Is there a public PoC exploit available for EUVD-2026-25873?

Yes, a public proof-of-concept exploit is available for EUVD-2026-25873. Prioritise patching immediately. EPSS: 0.0%.

Is there a patch available for EUVD-2026-25873?

Yes, a patch is available for EUVD-2026-25873. Update the affected software to the latest version immediately.

Gpac EUVD-2026-25873

Q: What is the CVSS score of EUVD-2026-25873?

EUVD-2026-25873 has a CVSS 4.0 base score of 1.9 (Low). CVSS vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

| CVE-2026-7135 LOW

Out-of-bounds Read (CWE-125)

2026-04-27 VulDB

Buffer Overflow Information Disclosure Gpac

1.9

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

1.9 LOW

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Severity Changed

Apr 29, 2026 - 01:12 NVD

MEDIUM LOW

CVSS changed

Apr 29, 2026 - 01:12 NVD

4.8 (MEDIUM) 1.9 (LOW)

PoC Detected

Apr 29, 2026 - 01:00 vuln.today

Public exploit code

CVSS changed

Apr 27, 2026 - 16:22 NVD

5.3 (MEDIUM) 4.8 (MEDIUM)

EUVD ID Assigned

Apr 27, 2026 - 15:30 euvd

EUVD-2026-25873

Patch released

Apr 27, 2026 - 15:30 nvd

Patch available

CVE Published

Apr 27, 2026 - 15:15 nvd

LOW 1.9

DescriptionCVE.org

A security flaw has been discovered in GPAC up to 26.03-DEV-rev105-g8f39a1eb3-master. Affected by this vulnerability is the function elng_box_read of the file src/isomedia/box_code_base.c of the component MP4Box. Performing a manipulation of the argument elng results in out-of-bounds read. The attack needs to be approached locally. The exploit has been released to the public and may be used for attacks. The patch is named cf6ac48c972eaaee2af270adc3f36615325deb3e. The affected component should be upgraded.

Analysis

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2025-55642 MEDIUM This Month

6.5 Jun 13

Divide-by-zero in GPAC's MP4Box AVI demuxer crashes the process when handling crafted media files with zero-declared fra

CVE-2025-55648 MEDIUM This Month

5.5 Jun 13

Heap-based buffer overflow in GPAC MP4Box (all versions prior to fix commit 61bbfd2e89553373ba3449b8ec05b5f098d732a5) al

CVE-2025-55649 MEDIUM This Month

5.5 Jun 13

NULL pointer dereference in GPAC's MP4Box fragmentation pipeline allows unauthenticated remote attackers to crash the ap

CVE-2025-55641 MEDIUM This Month

5.5 Jun 13

NULL pointer dereference in GPAC's MP4Box crashes the application when importing a crafted MP4 file containing corrupted

CVE-2025-55644 MEDIUM This Month

5.5 Jun 13

Use-after-free memory corruption in GPAC's MP4Box triggers via gf_node_get_tag when parsing a crafted MP4 file containin

EUVD-2026-25873 vulnerability details – vuln.today

Back

Gpac EUVD-2026-25873

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

Analysis

Unlock full vulnerability intelligence

More from same product – last 7 days

Share

External POC / Exploit Code