Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:U/V:D/RE:L/U:Clear
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:U/V:D/RE:L/U:Clear
Lifecycle Timeline
4DescriptionCVE.org
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in yoyofr modizer (libs/libopenmpt/openmpt-trunk/include/premake/contrib/curl/lib modules). This vulnerability is associated with program files imap.C.
This issue affects modizer: before v4.3.
AnalysisAI
A buffer overflow vulnerability in Modizer before v4.3 allows remote attackers to execute arbitrary code with high privileges by sending specially crafted input that bypasses memory boundary restrictions in the IMAP module. The network-accessible flaw requires minimal user interaction and affects the integrated libopenmpt curl library. A patch is available and should be applied immediately given the critical severity and confirmed attack vector.
Technical ContextAI
The vulnerability is classified as CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), a classic buffer overflow defect. The affected component is located in modizer's bundled or integrated curl library code, specifically within the imap.C file located at libs/libopenmpt/openmpt-trunk/include/premake/contrib/curl/lib. The curl library handles IMAP protocol operations, and the buffer overflow likely occurs during parsing of IMAP protocol responses or command handling where input validation fails to enforce memory boundaries. This type of vulnerability in protocol parsing libraries is particularly dangerous because IMAP operations may be triggered remotely by connecting to IMAP servers, potentially under attacker control.
RemediationAI
Upgrade modizer to version 4.3 or later immediately, as a patch is available from the vendor. The fix is tracked in GitHub pull request 141 (https://github.com/yoyofr/modizer/pull/141) and should be integrated into the main distribution. Until upgrading is possible, restrict modizer instances to trusted network segments only and disable IMAP functionality if not required for operations. Monitor modizer process execution for signs of memory corruption or unexpected crashes, which could indicate exploitation attempts. Ensure that systems running modizer have modern exploit mitigations enabled, including ASLR, DEP/NX, and stack canaries, to raise the barrier for successful code execution even if the buffer overflow is triggered.
Same weakness CWE-119 – Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-14709
GHSA-36m3-3x88-3x7w