{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4746", "assignerOrgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "state": "PUBLISHED", "assignerShortName": "GovTech CSG", "dateReserved": "2026-03-24T03:28:09.194Z", "datePublished": "2026-03-24T03:28:20.753Z", "dateUpdated": "2026-03-24T18:25:06.762Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "shortName": "GovTech CSG", "dateUpdated": "2026-03-24T03:28:20.753Z"}, "title": "Heap Buffer Over-Write Vulenrabilty in timeplus-io/proton", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-787", "description": "CWE-787 Out-of-bounds Write", "type": "CWE"}]}], "affected": [{"vendor": "timeplus-io", "product": "proton", "collectionURL": "https://github.com/timeplus-io/proton", "modules": ["base/poco/Foundation/src\u200e"], "programFiles": ["inflate.c"], "versions": [{"status": "affected", "version": "0", "lessThan": "1.6.16", "versionType": "git"}], "defaultStatus": "affected"}], "descriptions": [{"lang": "en", "value": "Out-of-bounds Write vulnerability in timeplus-io proton (base/poco/Foundation/src\u200e modules). This vulnerability is associated with program files inflate.C.\n\nThis issue affects proton: before 1.6.16.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Out-of-bounds Write vulnerability in timeplus-io proton (base/poco/Foundation/src\u200e modules).<p> This vulnerability is associated with program files inflate.C.</p><p>This issue affects proton: before 1.6.16.</p>"}]}], "references": [{"url": "https://github.com/timeplus-io/proton/pull/943", "tags": ["patch"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "exploitMaturity": "ATTACKED", "Safety": "NEGLIGIBLE", "Automatable": "YES", "Recovery": "USER", "valueDensity": "CONCENTRATED", "vulnerabilityResponseEffort": "LOW", "providerUrgency": "AMBER", "version": "4.0", "baseSeverity": "CRITICAL", "baseScore": 10, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/S:N/AU:Y/R:U/V:C/RE:L/U:Amber"}}], "credits": [{"lang": "en", "value": "TITAN Team (titancaproject@gmail.com)", "type": "reporter"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T18:24:58.836377Z", "id": "CVE-2026-4746", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T18:25:06.762Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4746", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-24T18:24:58.836377Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T18:25:03.318Z"}}], "cna": {"title": "Heap Buffer Over-Write Vulenrabilty in timeplus-io/proton", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "reporter", "value": "TITAN Team (titancaproject@gmail.com)"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NEGLIGIBLE", "version": "4.0", "Recovery": "USER", "baseScore": 10, "Automatable": "YES", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "CONCENTRATED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/S:N/AU:Y/R:U/V:C/RE:L/U:Amber", "exploitMaturity": "ATTACKED", "providerUrgency": "AMBER", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "timeplus-io", "modules": ["base/poco/Foundation/src\u200e"], "product": "proton", "versions": [{"status": "affected", "version": "0", "lessThan": "1.6.16", "versionType": "git"}], "programFiles": ["inflate.c"], "collectionURL": "https://github.com/timeplus-io/proton", "defaultStatus": "affected"}], "references": [{"url": "https://github.com/timeplus-io/proton/pull/943", "tags": ["patch"]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Out-of-bounds Write vulnerability in timeplus-io proton (base/poco/Foundation/src\u200e modules). This vulnerability is associated with program files inflate.C.\n\nThis issue affects proton: before 1.6.16.", "supportingMedia": [{"type": "text/html", "value": "Out-of-bounds Write vulnerability in timeplus-io proton (base/poco/Foundation/src\u200e modules).<p> This vulnerability is associated with program files inflate.C.</p><p>This issue affects proton: before 1.6.16.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-787", "description": "CWE-787 Out-of-bounds Write"}]}], "providerMetadata": {"orgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "shortName": "GovTech CSG", "dateUpdated": "2026-03-24T03:28:20.753Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4746", "state": "PUBLISHED", "dateUpdated": "2026-03-24T18:25:06.762Z", "dateReserved": "2026-03-24T03:28:09.194Z", "assignerOrgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "datePublished": "2026-03-24T03:28:20.753Z", "assignerShortName": "GovTech CSG"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Out-of-bounds Write vulnerability in timeplus-io proton (base/poco/Foundation/src\u200e modules). This vulnerability is associated with program files inflate.C.\n\nThis issue affects proton: before 1.6.16."}], "id": "CVE-2026-4746", "lastModified": "2026-03-24T15:53:48.067", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "YES", "Recovery": "USER", "Safety": "NEGLIGIBLE", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "ATTACKED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "AMBER", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "CONCENTRATED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:U/V:C/RE:L/U:Amber", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "LOW"}, "source": "cve_disclosure@tech.gov.sg", "type": "Secondary"}]}, "published": "2026-03-24T05:16:25.937", "references": [{"source": "cve_disclosure@tech.gov.sg", "url": "https://github.com/timeplus-io/proton/pull/943"}], "sourceIdentifier": "cve_disclosure@tech.gov.sg", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "cve_disclosure@tech.gov.sg", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.6.16)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "proton", "source": "cna", "vendor": "timeplus-io"}, "product": "proton", "vendor": "timeplus-io"}], "analysis": {"en": {"generated_at": "2026-03-24T05:21:12.927328+00:00", "value": {"mitigation_remediation": ["Apply the latest Proton patch by upgrading to version 1.6.16 or newer."], "summary": {"action": "Immediate Patch", "impact": "Memory corruption potentially leading to arbitrary code execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the timeplus-io Proton software, impacting all releases before version 1.6.16. Users running Proton 1.6.15 or earlier are therefore exposed. No additional vendor or system details are listed in the CVE record.", "description_and_impact": "This entry describes an out-of-bounds write vulnerability located in the proton project\u2019s base/poco/Foundation/src modules, specifically involving program files inflate.C. The flaw can corrupt internal data structures, which is a classic memory corruption weakness, identified as CWE-787. If successfully exploited, the attacker may gain the ability to execute arbitrary code or compromise the integrity of the affected application. The description does not provide explicit details on confidentiality or availability impact, but arbitrary code execution is typically severe.", "risk_and_exploitability": "The CVSS score for this issue is 10, indicating maximum severity. The EPSS score is not available, and the vulnerability is not included in the CISA KEV catalog. An attacker would need to trigger the out-of-bounds write, likely by interacting with the inflate.C component; the exact attack vector is not explicitly stated, so it is inferred that exploitation would require some form of interaction with Proton\u2019s processing of certain inputs. Given the high severity score and absence of mitigation hints, the risk is considered high."}}}}, "created": "2026-03-24T10:29:08.045569+00:00", "updated": "2026-03-25T20:40:13.465099+00:00", "vendors": ["timeplus-io", "timeplus-io$PRODUCT$proton"]}