CVE-2026-3391: Out-of-Bounds Read in FascinatedBox lily
CVE-2026-3391 is an out-of-bounds read vulnerability in FascinatedBox lily, affecting versions up to 2.3, located in the clear_storages function of src/lily_emitter.c. The flaw lets a local attacker with limited privileges make the program read memory beyond the intended buffer, potentially exposing sensitive information. Exploitation requires local access and low privileges, but no user interaction. Although the vulnerability carries only a medium CVSS score of 4.8, exploit code has been publicly released, which raises the practical risk. No patch or vendor response is currently available. Organizations running FascinatedBox lily should be aware of this flaw and put compensating controls in place. The exposure is greatest where an attacker can obtain local access, such as multi-user systems or shared hosting.
AI Analysis
Technical Summary
CVE-2026-3391 identifies a security vulnerability in FascinatedBox lily, the open-source Lily programming language, whose interpreter is written in C. The affected range is given as versions 2.0 through 2.3. The vulnerability is an out-of-bounds read in the clear_storages function of src/lily_emitter.c, the emitter being the compiler stage that turns parsed source into bytecode. This class of flaw arises when the program reads memory outside the allocated buffer: in a C program the bytes read are whatever happens to sit next to the buffer on the heap or stack, so the result is information leakage or, if the read feeds later logic, undefined behavior and crashes. The attack vector is local with low privileges, meaning an attacker needs some access to the system but neither elevated permissions nor user interaction. The CVSS 4.0 metrics reported here are low attack complexity, low privileges required, no user interaction and a local attack vector. The vulnerability was responsibly disclosed early to the project maintainers, but no patch or response has been issued yet. Public exploit code has been released, which increases the likelihood of exploitation despite no current reports of active exploitation. The flaw could be used for information disclosure or as a stepping stone: leaked pointers or secrets can make a separate local privilege-escalation bug more reliable. The absence of a vendor patch means users of the affected software need compensating mitigations now.
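To make the bug class concrete, the following is an added illustrative example and not code from FascinatedBox lily: a hypothetical "clear storages" routine in the shape the advisory describes (a loop over a heap array of storage slots whose bounds come from somewhere else), beside a bounds-checked version. The struct layout, field names, the scope-record idea and the trigger (a record whose end lies past the allocated array) are assumptions chosen to illustrate an out-of-bounds read; the page does not state lily's actual root cause.

```c
/* Added illustrative example, not FascinatedBox/lily code. All names and the
 * trigger condition are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define FLAG_IN_USE 0x1

typedef struct {
    uint16_t reg_spot;   /* register this storage maps to (hypothetical) */
    uint16_t expr_num;   /* expression that last claimed it (hypothetical) */
    uint8_t  flags;
} storage_t;

typedef struct {
    storage_t *data;     /* heap array of `size` slots */
    uint16_t   size;
} storage_stack_t;

/* A scope hands back the half-open index range [start, stop) it owned. */
typedef struct {
    uint16_t start;
    uint16_t stop;
} scope_record_t;

static storage_stack_t *stack_new(uint16_t size)
{
    storage_stack_t *s = calloc(1, sizeof *s);
    if (!s) return NULL;
    s->data = calloc(size, sizeof *s->data);
    if (!s->data) { free(s); return NULL; }
    s->size = size;
    return s;
}

static void stack_free(storage_stack_t *s)
{
    if (!s) return;
    free(s->data);
    free(s);
}

/* VULNERABLE pattern: the loop bound comes from the scope record and is never
 * compared with s->size. A miscomputed or corrupted record with stop > size
 * turns the read of st->flags into a heap out-of-bounds read (and the store
 * that follows into an out-of-bounds write). AddressSanitizer reports this as
 * heap-buffer-overflow on the first bad iteration. */
void clear_storages_unsafe(storage_stack_t *s, const scope_record_t *sc)
{
    for (uint16_t i = sc->start; i < sc->stop; i++) {
        storage_t *st = &s->data[i];
        if (st->flags & FLAG_IN_USE)   /* out-of-bounds read when i >= size */
            st->expr_num = 0;
        st->flags = 0;
    }
}

/* HARDENED: reject an inverted range or one that extends past the allocation
 * before touching memory. Returns 0 on success, -1 if the record is
 * inconsistent with the stack. */
int clear_storages_checked(storage_stack_t *s, const scope_record_t *sc)
{
    if (sc->start > sc->stop || sc->stop > s->size)
        return -1;
    for (uint16_t i = sc->start; i < sc->stop; i++) {
        storage_t *st = &s->data[i];
        if (st->flags & FLAG_IN_USE)
            st->expr_num = 0;
        st->flags = 0;
    }
    return 0;
}

static int count_in_use(const storage_stack_t *s)
{
    int n = 0;
    for (uint16_t i = 0; i < s->size; i++)
        if (s->data[i].flags & FLAG_IN_USE) n++;
    return n;
}

/* Mark all 4 slots in use, clear [start, stop) with the checked routine and
 * report how many slots remain in use. Returns the routine's status. */
int run_scenario(uint16_t start, uint16_t stop, int *in_use_after)
{
    storage_stack_t *s = stack_new(4);
    if (!s) return -2;
    for (uint16_t i = 0; i < s->size; i++) {
        s->data[i].flags = FLAG_IN_USE;
        s->data[i].expr_num = 7;
    }
    scope_record_t sc = { start, stop };
    int rc = clear_storages_checked(s, &sc);
    *in_use_after = count_in_use(s);
    stack_free(s);
    return rc;
}

int main(void)
{
    int left;
    int rc = run_scenario(1, 3, &left);
    printf("valid range [1,3): rc=%d, slots still in use=%d\n", rc, left);
    rc = run_scenario(2, 6, &left);
    printf("bad range [2,6) on 4 slots: rc=%d, slots still in use=%d\n", rc, left);
    return 0;
}
```

To see the unsafe variant fail, build with `cc -g -fsanitize=address` and call clear_storages_unsafe with a record such as {2, 6} on the 4-slot stack: ASan aborts with a heap-buffer-overflow report at the flags read. That is the same technique a practitioner can use on a lily build to confirm the real bug and to verify any community patch.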
Potential Impact
The primary impact of CVE-2026-3391 is information disclosure through out-of-bounds memory reads. What leaks is whatever sits next to the over-read buffer in the process, which can include credentials, cryptographic keys, or heap and stack addresses that defeat ASLR for a follow-on exploit. The vulnerability does not by itself give code execution or privilege escalation, but an attacker with local access could use the leaked data to make further attacks more reliable, including local privilege escalation or, with harvested credentials, lateral movement within the organization's network. The requirement for local access limits the attack surface to environments where users share systems or where an attacker has already gained a foothold. Public exploit code increases the risk of opportunistic attacks. Organizations relying on FascinatedBox lily in multi-user or shared environments face increased risk of data leakage that can feed follow-on compromise. The lack of vendor response and patches prolongs exposure and complicates remediation.
Mitigation Recommendations
Since no official patch or vendor response is currently available, organizations should rely on compensating controls. Restrict local access to trusted users and enforce strict access control and monitoring on systems that run FascinatedBox lily. Because lily_emitter.c is the compiler stage that turns parsed source into bytecode, the input that reaches the flawed code is Lily source the interpreter is asked to compile; treat such source as untrusted input and do not compile scripts from untrusted users or sources until a fix is available. Be precise about what memory-protection features buy here: ASLR makes leaked data harder to turn into a reliable follow-on exploit, but DEP/NX does nothing against an out-of-bounds read, which executes no injected code. For detection and verification, build lily from source with AddressSanitizer (cc -g -fsanitize=address) wherever a crash is acceptable; ASan turns a silent over-read into an immediate abort with a stack trace, which is also how to confirm that a community patch closes the bug. Run the interpreter under a sandbox (a dedicated low-privilege account, containers, seccomp) so that whatever it can read is limited to its own process, and monitor for unexpected lily crashes and other unusual local activity. Finally, watch the FascinatedBox lily project for a vendor or community patch and apply it promptly once available.
Affected Countries
United States, Germany, France, United Kingdom, Canada, Japan, South Korea, India, Australia, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-02-28T17:03:49.590Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69a425d832ffcdb8a21d528a
Added to database: 3/1/2026, 11:41:12 AM
Last enriched: 3/1/2026, 11:55:41 AM
Last updated: 3/1/2026, 9:31:55 PM
Related Threats
- CVE-2026-3395: Code Injection in MaxSite CMS (Medium)
- CVE-2026-3394: Memory Corruption in jarikomppa soloud (Medium)
- CVE-2026-3393: Heap-based Buffer Overflow in jarikomppa soloud (Medium)
- CVE-2026-3392: NULL Pointer Dereference in FascinatedBox lily (Medium)
- CVE-2026-3390: Out-of-Bounds Read in FascinatedBox lily (Medium)