[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-CVE-2026-40493":6},{"stargazers_count":4,"fetched_at":5},5,"2026-04-19T02:14:11.276Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":20,"aliases":21,"duplicate_of":9,"upstream":22,"downstream":23,"duplicates":26,"related":27,"reserved_at":9,"published_at":28,"modified_at":28,"state":29,"summary":30,"references_raw":39,"kevs":51,"epss":52,"epss_history":55,"metrics":57,"affected":64},"CVE-2026-40493","SAIL is a cross-platform library for loading and saving images with support for animation, metadata, and ICC profiles. Prior to commit c930284445ea3ff94451ccd7a57c999eca3bc979, the PSD codec computes bytes-per-pixel (`bpp`) from raw header fields `channels * depth`, but the pixel buffer is allocated based on the resolved pixel format. For LAB mode with `channels=3, depth=16`, `bpp = (3*16+7)/8 = 6`, but the format `BPP40_CIE_LAB` allocates only 5 bytes per pixel. Every pixel write overshoots, causing a deterministic heap buffer overflow on every row. \nCommit c930284445ea3ff94451ccd7a57c999eca3bc979 contains a patch.",null,[11],{"_key":12,"id":12,"name":13,"description":14,"type":15,"status":16,"abstraction":17,"likelihood_of_exploit":18,"capec":19},"CWE-787","Out-of-bounds Write","The product writes data past the end, or before the beginning, of the intended buffer.","weakness","Draft","Base","High",[],[],[],[],[24],{"_key":25},"DEBIAN-CVE-2026-40493",[],[],"2026-04-18T01:41:14.664Z","Received",{"cisa_kev":31,"cisa_ransomware":31,"cisa_vendor":9,"epss_severity":32,"epss_score":33,"severity":34,"severity_score":35,"severity_version":36,"severity_source":37,"severity_vector":38,"severity_status":29},false,"low",0.00043,"critical",9.8,"v3.1","cve.org","CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",[40,46],{"url":41,"sources":42,"tags":44},"https://github.com/HappySeaFox/sail/security/advisories/GHSA-rcqx-gc76-r9mv",[37,43],"nvd",[45],"X Refsource CONFIRM",{"url":47,"sources":48,"tags":49},"https://github.com/HappySeaFox/sail/commit/c930284445ea3ff94451ccd7a57c999eca3bc979",[37,43],[50],"X Refsource MISC",[],{"date":53,"score":33,"percentile":54},"2026-04-18",0.12905,[56],{"date":53,"score":33,"percentile":54},[58,62],{"source":37,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":59,"cvss_v4_0":9},{"baseScore":35,"baseSeverity":60,"vectorString":38,"impactScore":35,"exploitabilityScore":61},"CRITICAL",10,{"source":43,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":63,"cvss_v4_0":9},{"baseScore":35,"baseSeverity":60,"vectorString":38,"impactScore":35,"exploitabilityScore":61},[65],{"ecosystem":9,"name":66,"vendor":67,"product":66,"cpe_part":68,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":69},"sail","happyseafox","a",[70],{"version":71,"is_range":72,"range_type":37,"version_start":9,"version_start_type":9,"version_end":73,"version_end_type":74,"fixed_in":9},"\u003C c930284445ea3ff94451ccd7a57c999eca3bc979",true,"c930284445ea3ff94451ccd7a57c999eca3bc979","excluding"]