Description
Improper Control of Generation of Code ('Code Injection') vulnerability in liuyueyi quick-media (plugins/svg-plugin/batik-codec-fix/src/main/java/org/apache/batik/ext/awt/image/codec/png modules). This vulnerability is associated with program files PNGImageEncoder.Java.

This issue affects quick-media: before v1.0.
Published: 2026-01-27
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Code Execution via Code Injection
Action: Assess Impact
AI Analysis

Impact

The reported weakness is improper control of code generation in the PNGImageEncoder module of the quick‑media application, which can allow an attacker to inject arbitrary code when the application processes crafted PNG files. The vulnerability, identified as CWE‑94, could lead to execution of attacker‑supplied code, compromising the confidentiality, integrity, and availability of the affected system. No evidence is provided that the flaw enables a denial‑of‑service attack, but code execution would immediately raise the stakes for the application.

Affected Systems

The flaw affects the liuyueyi quick‑media application prior to version 1.0. No later release has been listed as mitigated, and the affected product is identified only by the packages that contain the batik‑codec‑fix PNG modules.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, while the EPSS score of less than 1% signals a low current likelihood of exploitation. The vulnerability is not in the CISA KEV catalogue. The likely attack vector is the processing of malicious PNG images through the plugin: an attacker would need to supply such a file to the application, which may be feasible through local file handling or, if the application exposes a remote endpoint for image uploads, remotely.

Generated by OpenCVE AI on April 18, 2026 at 02:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to quick‑media version 1.0 or later once a patched release is available.
  • Disable or restrict the SVG plugin and batik‑codec‑fix component if they are not required for your deployment.
  • Validate all PNG input files and process them in a protected, sandboxed environment to mitigate potential code injection.
  • Monitor system logs for anomalous PNG processing activity that could indicate an attempt to exploit the vulnerability.

Advisories

Source: Github GHSA
ID: GHSA-8623-9fwr-4cxv
Title: Quick-Media Batik Codec FIX package has Code Injection vulnerability

History

Tue, 27 Jan 2026 21:15:00 +0000

Values added:
  Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 27 Jan 2026 20:30:00 +0000

Values added:
  First Time appeared: Liuyueyi; Liuyueyi quick-media
  Vendors & Products: Liuyueyi; Liuyueyi quick-media

Tue, 27 Jan 2026 08:45:00 +0000

Values added:
  Description: Improper Control of Generation of Code ('Code Injection') vulnerability in liuyueyi quick-media (plugins/svg-plugin/batik-codec-fix/src/main/java/org/apache/batik/ext/awt/image/codec/png modules). This vulnerability is associated with program files PNGImageEncoder.Java. This issue affects quick-media: before v1.0.
  Title: Buffer Write Security Vulnerability in liuyueyi/quick-media
  Weaknesses: CWE-94
  References:
  Metrics (cvssV4_0): {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/S:N/AU:Y/R:U/V:C/RE:M/U:Amber'}


MITRE

Status: PUBLISHED

Assigner: GovTech CSG

Published:

Updated: 2026-01-27T20:46:45.526Z

Reserved: 2026-01-27T08:39:10.281Z

Link: CVE-2026-24806

Vulnrichment

Updated: 2026-01-27T20:46:35.888Z

NVD

Status : Deferred

Published: 2026-01-27T09:15:50.743

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-24806

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T02:30:15Z

Weaknesses