Description
An issue in Lymphatus caesium-image-compressor All versions up to and including commit 02da2c6 allows a local attacker to execute arbitrary code via the shutdownMachine and putMachineToSleep functions in PostCompressionActions.cpp
Published: 2026-05-04
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows a local attacker to invoke the shutdownMachine and putMachineToSleep functions in PostCompressionActions.cpp to execute arbitrary code on the host system. This grants the attacker direct control over the process that terminates or suspends the machine, enabling the launch of malicious payloads or further system compromise.

Affected Systems

The flaw exists in all current releases of the caesium-image-compressor project hosted by Lymphatus up to and including commit 02da2c6. No specific product version numbers are provided beyond the commit identifier, but every version before the referenced commit is affected.

Risk and Exploitability

Because the attack requires local access to run the application, exploitation is limited to users who can execute the compressor binary. The CVSS score of 7.8 indicates a high severity of local code execution, while the EPSS score is < 1% and the vulnerability is not listed in CISA KEV, suggesting no publicly known exploits at this time. Nonetheless, local code execution remains a high‑impact condition, and an attacker who gains local user capability can take full control of the affected system.

Generated by OpenCVE AI on May 5, 2026 at 19:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade caesium-image-compressor to a version released after commit 02da2c6, which removes the insecure shutdownMachine and putMachineToSleep functions (the fix is included in pull request #376).
  • If an upgrade cannot be performed immediately, replace or patch the PostCompressionActions.cpp module to remove or neutralize the problematic functions so that the program cannot be invoked to trigger arbitrary code.
  • Ensure that only trusted users and processes can execute caesium-image-compressor by restricting file permissions and limiting write access to the application binaries and configuration files.

Generated by OpenCVE AI on May 5, 2026 at 19:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 06 May 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Lymphatus
Lymphatus caesium-image-compressor
Vendors & Products Lymphatus
Lymphatus caesium-image-compressor

Tue, 05 May 2026 19:45:00 +0000

Type Values Removed Values Added
Title Local Code Execution via Insecure Functions in caesium-image-compressor

Tue, 05 May 2026 18:30:00 +0000

Type Values Removed Values Added
Title Local Code Execution via Lifecycle Functions in caesium-image-compressor
Weaknesses CWE-269
CWE-78

Tue, 05 May 2026 16:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-77
CWE-94
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 04 May 2026 17:45:00 +0000

Type Values Removed Values Added
Title Local Code Execution via Lifecycle Functions in caesium-image-compressor
Weaknesses CWE-269
CWE-78

Mon, 04 May 2026 16:00:00 +0000

Type Values Removed Values Added
Description An issue in Lymphatus caesium-image-compressor All versions up to and including commit 02da2c6 allows a local attacker to execute arbitrary code via the shutdownMachine and putMachineToSleep functions in PostCompressionActions.cpp
References

Subscriptions

Lymphatus Caesium-image-compressor
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-05T16:03:21.331Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-36365

cve-icon Vulnrichment

Updated: 2026-05-05T15:51:11.032Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-04T16:16:02.053

Modified: 2026-05-07T15:53:49.717

Link: CVE-2026-36365

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-06T09:22:48Z

Weaknesses