Description
ASPRunner.NET 10.1 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the table name field. Attackers can input a buffer of 10000 characters in the table name parameter during database table creation to trigger an application crash.
Published: 2026-03-22
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

The vulnerability allows a local attacker to cause the ASPRunner.NET application to crash by submitting an excessively long string in the table name field during database table creation. This results in a denial of service as the application terminates unexpectedly. The weakness corresponds to CWE‑807, which is a buffer overflow via string handling.

Affected Systems

This flaw exists in Xlinesoft's ASPRunner.NET version 10.1. Any deployment of that version is susceptible when users can create database tables through the web interface.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate to high impact, and the EPSS score is unavailable, suggesting limited public data on exploit frequency. Attackers need local access to the application and must be able to trigger table creation to send a 10,000‑character string. No known public patches are listed, and the vulnerability is not in CISA's KEV catalog, but an exploit is documented on Exploit‑DB, implying the problem is actively exploitable. The risk is therefore significant for environments where the application is not adequately restricted.

Generated by OpenCVE AI on March 22, 2026 at 14:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply an official patch or upgrade ASPRunner.NET to a version that addresses the issue.
  • If a patch is not available, restrict or disable the ability to create new database tables via the application, limiting the endpoint to trusted users.
  • Implement input validation or length limits on the table name field at the application or web server level.
  • Monitor logs for attempts to create tables with unusually long names and investigate.
  • Contact Xlinesoft support for guidance on mitigating the vulnerability until a patch is released.

Generated by OpenCVE AI on March 22, 2026 at 14:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 24 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sun, 22 Mar 2026 13:45:00 +0000

Type Values Removed Values Added
Description ASPRunner.NET 10.1 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the table name field. Attackers can input a buffer of 10000 characters in the table name parameter during database table creation to trigger an application crash.
Title ASPRunner.NET 10.1 Denial of Service via Table Name Field
First Time appeared Xlinesoft
Xlinesoft phprunner
Weaknesses CWE-807
CPEs cpe:2.3:a:xlinesoft:phprunner:10.1:*:*:*:*:*:*:*
Vendors & Products Xlinesoft
Xlinesoft phprunner
References
Metrics cvssV3_1

{'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Xlinesoft Phprunner
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-24T15:14:49.550Z

Reserved: 2026-03-22T12:54:32.136Z

Link: CVE-2019-25594

cve-icon Vulnrichment

Updated: 2026-03-24T14:01:16.540Z

cve-icon NVD

Status : Deferred

Published: 2026-03-22T14:16:26.220

Modified: 2026-04-16T16:19:50.757

Link: CVE-2019-25594

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T14:46:22Z

Weaknesses