Description
A vulnerability has been found in AutohomeCorp frostmourne up to 1.0. This affects the function scriptEngine.eval of the file ExpressionRule.java of the component Oracle Nashorn JavaScript Engine. Such manipulation of the argument EXPRESSION leads to code injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-03-12
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Now
AI Analysis

Impact

A code injection flaw exists in the scriptEngine.eval call within ExpressionRule.java of the AutohomeCorp Frostmourne product. The EXPRESSION argument is handed to the Oracle Nashorn JavaScript engine for evaluation, so an attacker who controls it can supply arbitrary JavaScript. Because a default Nashorn engine exposes Java classes to scripts through Java.type() and the Packages namespace unless it is created with a ClassFilter, this amounts to arbitrary Java code execution with the privileges of the Frostmourne JVM process, not merely JavaScript evaluation. The weakness maps to CWE-94 (Improper Control of Generation of Code, 'Code Injection') and CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, 'Injection').

Affected Systems

AutohomeCorp Frostmourne versions up to and including 1.0 are affected. No later version information is provided.

Risk and Exploitability

The 5.3 score is the CVSS 4.0 base score; the CVSS 3.x vectors recorded below score 6.3. All vectors carry PR:L, meaning the attacker needs a low-privileged account on the application, which is why the rating is only Medium despite the remote, low-complexity attack path. The EPSS score of less than 1% suggests a low probability of exploitation in the wild at present, and the vulnerability is not listed in the CISA KEV catalog, although the SSVC record marks Exploitation as 'poc', i.e. public proof-of-concept code exists. An attacker with such an account exploits the flaw remotely by submitting a crafted EXPRESSION value to the vulnerable rule endpoint; successful exploitation yields code execution in the context of the Frostmourne JVM process.

Generated by OpenCVE AI on March 18, 2026 at 15:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Contact AutohomeCorp to request a remediation or patch release
  • Monitor AutohomeCorp’s security advisories for fixes and apply a patch when released
  • Restrict network access to any component that invokes scriptEngine.eval until a fix is deployed
  • If feasible, disable or remove the vulnerable functionality to eliminate the attack surface
  • Restrict the EXPRESSION parameter to an allow-list grammar (metric names, numeric literals, comparison and boolean operators) rather than filtering known-bad strings, and create the Nashorn engine with a ClassFilter that denies script access to Java classes as a second layer
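The pattern the Impact section describes, and the allow-list plus ClassFilter mitigation the last recommended action asks for, as an added example. This is illustrative code written for this page, not frostmourne's ExpressionRule.java (which the page does not reproduce): the metric names, the PROBE expression and the rule grammar are assumptions. It targets the Nashorn shipped with JDK 8 to 14 (package jdk.nashorn.api.scripting); with the standalone Nashorn used on JDK 15+, change the package to org.openjdk.nashorn.api.scripting.

```java
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.script.Bindings;
import javax.script.ScriptEngine;
import javax.script.ScriptEngineManager;
import javax.script.ScriptException;
import jdk.nashorn.api.scripting.ClassFilter;
import jdk.nashorn.api.scripting.NashornScriptEngineFactory;

public class ExpressionRuleDemo {

    // Constructed alert-rule inputs; the metric names are assumptions, not frostmourne's.
    private static final Map<String, Object> METRICS = Map.of("cpu", 97.0, "errorRate", 0.2);

    // Benign probe proving that Java classes are reachable from a rule expression.
    private static final String PROBE = "Java.type('java.lang.System').getProperty('java.version')";

    // Vulnerable pattern: an attacker-controlled rule goes straight into a default
    // Nashorn engine, where Java.type()/Packages expose the whole JVM (CWE-94).
    static Object evalUnsafe(String expression, Map<String, Object> metrics) throws ScriptException {
        ScriptEngine engine = new ScriptEngineManager().getEngineByName("nashorn");
        Bindings scope = engine.createBindings();
        scope.putAll(metrics);
        return engine.eval(expression, scope);
    }

    // Layer 1: allow-list grammar for a rule. Only metric names, numeric literals,
    // comparison/boolean/arithmetic operators, parentheses and whitespace may appear,
    // so quotes, brackets, '$', ';', assignment and unknown identifiers (Java, this,
    // exit, load, ...) are rejected before anything reaches the engine.
    private static final Pattern TOKEN = Pattern.compile(
        "\\s+|[0-9]+(?:\\.[0-9]+)?|(?<id>[A-Za-z_][A-Za-z0-9_]*)|&&|\\|\\||[<>=!]=|[<>()+\\-*/%!]");

    static boolean isAllowedRule(String expression, Set<String> knownMetrics) {
        Matcher m = TOKEN.matcher(expression);
        int pos = 0;
        while (pos < expression.length()) {
            m.region(pos, expression.length());
            if (!m.lookingAt()) {
                return false;                       // character outside the grammar
            }
            String id = m.group("id");
            if (id != null && !knownMetrics.contains(id)) {
                return false;                       // bare identifier is not a metric
            }
            pos = m.end();
        }
        return true;
    }

    // Layer 2: an engine whose ClassFilter exposes no Java class to script code,
    // so Java.type('java.lang.Runtime') fails even if layer 1 were bypassed.
    static ScriptEngine sandboxedEngine() {
        ClassFilter denyAll = className -> false;
        return new NashornScriptEngineFactory().getScriptEngine(denyAll);
    }

    static Object evalHardened(String expression, Map<String, Object> metrics) throws ScriptException {
        if (!isAllowedRule(expression, metrics.keySet())) {
            throw new IllegalArgumentException("rule rejected by allow-list: " + expression);
        }
        ScriptEngine engine = sandboxedEngine();
        Bindings scope = engine.createBindings();
        scope.putAll(metrics);
        return engine.eval(expression, scope);
    }

    public static void main(String[] args) throws Exception {
        // Unsafe path: the probe returns the JVM version, i.e. arbitrary Java is reachable.
        System.out.println("unsafe engine reached Java: " + evalUnsafe(PROBE, METRICS));

        // Hardened path: a legitimate rule still evaluates (prints true for these metrics).
        System.out.println("rule result: " + evalHardened("cpu > 90 && errorRate > 0.1", METRICS));

        // Hardened path: the probe never reaches the engine.
        try {
            evalHardened(PROBE, METRICS);
        } catch (IllegalArgumentException e) {
            System.out.println("layer 1: " + e.getMessage());
        }

        // ClassFilter alone: skip validation and hand the probe to the sandboxed engine.
        try {
            sandboxedEngine().eval(PROBE);
        } catch (Exception e) {
            System.out.println("layer 2 blocked Java.type: " + e);
        }
    }
}
```

The grammar check is the primary control; the ClassFilter is defence in depth, not a sandbox. Nashorn's global functions exit(), quit() and load() remain callable under a ClassFilter (load() accepts file paths and URLs), and a rule can still spin in a loop and exhaust the evaluating thread, so neither layer makes it safe to accept rules from untrusted authors. Since the vectors require only a low-privileged account (PR:L), also review who is allowed to create or edit rules at all.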


Advisories

No advisories yet.

History

Thu, 12 Mar 2026 14:15:00 +0000

Type: Metrics
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 12 Mar 2026 10:15:00 +0000

Type: First Time appeared
Values added: Autohomecorp, Autohomecorp frostmourne
Type: Vendors & Products
Values added: Autohomecorp, Autohomecorp frostmourne

Thu, 12 Mar 2026 00:45:00 +0000

Type: Description
Values added: A vulnerability has been found in AutohomeCorp frostmourne up to 1.0. This affects the function scriptEngine.eval of the file ExpressionRule.java of the component Oracle Nashorn JavaScript Engine. Such manipulation of the argument EXPRESSION leads to code injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Type: Title
Values added: AutohomeCorp frostmourne Oracle Nashorn JavaScript ExpressionRule.java scriptEngine.eval code injection
Type: Weaknesses
Values added: CWE-74, CWE-94
Type: References
Type: Metrics
Values added:
  cvssV2_0 {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
  cvssV3_0 {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV3_1 {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-12T13:25:49.428Z

Reserved: 2026-03-11T13:39:11.081Z

Link: CVE-2026-3968

Vulnrichment

Updated: 2026-03-12T13:25:44.913Z

NVD

Status: Deferred

Published: 2026-03-12T01:15:54.990

Modified: 2026-04-22T21:30:26.497

Link: CVE-2026-3968

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T15:36:23Z

Weaknesses