Epic Games
Products
13- 11 CVEs
- 6 CVEs
- 5 CVEs
- 4 CVEs
- 3 CVEs
- 3 CVEs
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
Recent CVEs
24| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-61973 | Hig | 0.57 | 8.8 | 0.00 | Jan 15, 2026 | A local privilege escalation vulnerability exists during the installation of Epic Games Store via the Microsoft Store. A low-privilege user can replace a DLL file during the installation process, which may result in unintended elevation of privileges. | ||
| CVE-2021-47742 | Hig | 0.57 | 8.8 | 0.00 | Dec 31, 2025 | Epic Games Psyonix Rocket League <=1.95 contains an insecure permissions vulnerability that allows authenticated users to modify executable files with full access permissions. Attackers can leverage the 'F' (Full) flag for the 'Authenticated Users' group to change executable… | ||
| CVE-2021-47739 | Hig | 0.55 | 8.4 | 0.00 | Dec 23, 2025 | Epic Games Easy Anti-Cheat 4.0 contains an unquoted service path vulnerability that allows local non-privileged users to execute arbitrary code with elevated system privileges. Attackers can exploit the service configuration by inserting malicious code in the system root path… | ||
| CVE-2025-0567 | Med | 0.29 | 4.5 | 0.00 | Jan 19, 2025 | A vulnerability classified as problematic was found in Epic Games Launcher up to 17.2.1. This vulnerability affects unknown code in the library profapi.dll of the component Installer. The manipulation leads to untrusted search path. Attacking locally is a requirement. The… | ||
| CVE-2004-0608 | 0.09 | — | 0.74 | Dec 6, 2004 | The Unreal Engine, as used in DeusEx 1.112fm and earlier, Devastation 390 and earlier, Mobile Forces 20000 and earlier, Nerf Arena Blast 1.2 and earlier, Postal 2 1337 and earlier, Rune 107 and earlier, Tactical Ops 3.4.0 and earlier, Unreal 1 226f and earlier, Unreal II XMP… | |||
| CVE-2008-3409 | 0.04 | — | 0.11 | Jul 31, 2008 | Buffer overflow in Unreal Tournament 3 1.3beta4 and earlier allows remote attackers to cause a denial of service (memory corruption and daemon crash) or possibly execute arbitrary code via a UDP packet containing a large value in a certain size field, followed by a data string… | |||
| CVE-2008-3396 | 0.04 | — | 0.08 | Jul 31, 2008 | Unreal Tournament 2004 (UT2004) 3369 and earlier allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a certain sequence of malformed packets. | |||
| CVE-2004-1805 | 0.04 | — | 0.06 | Dec 31, 2004 | Format string vulnerability in games using the Epic Games Unreal Engine 436 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via format string specifiers in class names. | |||
| CVE-2008-7015 | 0.03 | — | 0.03 | Aug 19, 2009 | Unreal engine 3, as used in Unreal Tournament 3 1.3, Frontlines: Fuel of War 1.1.1, and other products, allows remote attackers to cause a denial of service (server exit) via a packet with a large length value that triggers a memory allocation failure. | |||
| CVE-2008-7011 | 0.03 | — | 0.02 | Aug 19, 2009 | The Unreal engine, as used in Unreal Tournament 3 1.3, Unreal Tournament 2003 and 2004, Dead Man's Hand, Pariah, WarPath, Postal2, and Shadow Ops, allows remote authenticated users to cause a denial of service (server exit) via multiple file downloads from the server, which… | |||
| CVE-2008-4243 | 0.03 | — | 0.04 | Sep 25, 2008 | Directory traversal vulnerability in ImageServer (aka UTImageServer) in WebAdmin before 1.7 for Epic Games Unreal Tournament 3 (UT3) 1.3 allows remote attackers to read arbitrary files via a .. (dot dot) in the URI. | |||
| CVE-2007-4442 | 0.03 | — | 0.04 | Aug 21, 2007 | Stack-based buffer overflow in the logging function in the Unreal engine, possibly 2003 and 2004, as used in the internal web server, allows remote attackers to cause a denial of service (application crash) via a request for a long .gif filename in the images/ directory, related… | |||
| CVE-2004-1958 | 0.03 | — | 0.02 | Dec 31, 2004 | Directory traversal vulnerability in manifest.ini in Unreal engine allows remote attackers to overwrite arbitrary files via .. (dot dot) sequences in a UMOD (Unreal MOD) file. | |||
| CVE-2003-1430 | 0.03 | — | 0.03 | Dec 31, 2003 | Directory traversal vulnerability in Unreal Tournament Server 436 and earlier allows remote attackers to access known files via a ".." (dot dot) in an unreal:// URL. | |||
| CVE-2003-1431 | 0.03 | — | 0.05 | Dec 31, 2003 | Buffer overflow in Epic Games Unreal Engine 226f through 436 allows remote attackers to cause a denial of service (crash) via a long host string in the Unreal URL. | |||
| CVE-2003-1432 | 0.01 | — | 0.08 | Dec 31, 2003 | Epic Games Unreal Engine 226f through 436 allows remote attackers to cause a denial of service (CPU consumption or crash) and possibly execute arbitrary code via (1) a packet with a negative size value, which is treated as a large positive number during memory allocation, or (2)… | |||
| CVE-2024-11872 | 0.00 | — | 0.00 | Dec 11, 2024 | Epic Games Launcher Incorrect Default Permissions Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Epic Games Launcher. An attacker must first obtain the ability to execute low-privileged code… | |||
| CVE-2018-17707 | 0.00 | — | 0.03 | Jan 24, 2019 | This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Epic Games Launcher versions prior to 8.2.2. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.… | |||
| CVE-2010-2702 | 0.00 | — | 0.05 | Jul 12, 2010 | Buffer overflow in the UGameEngine::UpdateConnectingMessage function in the Unreal engine 1, 2, and 2.5, as used in multiple games including Unreal Tournament 2004, Unreal tournament 2003, Postal 2, Raven Shield, and SWAT4, when downloads are enabled, allows remote attackers to… | |||
| CVE-2008-6441 | 0.00 | — | 0.04 | Mar 9, 2009 | Format string vulnerability in the Epic Games Unreal engine client, as used in multiple games, allows remote servers to execute arbitrary code via (1) the CLASS parameter in a DLMGR command, (2) a malformed package (PKG), and possibly (3) the LEVEL parameter in a WELCOME command. |
- risk 0.57cvss 8.8epss 0.00
A local privilege escalation vulnerability exists during the installation of Epic Games Store via the Microsoft Store. A low-privilege user can replace a DLL file during the installation process, which may result in unintended elevation of privileges.
- risk 0.57cvss 8.8epss 0.00
Epic Games Psyonix Rocket League <=1.95 contains an insecure permissions vulnerability that allows authenticated users to modify executable files with full access permissions. Attackers can leverage the 'F' (Full) flag for the 'Authenticated Users' group to change executable…
- risk 0.55cvss 8.4epss 0.00
Epic Games Easy Anti-Cheat 4.0 contains an unquoted service path vulnerability that allows local non-privileged users to execute arbitrary code with elevated system privileges. Attackers can exploit the service configuration by inserting malicious code in the system root path…
- risk 0.29cvss 4.5epss 0.00
A vulnerability classified as problematic was found in Epic Games Launcher up to 17.2.1. This vulnerability affects unknown code in the library profapi.dll of the component Installer. The manipulation leads to untrusted search path. Attacking locally is a requirement. The…
- CVE-2004-0608Dec 6, 2004risk 0.09cvss —epss 0.74
The Unreal Engine, as used in DeusEx 1.112fm and earlier, Devastation 390 and earlier, Mobile Forces 20000 and earlier, Nerf Arena Blast 1.2 and earlier, Postal 2 1337 and earlier, Rune 107 and earlier, Tactical Ops 3.4.0 and earlier, Unreal 1 226f and earlier, Unreal II XMP…
- CVE-2008-3409Jul 31, 2008risk 0.04cvss —epss 0.11
Buffer overflow in Unreal Tournament 3 1.3beta4 and earlier allows remote attackers to cause a denial of service (memory corruption and daemon crash) or possibly execute arbitrary code via a UDP packet containing a large value in a certain size field, followed by a data string…
- CVE-2008-3396Jul 31, 2008risk 0.04cvss —epss 0.08
Unreal Tournament 2004 (UT2004) 3369 and earlier allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a certain sequence of malformed packets.
- CVE-2004-1805Dec 31, 2004risk 0.04cvss —epss 0.06
Format string vulnerability in games using the Epic Games Unreal Engine 436 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via format string specifiers in class names.
- CVE-2008-7015Aug 19, 2009risk 0.03cvss —epss 0.03
Unreal engine 3, as used in Unreal Tournament 3 1.3, Frontlines: Fuel of War 1.1.1, and other products, allows remote attackers to cause a denial of service (server exit) via a packet with a large length value that triggers a memory allocation failure.
- CVE-2008-7011Aug 19, 2009risk 0.03cvss —epss 0.02
The Unreal engine, as used in Unreal Tournament 3 1.3, Unreal Tournament 2003 and 2004, Dead Man's Hand, Pariah, WarPath, Postal2, and Shadow Ops, allows remote authenticated users to cause a denial of service (server exit) via multiple file downloads from the server, which…
- CVE-2008-4243Sep 25, 2008risk 0.03cvss —epss 0.04
Directory traversal vulnerability in ImageServer (aka UTImageServer) in WebAdmin before 1.7 for Epic Games Unreal Tournament 3 (UT3) 1.3 allows remote attackers to read arbitrary files via a .. (dot dot) in the URI.
- CVE-2007-4442Aug 21, 2007risk 0.03cvss —epss 0.04
Stack-based buffer overflow in the logging function in the Unreal engine, possibly 2003 and 2004, as used in the internal web server, allows remote attackers to cause a denial of service (application crash) via a request for a long .gif filename in the images/ directory, related…
- CVE-2004-1958Dec 31, 2004risk 0.03cvss —epss 0.02
Directory traversal vulnerability in manifest.ini in Unreal engine allows remote attackers to overwrite arbitrary files via .. (dot dot) sequences in a UMOD (Unreal MOD) file.
- CVE-2003-1430Dec 31, 2003risk 0.03cvss —epss 0.03
Directory traversal vulnerability in Unreal Tournament Server 436 and earlier allows remote attackers to access known files via a ".." (dot dot) in an unreal:// URL.
- CVE-2003-1431Dec 31, 2003risk 0.03cvss —epss 0.05
Buffer overflow in Epic Games Unreal Engine 226f through 436 allows remote attackers to cause a denial of service (crash) via a long host string in the Unreal URL.
- CVE-2003-1432Dec 31, 2003risk 0.01cvss —epss 0.08
Epic Games Unreal Engine 226f through 436 allows remote attackers to cause a denial of service (CPU consumption or crash) and possibly execute arbitrary code via (1) a packet with a negative size value, which is treated as a large positive number during memory allocation, or (2)…
- CVE-2024-11872Dec 11, 2024risk 0.00cvss —epss 0.00
Epic Games Launcher Incorrect Default Permissions Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Epic Games Launcher. An attacker must first obtain the ability to execute low-privileged code…
- CVE-2018-17707Jan 24, 2019risk 0.00cvss —epss 0.03
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Epic Games Launcher versions prior to 8.2.2. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.…
- CVE-2010-2702Jul 12, 2010risk 0.00cvss —epss 0.05
Buffer overflow in the UGameEngine::UpdateConnectingMessage function in the Unreal engine 1, 2, and 2.5, as used in multiple games including Unreal Tournament 2004, Unreal tournament 2003, Postal 2, Raven Shield, and SWAT4, when downloads are enabled, allows remote attackers to…
- CVE-2008-6441Mar 9, 2009risk 0.00cvss —epss 0.04
Format string vulnerability in the Epic Games Unreal engine client, as used in multiple games, allows remote servers to execute arbitrary code via (1) the CLASS parameter in a DLMGR command, (2) a malformed package (PKG), and possibly (3) the LEVEL parameter in a WELCOME command.