CVE-2026-1188 — Incorrect Calculation of Buffer Size in Foundation Eclipse OMR

CWE-131 — Incorrect Calculation of Buffer Size CWE-120 — Classic Buffer Overflow CWE-1188 — Initialization of a Resource with an Insecure Default CWE-918 — Server-Side Request Forgery CWE-306 — Missing Authentication for Critical Function CWE-749 — Exposed Dangerous Method or Function CWE-668 — Resource Exposure CWE-276 — Incorrect Default Permissions CWE-321 — Use of Hard-coded Cryptographic Key CWE-22 — Path Traversal CWE-287 — Improper Authentication CWE-78 — OS Command Injection14 documents7 sources

Severity

6.9MEDIUMNVD

GHSA9.8

EPSS

0.0%

top 94.34%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Eclipse Foundation Eclipse OMR Eclipse OMR

Timeline

PublishedJan 29

Latest updateApr 8

Description

In the Eclipse OMR port library component since release 0.2.0, an API function to return the textual names of all supported processor features was not accounting for the separator inserted between processor features. If the output buffer supplied to this function was incorrectly sized, failing to account for the separator when determining when a write to the buffer was safe could lead to a buffer overflow. This issue is fixed in Eclipse OMR version 0.8.0.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L

Affected Packages2 packages

▶NVDeclipse/omr0.2 — 0.8.0

▶CVEListV5eclipse_foundation/eclipse_omr0.2.0 — 0.8.0

Patches

Patch: github.com ↗

🔴Vulnerability Details

GHSA

openclaw-claude-bridge: sandbox is not effective - `--allowed-tools ""` does not restrict available tools↗2026-04-08

▶

GHSA

Budibase: Server-Side Request Forgery via REST Connector with Empty Default Blacklist↗2026-04-03

▶

GHSA

Electron: Context Isolation bypass via contextBridge VideoFrame transfer↗2026-04-03

▶

GHSA

DNS Rebinding Protection Disabled by Default in Model Context Protocol Go SDK for Servers Running on Localhost↗2026-04-01

▶

GHSA

@siteboon/claude-code-ui Vulnerable to Unauthenticated RCE via WebSocket Shell Injection↗2026-03-11

▶

📋Vendor Advisories

Red Hat

github.com/modelcontextprotocol/go-sdk: Model Context Protocol (MCP) Go SDK: DNS rebinding vulnerability allows unauthorized access↗2026-04-02

▶

Microsoft

Microsoft ACI Confidential Containers Information Disclosure Vulnerability↗2026-03-10

▶

🕵️Threat Intelligence

Wiz

CVE-2026-1188 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶