Description
Out-of-bounds Read vulnerability in praydog UEVR (dependencies/lua/src modules). This vulnerability is associated with program files lparser.C.

This issue affects UEVR: before 1.05.
Published: 2026-01-27
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Patch
AI Analysis

Impact

A heap-based buffer over-read in praydog's UEVR system occurs in the file lparser.C when compiling untrusted Lua code. The vulnerability allows an attacker to read memory beyond the intended buffer, potentially exposing sensitive information stored in adjacent memory areas. This flaw is classified as CWE-125 and results in a moderate CVSS score of 6.9, indicating that while it does not provide direct code execution, it can leak confidential data that may aid further attacks.

Affected Systems

The flaw is present in all versions of praydog UEVR prior to 1.05. Upgrading to version 1.05 or later removes the affected code path and mitigates the read underflow.

Risk and Exploitability

The EPSS score for this vulnerability is less than 1%, indicating a very low likelihood of exploitation in the wild. It is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attack vector requires execution of untrusted Lua code within the UEVR environment; an attacker would need to provide specially crafted input that triggers the lparser.C over-read. The moderate CVSS score reflects the confidentiality impact rather than an integrity or availability breach.

Generated by OpenCVE AI on April 18, 2026 at 14:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to praydog UEVR version 1.05 or later
  • Disable execution of untrusted Lua code until the patch is applied
  • Validate Lua script inputs to prevent malformed data

Generated by OpenCVE AI on April 18, 2026 at 14:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://github.com/praydog/UEVR/pull/337 cve-icon cve-icon
History

Tue, 27 Jan 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 27 Jan 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Praydog
Praydog uevr
Vendors & Products Praydog
Praydog uevr

Tue, 27 Jan 2026 09:00:00 +0000

Type Values Removed Values Added
Description Out-of-bounds Read vulnerability in praydog UEVR (dependencies/lua/src modules). This vulnerability is associated with program files lparser.C. This issue affects UEVR: before 1.05.
Title A heap-based buffer over-read that might affect a system that compiles untrusted Lua code in praydog/UEVR
Weaknesses CWE-125
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:L/SI:N/SA:L/S:N/AU:Y/R:U/V:D/RE:L/U:Amber'}

Subscriptions

Praydog Uevr
cve-icon MITRE

Status: PUBLISHED

Assigner: GovTech CSG

Published:

Updated: 2026-01-27T20:36:09.549Z

Reserved: 2026-01-27T08:48:56.893Z

Link: CVE-2026-24818

cve-icon Vulnrichment

Updated: 2026-01-27T20:36:06.110Z

cve-icon NVD

Status : Deferred

Published: 2026-01-27T09:15:52.383

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-24818

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T15:00:03Z

Weaknesses