OSGeo GDAL CVE-2026-8087

EUVD-2026-28435 | Severity: LOW
Heap-based Buffer Overflow (CWE-122)
2026-05-07 | VulDB | GHSA-h9rh-5ffh-h669
CVSS 4.0 score: 1.9

CVSS Vector (NVD)

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: X

Lifecycle Timeline

  • May 07, 2026 - 20:22 (NVD): Severity changed, MEDIUM to LOW
  • May 07, 2026 - 20:22 (NVD): CVSS changed, 5.3 (MEDIUM) to 1.9 (LOW)
  • May 07, 2026 - 20:01 (vuln.today): Source code evidence fetched
  • May 07, 2026 - 20:01 (vuln.today): Analysis generated
  • May 07, 2026 - 19:00 (NVD): CVE published, MEDIUM 5.3

Blast Radius

Ecosystem impact († from your stack dependencies; † transitive graph; vuln.today resolves 4-path depth)
  • 440 pypi packages depend on gdal (382 direct, 69 indirect)

Ecosystem-wide dependent count for version 3.13.0.

Description (NVD)

A security flaw has been discovered in OSGeo GDAL up to 3.13.0dev-4. The affected code is the function GDnentries in the file frmts/hdf4/hdf-eos/GDapi.c. Manipulating the argument DataFieldName results in a heap-based buffer overflow. The attack must be initiated from a local position. The exploit has been released to the public and may be used for attacks. Upgrading to version 3.13.0RC1 is recommended to address this issue. The patch is named 184f77dbcc74118c062c05e464c88161d3c37b9b.

Analysis (AI)

Heap-based buffer overflow in OSGeo GDAL up to version 3.13.0dev-4 allows local authenticated attackers to corrupt memory and potentially execute arbitrary code via a specially crafted DataFieldName argument passed to the GDnentries function in the HDF-EOS module. The vulnerability affects the string length calculation performed when processing quoted field names. Exploit code is publicly available, and a vendor patch is available in version 3.13.0RC1.