CVE-2026-60095
Vinchin Backup & Recovery 9.0.0.86562 Stack Buffer Overflow via ModuleHandShake
CVSS Score
6.5
EPSS Score
0.0%
EPSS Percentile
0th
Vinchin Backup & Recovery through 9.0.0.86562 contains a stack buffer overflow vulnerability in the ModuleHandShake function of the agentlink_server service that allows unauthenticated remote attackers to overwrite the saved return address by supplying an oversized _listen_uuid field that is measured via strlen() and copied without bounds checking into a fixed-length stack buffer using strcpy(). Attackers can send a crafted request with a malicious _listen_uuid value to corrupt the stack and achieve process crash or potential control flow hijack without requiring authentication.
| CWE | CWE-121 |
| Vendor | vinchin |
| Product | backup & recovery 9.0 |
| Published | Jul 9, 2026 |
| Last Updated | Jul 9, 2026 |
Stay Ahead of the Next One
Get instant alerts for vinchin backup & recovery 9.0
Be the first to know when new medium vulnerabilities affecting vinchin backup & recovery 9.0 are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low
Affected Versions
Vinchin / Backup & Recovery 9.0
0 โค 9.0.0.86562
References
Credits
CODE WHITE GmbH