Description
AllPlayer 7.4 contains a local buffer overflow vulnerability in URL handling that allows attackers to overwrite structured exception handling pointers by supplying an excessively long URL string. Attackers can craft a malicious URL, paste it into the Open URL dialog, and trigger SEH-based code execution to run arbitrary commands with user privileges.
Published: 2026-06-04
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

AllPlayer 7.4 contains a local buffer overflow in its URL handling logic that allows an attacker to overwrite structured exception handling pointers. By supplying an excessively long URL string to the Open URL dialog, a malicious user can force the application to execute SEH-based code, leading to the ability to run arbitrary commands with the privileges of the logged‑in user. This local code execution can compromise the entire operating system if the user has administrative rights.

Affected Systems

The vulnerability is limited to the AllPlayer 7.4 build from the Allplayer vendor. No other versions or vendors are indicated as affected in the available data.

Risk and Exploitability

The CVSS score of 8.6 indicates a high severity risk. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting it has not yet been widely exploited. The attack vector is inferred to be local: an attacker must be able to cause a user to paste a crafted URL into the Open URL dialog or otherwise invoke the vulnerable functionality. Given the high severity and local privilege escalation potential, the risk to users remains significant until mitigated.

Generated by OpenCVE AI on June 4, 2026 at 15:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Uninstall AllPlayer 7.4 to eliminate the vulnerable code.
  • Disable or restrict the Open URL dialog so users cannot supply arbitrary URLs, using local security settings or group policy.
  • If a vendor patch is released, apply it immediately to remove the vulnerability.

Generated by OpenCVE AI on June 4, 2026 at 15:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 04 Jun 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 04 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Allplayer
Allplayer allplayer
Vendors & Products Allplayer
Allplayer allplayer

Thu, 04 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Description AllPlayer 7.4 contains a local buffer overflow vulnerability in URL handling that allows attackers to overwrite structured exception handling pointers by supplying an excessively long URL string. Attackers can craft a malicious URL, paste it into the Open URL dialog, and trigger SEH-based code execution to run arbitrary commands with user privileges.
Title AllPlayer 7.4 Local Buffer Overflow via SEH Unicode
Weaknesses CWE-120
References
Metrics cvssV3_1

{'score': 8.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Allplayer Allplayer
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-04T13:57:17.873Z

Reserved: 2026-06-04T10:59:56.441Z

Link: CVE-2019-25735

cve-icon Vulnrichment

Updated: 2026-06-04T13:57:09.677Z

cve-icon NVD

Status : Deferred

Published: 2026-06-04T14:16:31.653

Modified: 2026-06-04T15:00:40.757

Link: CVE-2019-25735

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-04T15:15:16Z

Weaknesses
  • CWE-120

    Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')