CVE-2026-2660: Use After Free in FascinatedBox lily
A vulnerability was identified in FascinatedBox lily up to version 2.3. The affected code is the function shorthash_for_name in the file src/lily_symtab.c. The manipulation leads to a use after free. Local access is required to carry out this attack. A public exploit is available and might be used. The project was informed of the problem early through an issue report but has not responded yet.
AI Analysis
Technical Summary
CVE-2026-2660 is a use-after-free vulnerability in the FascinatedBox lily software, affecting versions 2.0 through 2.3. The flaw resides in the function shorthash_for_name in the source file src/lily_symtab.c. A use after free occurs when a program continues to use memory after it has been freed, leading to undefined behavior such as memory corruption, crashes, or potentially arbitrary code execution. Exploitation requires local access with low privileges (PR:L) and no user interaction (UI:N), so the flaw can be exploited by a local attacker or a malicious insider. The CVSS 4.0 vector indicates low attack complexity and no authentication requirement beyond local access. Although the CVSS score is medium (4.8), the availability of a public exploit raises the threat level. The vendor has been informed but has not yet issued a patch, leaving systems exposed. The vulnerability could be leveraged to escalate privileges or disrupt application stability, especially in environments where lily is used for development or scripting. The lack of a vendor response and patch makes immediate mitigation by users necessary. No exploitation in the wild has been reported yet, but the presence of a public exploit suggests potential future attacks.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems where FascinatedBox lily is installed and used, especially in development or scripting contexts. The use-after-free flaw can lead to application crashes, denial of service, or potentially arbitrary code execution if exploited successfully. This could compromise confidentiality, integrity, and availability of affected systems. Since exploitation requires local access, the threat is heightened in environments with multiple users or insufficient access controls. Organizations relying on lily for internal tooling or automation may face operational disruptions. The presence of a public exploit increases the likelihood of exploitation attempts, particularly in insider threat scenarios or compromised endpoints. The medium severity rating suggests moderate impact, but the absence of patches and vendor response could prolong exposure. European entities with sensitive or critical infrastructure using this software could see increased risk of targeted attacks or insider misuse.
Mitigation Recommendations
1. Immediately restrict local access to systems running FascinatedBox lily to trusted users only, employing strict access control and monitoring.
2. Implement host-based intrusion detection systems (HIDS) to detect anomalous behavior or exploitation attempts related to memory corruption.
3. Isolate systems running lily in segmented network zones to limit lateral movement in case of compromise.
4. Regularly audit and review user privileges to minimize the number of users with local access.
5. Monitor public sources and vendor communications for patch releases or updates addressing CVE-2026-2660 and apply them promptly.
6. Consider deploying application whitelisting or sandboxing techniques to limit the impact of potential exploitation.
7. Educate internal users about the risks of local exploitation and enforce policies to prevent unauthorized software installation or execution.
8. If feasible, temporarily disable or replace the affected versions of lily with alternative tools until a patch is available.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-02-18T07:25:33.125Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6996fb498fb9188dea8c09a0
Added to database: 2/19/2026, 12:00:09 PM
Last enriched: 2/19/2026, 12:05:56 PM
Last updated: 2/21/2026, 12:22:04 AM