[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-CVE-2026-7840":6},{"stargazers_count":4,"fetched_at":5},7,"2026-07-01T17:41:18.013Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":20,"aliases":21,"duplicate_of":9,"upstream":22,"downstream":23,"duplicates":24,"related":25,"reserved_at":9,"published_at":26,"modified_at":26,"state":27,"summary":28,"references_raw":35,"kevs":46,"epss":9,"epss_history":47,"metrics":48,"affected":52},"CVE-2026-7840","UltraVNC repeater through 1.8.2.2 contains a global buffer overflow in its embedded HTTP administration server. The functions wi_senderr() and wi_replyhdr() in repeater/webgui/webutils.c write the caller-supplied HTTP request URI into a fixed 1000-byte global buffer (hdrbuf) via unchecked sprintf calls. The HTTP receive buffer accepts URIs up to approximately 150 KB (WI_RXBUFSIZE = 153600), so an unauthenticated attacker who can reach the repeater HTTP port (default TCP 80) can overflow hdrbuf by at least 500 bytes with a single HTTP request containing a URI of 1500 bytes or longer, corrupting adjacent .bss-segment globals. The overflow occurs before any authentication check, making it reachable without credentials. A remote, unauthenticated attacker can achieve arbitrary code execution on the host running the repeater.",null,[11],{"_key":12,"id":12,"name":13,"description":14,"type":15,"status":16,"abstraction":17,"likelihood_of_exploit":18,"capec":19},"CWE-787","Out-of-bounds Write","The product writes data past the end, or before the beginning, of the intended buffer.","weakness","Draft","Base","High",[],[],[],[],[],[],[],"2026-07-01T03:33:28.957Z","PUBLISHED",{"cisa_kev":29,"cisa_ransomware":29,"cisa_vendor":9,"epss_severity":9,"epss_score":9,"severity":30,"severity_score":31,"severity_version":32,"severity_source":33,"severity_vector":34,"severity_status":27},false,"critical",9.3,"v4.0","cve.org","CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",[36,41],{"url":37,"sources":38,"tags":39},"https://uvnc.com/",[33],[40],"Vendor Advisory",{"url":42,"sources":43,"tags":44},"https://github.com/ultravnc/UltraVNC",[33],[45],"Product",[],[],[49],{"source":33,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":9,"cvss_v4_0":50},{"baseScore":31,"baseSeverity":51,"vectorString":34,"impactScore":9,"exploitabilityScore":9},"CRITICAL",[53],{"ecosystem":9,"name":54,"vendor":55,"product":56,"cpe_part":57,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":58},"UltraVNC","uvnc","ultravnc","a",[59],{"version":60,"is_range":61,"range_type":33,"version_start":9,"version_start_type":9,"version_end":62,"version_end_type":63,"fixed_in":9},"\u003C= 1.8.2.2",true,"1.8.2.2","including"]