VYPR

Vendor CVEs

Gpac

All CVEs

420 total · sorted by risk
  • CVE-2018-13005CriJun 29, 2018
    risk 0.64cvss 9.8epss 0.03

    An issue was discovered in MP4Box in GPAC 0.7.1. The function urn_Read in isomedia/box_code_base.c has a heap-based buffer over-read.

  • CVE-2018-1000100HigMar 6, 2018
    risk 0.51cvss 7.8epss 0.01

    GPAC MP4Box version 0.7.1 and earlier contains a Buffer Overflow vulnerability in src/isomedia/avc_ext.c lines 2417 to 2420 that can result in Heap chunks being modified, this could lead to RCE. This attack appear to be exploitable via an attacker supplied MP4 file that when run…

  • CVE-2025-55657HigJun 9, 2026
    risk 0.49cvss 7.5epss 0.00

    A NULL pointer dereference in the gf_odf_vvc_cfg_write_bs function (odf/descriptors.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file.

  • CVE-2025-52293HigJun 9, 2026
    risk 0.49cvss 7.5epss 0.00

    A segmentation violaton in the gf_hevc_read_sps_bs_internal function (media_tools/av_parsers.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying crafted HEVC SPS data.

  • CVE-2025-52292HigJun 9, 2026
    risk 0.49cvss 7.5epss 0.01

    A stack buffer overflow in the filein_process function (in_file.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file.

  • CVE-2022-47090HigJan 24, 2025
    risk 0.44cvss 7.8epss 0.00

    GPAC MP4box 2.1-DEV-rev574-g9d5bb184b contains a buffer overflow in gf_vvc_read_pps_bs_internal function of media_tools/av_parsers.c, check needed for num_exp_tile_columns

  • CVE-2025-55642MedJun 15, 2026
    risk 0.42cvss 6.5epss 0.00

    GPAC MP4Box v2.4 was discovered to contain a floating point exception in the avidmx_process function (isomedia/isom_write.c).

  • CVE-2025-55659MedJun 9, 2026
    risk 0.42cvss 6.5epss 0.00

    A NULL pointer dereference in the ctts_box_write function (isomedia/box_code_base.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file.

  • CVE-2025-55658MedJun 9, 2026
    risk 0.42cvss 6.5epss 0.00

    GPAC MP4Box v2.4 was discovered to contain a floating point exception in the gf_opus_parse_packet_header function (media_tools/av_parsers.c). bThis vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.

  • CVE-2025-55663MedJun 15, 2026
    risk 0.36cvss 5.5epss 0.00

    A segmentation violation in the Track_SetStreamDescriptor function (isomedia/track.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file.

  • CVE-2025-55661MedJun 15, 2026
    risk 0.36cvss 5.5epss 0.00

    A heap buffer overflow in the Opus audio stream parser component of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file.

  • CVE-2025-55660MedJun 15, 2026
    risk 0.36cvss 5.5epss 0.00

    A stack overflow in the gf_opus_read_length function (media_tools/av_parsers.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file.

  • CVE-2025-55652MedJun 15, 2026
    risk 0.36cvss 5.5epss 0.00

    A heap buffer overflow in the gf_isom_vp_config_new function (isomedia/avc_ext.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file.

  • CVE-2025-55650MedJun 15, 2026
    risk 0.36cvss 5.5epss 0.00

    A heap use-after-free in the gf_node_get_tag function (scenegraph/base_scenegraph.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file.

  • CVE-2025-55649MedJun 15, 2026
    risk 0.36cvss 5.5epss 0.00

    A NULL pointer dereference in the gf_media_map_esd function (media_tools/isom_tools.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file.

  • CVE-2025-55648MedJun 15, 2026
    risk 0.36cvss 5.5epss 0.00

    A heap buffer overflow in the gf_opus_parse_packet_header function (media_tools/av_parsers.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file.

  • CVE-2025-55647MedJun 15, 2026
    risk 0.36cvss 5.5epss 0.00

    An Out-of-Memory in the mp4_mux_cenc_insert_pssh function (filters/mux_isom.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file.

  • CVE-2025-55645MedJun 15, 2026
    risk 0.36cvss 5.5epss 0.00

    A heap buffer overflow in the gf_cenc_set_pssh function (isomedia/drm_sample.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file.

  • CVE-2025-55644MedJun 15, 2026
    risk 0.36cvss 5.5epss 0.00

    A heap use-after-free in the gf_node_get_tag function (scenegraph/base_scenegraph.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file.

  • CVE-2025-55643MedJun 15, 2026
    risk 0.36cvss 5.5epss 0.00

    A NULL pointer dereference in the TrackWriter handling component (filters/mux_isom.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file.

  • CVE-2025-55641MedJun 15, 2026
    risk 0.36cvss 5.5epss 0.00

    A NULL pointer dereference in the gf_isom_copy_sample_info function (isomedia/isom_write.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file.

  • CVE-2025-55651MedJun 9, 2026
    risk 0.36cvss 5.5epss 0.00

    A NULL pointer dereference in the gf_isom_get_user_data_count function (isomedia/isom_read.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file.

  • CVE-2026-4185MedMar 16, 2026
    risk 0.34cvss 6.3epss 0.00

    A vulnerability was found in GPAC up to 2.5-DEV-rev2167-gcc9d617c0-master. This vulnerability affects the function swf_def_bits_jpeg of the file src/scene_manager/swf_parse.c of the component MP4Box. The manipulation of the argument szName results in stack-based buffer overflow.…

  • CVE-2026-4016MedMar 12, 2026
    risk 0.34cvss 5.3epss 0.00

    A security vulnerability has been detected in GPAC 26.03-DEV. Affected by this vulnerability is the function svgin_process of the file src/filters/load_svg.c of the component SVG Parser. The manipulation leads to out-of-bounds write. Local access is required to approach this…

  • CVE-2026-4015MedMar 12, 2026
    risk 0.34cvss 5.3epss 0.00

    A weakness has been identified in GPAC 26.03-DEV. Affected is the function txtin_process_texml of the file src/filters/load_text.c of the component TeXML File Parser. Executing a manipulation can lead to stack-based buffer overflow. It is possible to launch the attack on the…

  • CVE-2026-33144MedMar 20, 2026
    risk 0.31cvss 5.8epss 0.00

    GPAC is an open-source multimedia framework. Prior to commit 86b0e36, a heap-based buffer overflow (write) vulnerability was discovered in GPAC MP4Box. The vulnerability exists in the gf_xml_parse_bit_sequence_bs function in utils/xml_bin_custom.c when processing a crafted NHML…

  • CVE-2025-60495MedJun 1, 2026
    risk 0.29cvss 5.5epss 0.00

    A segmentation violation in the gf_media_get_color_info function (/media_tools/isom_tools.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted data file.

  • CVE-2025-60486MedJun 1, 2026
    risk 0.29cvss 5.5epss 0.00

    A heap use-after-free in the dasher_process function (/filters/dasher.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MPEG-2 file.

  • CVE-2025-60485MedJun 1, 2026
    risk 0.29cvss 5.5epss 0.00

    A segmentation violation in the gf_isom_apple_set_tag_ex function (/isomedia/isom_write.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file.

  • CVE-2025-60483MedJun 1, 2026
    risk 0.29cvss 5.5epss 0.00

    A NULL pointer dereference in the gf_ac4_pres_b_4_back_channels_present function (/media_tools/av_parsers.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted AC4 file.

  • CVE-2025-60481MedJun 1, 2026
    risk 0.29cvss 5.5epss 0.00

    A NULL pointer dereference in the gf_odf_ac4_cfg_dsi_v1 function (/odf/descriptors.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted AC4 file.

  • CVE-2025-55664MedJun 1, 2026
    risk 0.29cvss 5.5epss 0.00

    A heap buffer overflow in the m2tsdmx_send_packet function (filters/dmx_m2ts.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file.

  • CVE-2026-39103MedMay 5, 2026
    risk 0.29cvss 5.5epss 0.00

    Buffer Overflow vulnerability in GPAC before commit v391dc7f4d234988ea0bc3cc294eb725eddf8f702 allows an attacker to cause a denial of service via the src/scenegraph/svg_attributes.c, svg_parse_strings(), gf_svg_parse_attribute()

  • CVE-2025-70116MedMay 27, 2026
    risk 0.28cvss 4.3epss 0.00

    A NULL pointer dereference in GPAC MP4Box: when parsing certain truncated MP4 files, an unknown/invalid stsd entry can result in missing descriptor fields (e.g., codec/mime/profile strings). gf_media_map_esd then calls strlen() on a NULL pointer, triggering a crash (ASan SEGV).

  • CVE-2026-7135MedApr 27, 2026
    risk 0.27cvss 5.3epss 0.00

    A security flaw has been discovered in GPAC up to 26.03-DEV-rev105-g8f39a1eb3-master. Affected by this vulnerability is the function elng_box_read of the file src/isomedia/box_code_base.c of the component MP4Box. Performing a manipulation of the argument elng results in…

  • CVE-2026-1418MedJan 26, 2026
    risk 0.27cvss 5.3epss 0.00

    A security vulnerability has been detected in GPAC up to 2.4.0. This affects the function gf_text_import_srt_bifs of the file src/scene_manager/text_to_bifs.c of the component SRT Subtitle Import. Such manipulation leads to out-of-bounds write. The attack needs to be performed…

  • CVE-2025-60477MedJun 3, 2026
    risk 0.26cvss 5.0epss 0.00

    A NULL pointer dereference in the gf_filter_pid_resolve_file_template_ex function (/filter_core/filter_pid.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted file.

  • CVE-2026-11478LowJun 8, 2026
    risk 0.21cvss 3.3epss 0.00

    A flaw has been found in kokke tiny-regex-c up to f2632c6d9ed25272987471cdb8b70395c2460bdb. This vulnerability affects the function matchstar of the file re.c of the component Pattern Handler. This manipulation causes inefficient regular expression complexity. The attack is…

  • CVE-2026-10215MedJun 1, 2026
    risk 0.21cvss 4.3epss 0.00

    A security vulnerability has been detected in Dolibarr ERP CRM up to 23.0.1. Impacted is the function checkUserAccessToObject of the file htdocs/holiday/class/api_holidays.class.php of the component Leave Request REST API. The manipulation leads to improper authorization. The…

  • CVE-2026-9572LowMay 26, 2026
    risk 0.14cvss 3.3epss 0.00

    A security vulnerability has been detected in GPAC up to 2.4.0. Affected by this issue is the function Media_GetSample of the file src/isomedia/media.c of the component MP4Box. Such manipulation of the argument cat leads to memory leak. The attack can only be performed from a…

  • CVE-2026-9567LowMay 26, 2026
    risk 0.14cvss 3.3epss 0.00

    A security flaw has been discovered in GPAC up to 2.4.0. Affected is the function MergeFragment of the file src/isomedia/isom_intern.c of the component MP4Box. The manipulation results in null pointer dereference. The attack needs to be approached locally. The exploit has been…

  • CVE-2026-8124LowMay 8, 2026
    risk 0.14cvss 3.3epss 0.00

    A security vulnerability has been detected in GPAC up to 26.02.0. This affects the function sidx_box_read of the file src/isomedia/box_code_base.c. The manipulation leads to allocation of resources. The attack must be carried out locally. The exploit has been disclosed publicly…

  • CVE-2026-1417LowJan 26, 2026
    risk 0.14cvss 3.3epss 0.00

    A weakness has been identified in GPAC up to 2.4.0. Affected by this issue is the function dump_isom_rtp of the file applications/mp4box/filedump.c. This manipulation causes null pointer dereference. The attack needs to be launched locally. The exploit has been made available to…

  • CVE-2026-1416LowJan 26, 2026
    risk 0.14cvss 3.3epss 0.00

    A security flaw has been discovered in GPAC up to 2.4.0. Affected by this vulnerability is the function DumpMovieInfo of the file applications/mp4box/filedump.c. The manipulation results in null pointer dereference. The attack must be initiated from a local position. The exploit…

  • CVE-2026-1415LowJan 26, 2026
    risk 0.14cvss 3.3epss 0.00

    A vulnerability was identified in GPAC up to 2.4.0. Affected is the function gf_media_export_webvtt_metadata of the file src/media_tools/media_export.c. The manipulation of the argument Name leads to null pointer dereference. The attack must be carried out locally. The exploit…

  • CVE-2026-10565LowJun 2, 2026
    risk 0.13cvss 3.1epss 0.00

    A security flaw has been discovered in Open5GS up to 2.7.6. The impacted element is the function gmm_state_security_mode of the file src/amf/gmm-sm.c of the component NGAP Handover. Performing a manipulation results in race condition. The attack can be initiated remotely. The…

  • CVE-2026-13523Jun 30, 2026
    risk 0.00cvss epss

    A weakness has been identified in GPAC up to 26.02.0. This affects an unknown part of the file src/utils/base_encoding.c of the component ISOBMFF Parser. Executing a manipulation can lead to highly compressed data. The attack needs to be launched locally. The exploit has been…

  • CVE-2025-60464Jun 28, 2026
    risk 0.00cvss epss 0.00

    A use-after-free in the gf_sei_load_from_state_internal function (/filters/sei_load.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MPEG-2 TS file.

  • CVE-2025-60465Jun 28, 2026
    risk 0.00cvss epss 0.00

    A use-after-free in the gf_filter_pid_inst_swap function (/filter_core/filter_pid.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted media file.

  • CVE-2025-60473Jun 24, 2026
    risk 0.00cvss epss 0.00

    A NULL pointer dereference in the gf_filter_in_parent_chain function (/filter_core/filter_pid.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted file.

Page 1 of 9