Description
An issue in Lymphatus caesium-image-compressor All versions up to and including commit 02da2c6 allows a local attacker to execute arbitrary code via the shutdownMachine and putMachineToSleep functions in PostCompressionActions.cpp
Published: 2026-05-04
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows a local attacker to invoke the shutdownMachine and putMachineToSleep functions in PostCompressionActions.cpp to execute arbitrary code on the host system. This grants the attacker direct control over the process that terminates or suspends the machine, enabling the launch of malicious payloads or further system compromise.

Affected Systems

The flaw exists in all current releases of the caesium-image-compressor project hosted by Lymphatus up to and including commit 02da2c6. No specific product version numbers are provided beyond the commit identifier, but every version before the referenced commit is affected.

Risk and Exploitability

Because the attack requires local access to run the application, exploitation is limited to users who can execute the compressor binary. The EPSS score is unavailable and the vulnerability is not listed in CISA KEV, suggesting no publicly known exploits at this time. Nonetheless, local code execution remains a high‑impact condition, and an attacker who gains local user capability can take full control of the affected system.

Generated by OpenCVE AI on May 4, 2026 at 17:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade caesium-image-compressor to a version released after commit 02da2c6, which removes the insecure shutdownMachine and putMachineToSleep functions (the fix is included in pull request #376).
  • If an upgrade cannot be performed immediately, replace or patch the PostCompressionActions.cpp module to remove or neutralize the problematic functions so that the program cannot be invoked to trigger arbitrary code.
  • Ensure that only trusted users and processes can execute caesium-image-compressor by restricting file permissions and limiting write access to the application binaries and configuration files.

Generated by OpenCVE AI on May 4, 2026 at 17:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 04 May 2026 17:45:00 +0000

Type Values Removed Values Added
Title Local Code Execution via Lifecycle Functions in caesium-image-compressor
Weaknesses CWE-269
CWE-78

Mon, 04 May 2026 16:00:00 +0000

Type Values Removed Values Added
Description An issue in Lymphatus caesium-image-compressor All versions up to and including commit 02da2c6 allows a local attacker to execute arbitrary code via the shutdownMachine and putMachineToSleep functions in PostCompressionActions.cpp
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-04T15:15:26.324Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-36365

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-04T16:16:02.053

Modified: 2026-05-04T16:16:02.053

Link: CVE-2026-36365

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-04T17:30:04Z

Weaknesses