Description
PHPRunner 10.1 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the dashboard name field. Attackers can paste a buffer of 10000 characters into the Name field during dashboard creation to trigger an application crash.
Published: 2026-03-22
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

A local attacker can cause PHPRunner to crash by submitting an excessively long string in the dashboard name field during dashboard creation. The resulting application crash leads to interruption of service and loss of availability for any users relying on that instance.

Affected Systems

The vulnerability affects Xlinesoft PHPRunner 10.1. It may also impact earlier releases such as 4.2 since the same input field is present, but only 10.1 is confirmed. The issue is limited to systems running the affected version of PHPRunner and requires a locally authenticated user with UI access to create dashboards.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity. No exploitation code is publicly available (EPSS not available), and the vulnerability is not listed in the CISA KEV catalog. The attack requires local access to the web interface and is limited to user-initiated input. While the exploit is unlikely to allow remote code execution, it can repeatedly render the application unusable, creating a practical denial of service risk for businesses deploying PHPRunner.

Generated by OpenCVE AI on March 22, 2026 at 14:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the vendor's website for a patch or newer PHPRunner version that fixes the input length validation; apply the update as soon as possible.
  • If a patch is unavailable, implement custom input validation to restrict the dashboard name length to a safe value, such as 255 characters, to prevent the crash.

Advisories

No advisories yet.

History

Mon, 23 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 22 Mar 2026 13:45:00 +0000

Type Values Removed Values Added
Description PHPRunner 10.1 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the dashboard name field. Attackers can paste a buffer of 10000 characters into the Name field during dashboard creation to trigger an application crash.
Title PHPRunner 10.1 Denial of Service via Dashboard Name Field
First Time appeared Xlinesoft
Xlinesoft phprunner
Weaknesses CWE-1260
CPEs cpe:2.3:a:xlinesoft:phprunner:-:*:*:*:*:*:*:*
cpe:2.3:a:xlinesoft:phprunner:10.1:*:*:*:*:*:*:*
cpe:2.3:a:xlinesoft:phprunner:4.2:*:*:*:*:*:*:*
Vendors & Products Xlinesoft
Xlinesoft phprunner
References
Metrics cvssV3_1

{'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-23T16:04:17.974Z

Reserved: 2026-03-22T12:53:14.849Z

Link: CVE-2019-25592

Vulnrichment

Updated: 2026-03-23T16:04:08.792Z

NVD

Status: Deferred

Published: 2026-03-22T14:16:25.830

Modified: 2026-04-16T16:19:50.757

Link: CVE-2019-25592

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:46:24Z
