Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/S:N/AU:Y/R:U/V:C/RE:L/U:Amber
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/S:N/AU:Y/R:U/V:C/RE:L/U:Amber
Lifecycle Timeline
4DescriptionCVE.org
Out-of-bounds Write vulnerability in timeplus-io proton (base/poco/Foundation/src modules). This vulnerability is associated with program files inflate.C.
This issue affects proton: before 1.6.16.
AnalysisAI
Out-of-bounds write vulnerability in Proton versions before 1.6.16 allows remote attackers to execute arbitrary code with high impact on confidentiality, integrity, and availability. The vulnerability resides in the inflate.C module within the base/poco/Foundation components and can be exploited over the network without authentication or user interaction. A patch is available to remediate this critical flaw.
Technical ContextAI
The vulnerability resides in the POCO Foundation library's compression handling code, specifically the inflate.C module which implements decompression logic (likely related to zlib inflation). Out-of-bounds write vulnerabilities (CWE-787) occur when a program writes data to memory locations outside the bounds of allocated buffers, often during parsing or decompression of untrusted input. In compression libraries, such flaws typically arise from improper bounds checking during stream decompression when processing crafted or malicious compressed payloads. The affected product is timeplus-io proton (CPE: cpe:2.3:a:timeplus-io:proton:*:*:*:*:*:*:*:*), which incorporates the vulnerable POCO library code for handling compressed data streams.
RemediationAI
Upgrade timeplus-io proton to version 1.6.16 or later immediately. Apply the patch available from the vendor at https://github.com/timeplus-io/proton/pull/943. Organizations unable to patch immediately should implement network segmentation to restrict which systems can submit compressed data to proton instances, disable decompression features if not required, and apply strict input validation and monitoring for abnormal memory behavior or crashes. Validate all deployments against the updated version prior to production rollout.
Optergy Proton/Enterprise devices allow Remote Root Code Execution via a Backdoor Console. Rated critical severity (CVSS
Optergy Proton/Enterprise devices allow Authenticated File Upload with Code Execution as root. Rated critical severity (
Optergy Proton/Enterprise devices allow Open Redirect. Rated medium severity (CVSS 6.1), this vulnerability is remotely
Proton v0.2.0 allows an attacker to create a malicious link inside a markdown file. Rated medium severity (CVSS 5.4), th
Optergy Proton/Enterprise devices allow Username Disclosure. Rated medium severity (CVSS 5.3), this vulnerability is rem
Optergy Proton/Enterprise devices allow Cross-Site Request Forgery (CSRF). Rated high severity (CVSS 8.8), this vulnerab
Optergy Proton/Enterprise devices have Hard-coded Credentials. Rated high severity (CVSS 7.3), this vulnerability is rem
Optergy Proton/Enterprise devices have an Unauthenticated SMS Sending Service. Rated medium severity (CVSS 6.5), this vu
Optergy Proton/Enterprise devices allow Unauthenticated Internal Network Information Disclosure. Rated medium severity (
Same weakness CWE-787 – Out-of-bounds Write
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-14745
GHSA-ch4h-8w5c-3g8g