corruption flaw (CWE-1282 and CWE-1284) and results only in a crash of the application, providing no data disclosure or execution capabilities.

Affected Systems

The vulnerability affects installations of Sandboxie version 5.30 on Windows, including both the standard and classic editions as indicated by the provided CPE data.

Risk and Exploitability

The CVSS score of 6.9 places the flaw in the medium‑high range, but the EPSS score of less than 1% suggests that widespread exploitation is unlikely. Attackers must be able to manipulate the Program Alerts UI locally, so the attack vector is inferred to be local. The vulnerability is not listed in the CISA KEV catalog, and no public exploits have been reported, limiting its risk mainly to interruption of the sandbox service by authorized or disgruntled users.

Generated by OpenCVE AI on March 23, 2026 at 18:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any vendor patch released for Sandboxie 5.30 that addresses the buffer overflow.
  • If a patch is not immediately available, disable the Program Alerts feature or remove existing alert configurations to prevent oversized input.
  • Review and sanitize any existing configuration files or settings that may contain unusually long strings.
  • Consider reverting to a previous stable release of Sandboxie until the vendor issues a fix.

Generated by OpenCVE AI on March 23, 2026 at 18:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 24 Mar 2026 02:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1284
CPEs cpe:2.3:a:sandboxie-plus:sandboxie:5.30:*:*:*:classic:*:*:*

Mon, 23 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Sandboxie
Sandboxie sandboxie
Vendors & Products Sandboxie
Sandboxie sandboxie

Sat, 21 Mar 2026 13:00:00 +0000

Type Values Removed Values Added
Description Sandboxie 5.30 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the Program Alerts configuration field. Attackers can paste a buffer of 5000 characters into the 'Select or enter a program' field during program alert configuration to trigger an application crash.
Title Sandboxie 5.30 Denial of Service via Program Alerts Buffer Overflow
First Time appeared Sandboxie-plus
Sandboxie-plus sandboxie
Weaknesses CWE-1282
CPEs cpe:2.3:a:sandboxie-plus:sandboxie:5.30:*:*:*:*:*:*:*
Vendors & Products Sandboxie-plus
Sandboxie-plus sandboxie
References
Metrics cvssV3_1

{'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Sandboxie Sandboxie
Sandboxie-plus Sandboxie
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-23T20:19:45.197Z

Reserved: 2026-03-21T12:28:57.417Z

Link: CVE-2019-25551

cve-icon Vulnrichment

Updated: 2026-03-23T20:19:36.840Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-21T13:16:17.317

Modified: 2026-03-23T17:06:40.167

Link: CVE-2019-25551

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T14:47:31Z

Weaknesses