Skip to main content

CactusViewer CVE-2026-36574

| EUVDEUVD-2026-34098 HIGH
Uncontrolled Search Path Element (CWE-427)
2026-06-03 mitre GHSA-8vxw-prwx-j95w
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Analysis Generated
Jun 08, 2026 - 21:30 vuln.today
CVSS changed
Jun 08, 2026 - 19:22 NVD
7.8 (HIGH)
CVE Published
Jun 03, 2026 - 00:00 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

A DLL hijacking vulnerability in Wassimulator (GitHub) CactusViewer v2.3.0 allows attackers to escalate privileges and execute arbitrary code via a crafted DLL.

AnalysisAI

Local privilege escalation and arbitrary code execution in Wassimulator CactusViewer v2.3.0 (Windows) occurs through DLL hijacking, where the application loads a malicious DLL from a writable directory instead of the legitimate library. Exploitation requires user interaction to launch the application after an attacker plants the crafted DLL, and no public exploit identified at time of analysis. EPSS rates exploitation probability at just 0.02% (5th percentile), reflecting the niche user base of this open-source image viewer.

Technical ContextAI

CactusViewer is an open-source image viewer distributed as a standalone Windows executable (CactusViewer.exe) via GitHub releases. The root cause maps to CWE-427 (Uncontrolled Search Path Element), a class of bug where Windows applications resolve DLL dependencies using the default search order - which includes the application's working directory and other writable paths - without specifying fully qualified paths or using SetDefaultDllDirectories/SafeDllSearchMode hardening. An attacker who can place a malicious DLL with the expected name in a directory earlier in the search order than the legitimate one causes the loader to map and execute attacker-controlled code in the process. The referenced issue (#65) on the project's GitHub appears to be the disclosure thread for this flaw.

RemediationAI

No vendor-released patch identified at time of analysis - the linked GitHub issue (https://github.com/Wassimulator/CactusViewer/issues/65) appears to be the open disclosure thread and no fixed release is referenced in the available data. As compensating controls, organizations should remove CactusViewer v2.3.0 from endpoints if it is not business-critical, since this is a hobbyist viewer with limited operational value. If retention is required, run the application only from a directory where standard users lack write permissions (e.g., Program Files rather than Downloads or a user-writable folder), which prevents low-privilege attackers from planting a hijack DLL alongside the binary. Application-control policies (Windows Defender Application Control, AppLocker) can block unsigned DLL loads from user-writable paths, though this may break applications that legitimately load DLLs that way. Monitor the upstream repository for a fixed release before redeploying.

More in N A

View all
CVE-2026-31072 CRITICAL POC
9.8 May 19

Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali

CVE-2026-36356 CRITICAL POC
9.1 May 05

Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST

CVE-2026-31071 CRITICAL POC
9.1 May 19

Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al

CVE-2025-66391 HIGH POC
8.8 Jun 17

In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o

CVE-2026-26740 HIGH POC
8.2 Mar 18

Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when

CVE-2025-60464 HIGH POC
7.8 Jun 25

Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_

CVE-2026-36355 HIGH POC
7.7 May 05

Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc

CVE-2025-60474 HIGH POC
7.5 Jun 24

Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s

CVE-2026-38639 HIGH POC
7.5 Jun 26

An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S

CVE-2026-38641 HIGH POC
7.5 Jun 26

Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge

CVE-2026-38637 HIGH POC
7.5 Jun 25

An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S

CVE-2026-38640 HIGH POC
7.5 Jun 25

Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce

Share

CVE-2026-36574 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy