Description
AdminExpress 1.2.5 contains a denial of service vulnerability that allows local attackers to crash the application by submitting oversized input through the System Compare feature. Attackers can paste a large buffer of characters into the Folder Path field and trigger the comparison function to cause the application to become unresponsive or crash.
Published: 2026-03-22
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

The flaw allows a local attacker to submit an oversized string into the Folder Path field of the System Compare feature, causing the application to become unresponsive or crash and thereby disrupting availability. While the description does not explicitly state a buffer overflow, the absence of bounds checking on this input leads the analyst to infer that a buffer-related issue is at play.

Affected Systems

AdminExpress version 1.2.5 from the vendor Admin‑Express. No other versions or products are listed as impacted.

Risk and Exploitability

The CVSS 4.0 score of 6.9 signifies moderate severity. No EPSS data is available, and the flaw is not listed in the CISA KEV catalog, suggesting limited known exploitation. The description indicates that only local access is required, implying a local attack vector. The lack of bounds checking implies low exploitation complexity, although this is inferred from the description rather than stated in it.

Generated by OpenCVE AI on March 22, 2026 at 15:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest vendor patch or upgrade to a newer release for AdminExpress immediately.
  • If no patch is available, restrict the length of input in the Folder Path field via custom validation or configuration.
  • Monitor application logs for signs of crashes or unresponsiveness to detect potential exploitation attempts.

Advisories

No advisories yet.

History

Tue, 24 Mar 2026 16:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Mar 2026 10:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Admin-express; Admin-express adminexpress
Vendors & Products | | Admin-express; Admin-express adminexpress

Sun, 22 Mar 2026 13:45:00 +0000

Type | Values Removed | Values Added
Description | | AdminExpress 1.2.5 contains a denial of service vulnerability that allows local attackers to crash the application by submitting oversized input through the System Compare feature. Attackers can paste a large buffer of characters into the Folder Path field and trigger the comparison function to cause the application to become unresponsive or crash.
Title | | AdminExpress 1.2.5 Denial of Service via System Compare
Weaknesses | | CWE-73
References | |
Metrics | | cvssV3_1 {'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}
Metrics | | cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-24T15:14:27.527Z

Reserved: 2026-03-22T13:32:07.387Z

Link: CVE-2019-25618

Vulnrichment

Updated: 2026-03-24T14:01:12.228Z

NVD

Status: Deferred

Published: 2026-03-22T14:16:30.693

Modified: 2026-04-16T16:19:50.757

Link: CVE-2019-25618

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:50:40Z

Weaknesses