Description
Deluge 1.3.15 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the URL field. Attackers can paste a buffer of 5000 characters into the 'From URL' field during torrent addition to trigger an application crash.
Published: 2026-03-22
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

Deluge 1.3.15 contains a denial of service vulnerability that can be triggered by entering an excessively long string into the "From URL" field when adding a torrent. When a local user supplies a buffer of 5000 characters, the application crashes, rendering the client unusable. The weakness is a buffer overflow involving improper string handling (CWE‑466). The impact is limited to availability of the application for the affected account but can be disruptive in environments where Deluge is used for automated torrent handling.

Affected Systems

The vulnerability affects the Deluge torrent client, specifically version 1.3.15. No other versions or products are listed as affected.

Risk and Exploitability

The CVSS score of 6.9 indicates a medium severity risk. EPSS data is unavailable, but the vulnerability is local and requires an attacker to have access to the Deluge client or to a user on the same machine. The vulnerability is not listed in CISA’s KEV catalog. Attackers could exploit the flaw by simply opening the client and entering a long URL into the interface, causing a crash without additional privileges.

Generated by OpenCVE AI on March 22, 2026 at 01:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Deluge to a version newer than 1.3.15
  • If an upgrade is not possible, enforce a maximum length on the URL input (e.g., limit to fewer than 5000 characters) to prevent overflow
  • Monitor the client for unexpected crashes and review logs for repeated denial of service events

Generated by OpenCVE AI on March 22, 2026 at 01:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 23 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sun, 22 Mar 2026 00:30:00 +0000

Type Values Removed Values Added
Description Deluge 1.3.15 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the URL field. Attackers can paste a buffer of 5000 characters into the 'From URL' field during torrent addition to trigger an application crash.
Title Deluge 1.3.15 Denial of Service via URL Field
First Time appeared Deluge-torrent
Deluge-torrent deluge
Weaknesses CWE-466
CPEs cpe:2.3:a:deluge-torrent:deluge:1.3.15:*:*:*:*:*:*:*
Vendors & Products Deluge-torrent
Deluge-torrent deluge
References
Metrics cvssV3_1

{'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Deluge-torrent Deluge
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-23T16:31:56.682Z

Reserved: 2026-03-21T16:46:03.499Z

Link: CVE-2019-25586

cve-icon Vulnrichment

Updated: 2026-03-23T16:31:46.898Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-22T01:16:56.697

Modified: 2026-03-24T14:41:36.730

Link: CVE-2019-25586

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T14:46:53Z

Weaknesses