Description
CEWE PHOTO SHOW 6.4.3 contains a denial of service vulnerability that allows attackers to crash the application by submitting an excessively long buffer to the password field. Attackers can paste a large string of repeated characters into the password input during the upload process to trigger an application crash.
Published: 2026-03-21
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

CEWE PHOTO SHOW 6.4.3 suffers a denial of service flaw rooted in an unhandled buffer overrun in the password field. An attacker can submit an excessively long string of repeated characters during the upload process, which causes the application to crash. The weakness is classified as CWE‑836, representing a buffer overflow that directly leads to a loss of availability for legitimate users, with no reported impact on confidentiality or integrity.

Affected Systems

The vulnerability affects only the 6.4.3 release of CEWE PHOTO SHOW distributed by Cewe‑Photoworld. No other versions or vendors have been identified as susceptible based on the available data.

Risk and Exploitability

The issue carries a CVSS score of 8.7, classifying it as high severity. An EPSS score of less than 1% indicates a low likelihood of exploitation in the wild, and the vulnerability is not listed in CISA’s KEV catalog. The attack vector is inferred to be remote via the web‑based upload interface, where an attacker can supply an oversized password field to trigger the crash.

Generated by OpenCVE AI on April 10, 2026 at 03:51 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade CEWE PHOTO SHOW to a version without the vulnerability or apply any vendor‑issued patch when available.
  • Restart the CEWE PHOTO SHOW service after a crash to restore availability.
  • Verify that the application no longer crashes by monitoring logs or performing a test upload with a large password string.

Advisories

No advisories yet.

History

Fri, 10 Apr 2026 01:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Cewe
                                      Cewe photo Show
CPEs                                  cpe:2.3:a:cewe:photo_show:6.4.3:*:*:*:*:*:*:*
Vendors & Products                    Cewe
                                      Cewe photo Show

Mon, 23 Mar 2026 18:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Mar 2026 10:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Cewe-photoworld
                                      Cewe-photoworld cewe Photo Show
Vendors & Products                    Cewe-photoworld
                                      Cewe-photoworld cewe Photo Show

Sat, 21 Mar 2026 13:00:00 +0000

Type         Values Removed   Values Added
Description                   CEWE PHOTO SHOW 6.4.3 contains a denial of service vulnerability that allows attackers to crash the application by submitting an excessively long buffer to the password field. Attackers can paste a large string of repeated characters into the password input during the upload process to trigger an application crash.
Title                         CEWE PHOTO SHOW 6.4.3 Denial of Service via Password Field
Weaknesses                    CWE-836
References
Metrics                       cvssV3_1
                              {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}
                              cvssV4_0
                              {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-23T16:55:40.662Z

Reserved: 2026-03-21T12:29:06.207Z

Link: CVE-2019-25552

Vulnrichment

Updated: 2026-03-23T16:52:22.393Z

NVD

Status : Analyzed

Published: 2026-03-21T13:16:17.507

Modified: 2026-04-10T01:20:49.400

Link: CVE-2019-25552

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-10T09:46:24Z

Weaknesses