{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/85520?format=json","vulnerability_id":"VCID-d5bp-3xp3-uygr","summary":"A vulnerability has been found in libvips 8.19.0. This issue affects the function vips_extract_band_build of the file libvips/conversion/extract.c. The manipulation of the argument extract_band leads to out-of-bounds read. The attack needs to be performed locally. The exploit has been disclosed to the public and may be used. The identifier of the patch is 24795bb3d19d84f7b6f5ed86451ad556c8f2fe70. To fix this issue, it is recommended to deploy a patch.","aliases":[{"alias":"CVE-2026-3283"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/106737?format=json","purl":"pkg:deb/debian/vips@8.14.1-3%2Bdeb12u3?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-w1c6-b16t-ufcv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@8.14.1-3%252Bdeb12u3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/1075095?format=json","purl":"pkg:deb/debian/vips@8.14.1-3%2Bdeb12u3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-w1c6-b16t-ufcv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@8.14.1-3%252Bdeb12u3"},{"url":"http://public2.vulnerablecode.io/api/packages/106741?format=json","purl":"pkg:deb/debian/vips@8.16.1-1%2Bdeb13u1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-w1c6-b16t-ufcv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@8.16.1-1%252Bdeb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/106754?format=json","purl":"pkg:deb/debian/vips@8.18.0-3?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@8.18.0-3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/106740?format=json","purl":"pkg:deb/debian/vips@8.18.2-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@8.18.2-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/1088991?format=json","purl":"pkg:deb/debian/vips@8.18.3-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@8.18.3-1%3Fdistro=trixie"}],"affected_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/106739?format=json","purl":"pkg:deb/debian/vips@8.10.5-2?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-8946-28v3-6yh7"},{"vulnerability":"VCID-cz3w-5229-yqbb"},{"vulnerability":"VCID-d5bp-3xp3-uygr"},{"vulnerability":"VCID-dfdn-svbh-5uhx"},{"vulnerability":"VCID-jy3m-nthz-g3e6"},{"vulnerability":"VCID-quau-v1s5-b3a4"},{"vulnerability":"VCID-um8m-4ww1-tke3"},{"vulnerability":"VCID-w1c6-b16t-ufcv"},{"vulnerability":"VCID-zcms-g4vq-4bgs"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@8.10.5-2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/1075094?format=json","purl":"pkg:deb/debian/vips@8.10.5-2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3vx1-357j-6qh3"},{"vulnerability":"VCID-8946-28v3-6yh7"},{"vulnerability":"VCID-cz3w-5229-yqbb"},{"vulnerability":"VCID-d5bp-3xp3-uygr"},{"vulnerability":"VCID-dfdn-svbh-5uhx"},{"vulnerability":"VCID-jy3m-nthz-g3e6"},{"vulnerability":"VCID-quau-v1s5-b3a4"},{"vulnerability":"VCID-um8m-4ww1-tke3"},{"vulnerability":"VCID-w1c6-b16t-ufcv"},{"vulnerability":"VCID-zcms-g4vq-4bgs"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@8.10.5-2"}],"references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-3283","reference_id":"","reference_type":"","scores":[{"value":"0.0001","scoring_system":"epss","scoring_elements":"0.01287","published_at":"2026-06-11T12:55:00Z"},{"value":"0.0001","scoring_system":"epss","scoring_elements":"0.01295","published_at":"2026-06-14T12:55:00Z"},{"value":"0.0001","scoring_system":"epss","scoring_elements":"0.01291","published_at":"2026-06-13T12:55:00Z"},{"value":"0.0001","scoring_system":"epss","scoring_elements":"0.01283","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-3283"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-3283","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-3283"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1129310","reference_id":"1129310","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1129310"},{"reference_url":"https://github.com/libvips/libvips/commit/24795bb3d19d84f7b6f5ed86451ad556c8f2fe70","reference_id":"24795bb3d19d84f7b6f5ed86451ad556c8f2fe70","reference_type":"","scores":[{"value":"1.7","scoring_system":"cvssv2","scoring_elements":"AV:L/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C"},{"value":"3.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C"},{"value":"3.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T18:49:06Z/"}],"url":"https://github.com/libvips/libvips/commit/24795bb3d19d84f7b6f5ed86451ad556c8f2fe70"},{"reference_url":"https://github.com/libvips/libvips/issues/4880","reference_id":"4880","reference_type":"","scores":[{"value":"1.7","scoring_system":"cvssv2","scoring_elements":"AV:L/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C"},{"value":"3.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C"},{"value":"3.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T18:49:06Z/"}],"url":"https://github.com/libvips/libvips/issues/4880"},{"reference_url":"https://github.com/libvips/libvips/issues/4880#issue-3944214985","reference_id":"4880#issue-3944214985","reference_type":"","scores":[{"value":"1.7","scoring_system":"cvssv2","scoring_elements":"AV:L/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C"},{"value":"3.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C"},{"value":"3.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T18:49:06Z/"}],"url":"https://github.com/libvips/libvips/issues/4880#issue-3944214985"},{"reference_url":"https://github.com/libvips/libvips/pull/4887","reference_id":"4887","reference_type":"","scores":[{"value":"1.7","scoring_system":"cvssv2","scoring_elements":"AV:L/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C"},{"value":"3.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C"},{"value":"3.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T18:49:06Z/"}],"url":"https://github.com/libvips/libvips/pull/4887"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:libvips:libvips:*:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:libvips:libvips:*:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:libvips:libvips:*:*:*:*:*:*:*:*"},{"reference_url":"https://vuldb.com/?ctiid.348012","reference_id":"?ctiid.348012","reference_type":"","scores":[{"value":"1.7","scoring_system":"cvssv2","scoring_elements":"AV:L/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C"},{"value":"3.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C"},{"value":"3.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T18:49:06Z/"}],"url":"https://vuldb.com/?ctiid.348012"},{"reference_url":"https://vuldb.com/?id.348012","reference_id":"?id.348012","reference_type":"","scores":[{"value":"1.7","scoring_system":"cvssv2","scoring_elements":"AV:L/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C"},{"value":"3.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C"},{"value":"3.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T18:49:06Z/"}],"url":"https://vuldb.com/?id.348012"},{"reference_url":"https://github.com/libvips/libvips/","reference_id":"libvips","reference_type":"","scores":[{"value":"1.7","scoring_system":"cvssv2","scoring_elements":"AV:L/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C"},{"value":"3.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C"},{"value":"3.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T18:49:06Z/"}],"url":"https://github.com/libvips/libvips/"},{"reference_url":"https://vuldb.com/?submit.758863","reference_id":"?submit.758863","reference_type":"","scores":[{"value":"1.7","scoring_system":"cvssv2","scoring_elements":"AV:L/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C"},{"value":"3.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C"},{"value":"3.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T18:49:06Z/"}],"url":"https://vuldb.com/?submit.758863"}],"weaknesses":[{"cwe_id":119,"name":"Improper Restriction of Operations within the Bounds of a Memory Buffer","description":"The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer."},{"cwe_id":125,"name":"Out-of-bounds Read","description":"The product reads data past the end, or before the beginning, of the intended buffer."}],"exploits":[],"severity_range_score":"1.7 - 4.8","exploitability":"0.5","weighted_severity":"4.3","risk_score":2.1,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-d5bp-3xp3-uygr"}