Which versions of RedisTimeSeries are affected by CVE-2026-25588?

RedisTimeSeries versions before 1.12.14 contain a remote code execution vulnerability requiring authenticated access with RESTORE command permissions, enabling attackers to execute arbitrary code and…. A patch is available.

RedisTimeSeries CVE-2026-25588

Q: What is the CVSS score of CVE-2026-25588?

CVE-2026-25588 has a CVSS 4.0 base score of 7.7 (High). CVSS vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.3%.

EUVD-2026-27413 HIGH

Heap-based Buffer Overflow (CWE-122)

2026-05-05 security-advisories@github.com

RCE Buffer Overflow Heap Overflow Redis Suse

7.7

CVSS 4.0

CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Patch available

May 05, 2026 - 19:01 EUVD

Source Code Evidence Fetched

May 05, 2026 - 17:31 vuln.today

Analysis Generated

May 05, 2026 - 17:31 vuln.today

DescriptionNVD

RedisTimeSeries is a time-series module for Redis. In all versions before 1.12.14 of RedisTimeSeries, the module does not properly validate serialized values processed through the Redis RESTORE command. An authenticated attacker with permission to execute RESTORE on a server with the RedisTimeSeries module loaded can supply a crafted serialized payload that triggers invalid memory access and may lead to remote code execution. A workaround is to restrict access to the RESTORE command with ACL rules. This has been patched in version 1.12.14.

AnalysisAI

Remote code execution in RedisTimeSeries versions before 1.12.14 allows authenticated attackers with RESTORE command permissions to execute arbitrary code via crafted serialized payloads. The vulnerability stems from improper validation of data processed through Redis RESTORE command, enabling heap buffer overflow exploitation. …

RemediationAI

Within 24 hours: Identify all RedisTimeSeries deployments and document current versions; restrict RESTORE command permissions to essential service accounts only and review access logs for suspicious activity. Within 7 days: Upgrade RedisTimeSeries to version 1.12.14 or later if available from vendor repositories, or implement network segmentation to isolate affected instances from untrusted networks. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

More from same product – last 7 days

CVE-2026-9256 HIGH This Week

8.1 May 22

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows unauthenticated remote attackers

Vendor StatusVendor

CVE-2026-25588 vulnerability details – vuln.today

Back

RedisTimeSeries CVE-2026-25588

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

More from same product – last 7 days

Vendor StatusVendor

Share

RedisTimeSeries CVE-2026-25588

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

More from same product – last 7 days

Vendor StatusVendor

Share

External POC / Exploit Code