Description
ASPRunner Professional 6.0.766 contains a local buffer overflow vulnerability that allows attackers to cause a denial of service by supplying an excessively long project name. Attackers can paste 180 or more characters into the Project name field during project creation to trigger an application crash.
Published: 2026-04-05
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

ASPRunner Professional 6.0.766 contains a local buffer overflow vulnerability that allows an attacker to supply a project name of 180 or more characters, causing the application to crash and resulting in downtime for the web interface. This flaw arises from copying the input into a fixed-size buffer without bounds checking and is classified as CWE-787. It does not lead to code execution or data disclosure, but it disrupts service availability for users interacting with the application.

Affected Systems

The vulnerability only affects Xlinesoft ASPRunner Professional version 6.0.766. No other versions or products are listed as impacted in the advisory. Users running this specific build should be aware that the defect is tied to the project name input field during project creation.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity. EPSS data is not available and the flaw is not listed in the CISA KEV catalog. Because the attack requires only local access to the application and the exploit consists simply of submitting a long project name, it is likely to be easy for an authenticated or local user to trigger. The result is an application crash and denial of service without privilege escalation or data compromise.

Generated by OpenCVE AI on April 5, 2026 at 23:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify the current ASPRunner Professional version is not 6.0.766
  • Apply any vendor-published patch or upgrade to a later release if available
  • If a patch is not yet available, restrict the length of the project name field to fewer than 180 characters or block inputs exceeding that length
  • Monitor the application for crashes and enforce proper input validation

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 00:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Xlinesoft; Xlinesoft asprunner Professional
Vendors & Products | | Xlinesoft; Xlinesoft asprunner Professional

Mon, 06 Apr 2026 16:45:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sun, 05 Apr 2026 20:45:00 +0000

Type | Values Removed | Values Added
Description | | ASPRunner Professional 6.0.766 contains a local buffer overflow vulnerability that allows attackers to cause a denial of service by supplying an excessively long project name. Attackers can paste 180 or more characters into the Project name field during project creation to trigger an application crash.
Title | | ASPRunner Professional 6.0.766 Local Buffer Overflow DoS
Weaknesses | | CWE-787
References | |
Metrics | | cvssV3_1: {'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}
Metrics | | cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-06T15:24:44.052Z

Reserved: 2026-04-05T12:45:39.066Z

Link: CVE-2019-25659

Vulnrichment

Updated: 2026-04-06T15:24:38.811Z

NVD

Status: Deferred

Published: 2026-04-05T21:16:42.707

Modified: 2026-04-16T16:15:56.380

Link: CVE-2019-25659

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-06T21:56:18Z
