FascinatedBox lily: Local Code Execution after Malicious Input
CVE-2026-3392
Summary
A vulnerability in FascinatedBox lily version 2.3 or earlier lets a local attacker trigger a null pointer dereference by manipulating the input to the eval_tree function in src/lily_emitter.c. The attack is restricted to local execution, and an exploit has been made available to the public. No fixed version is available yet, and the project has not responded to the issue report.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| lily-lang | lily | <= 2.3 | – |
Original title
A weakness has been identified in FascinatedBox lily up to 2.3. The affected element is the function eval_tree of the file src/lily_emitter.c. This manipulation causes null pointer dereference. The...
Original description
A weakness has been identified in FascinatedBox lily up to 2.3. The affected element is the function eval_tree of the file src/lily_emitter.c. This manipulation causes null pointer dereference. The attack is restricted to local execution. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
CVSS scores
| Source | CVSS version | Score |
|---|---|---|
| NVD | 2.0 | 1.7 |
| NVD | 3.1 | 5.5 |
| NVD | 4.0 | 4.8 |
Vulnerability type
CWE-404
CWE-476 (NULL Pointer Dereference)
References
- https://github.com/FascinatedBox/lily/ (Product)
- https://github.com/FascinatedBox/lily/issues/384 (Exploit, Issue Tracking, Vendor Advisory)
- https://github.com/oneafter/0122/blob/main/i384/repro.lily (Exploit)
- https://vuldb.com/?ctiid.348278 (Permissions Required, VDB Entry)
- https://vuldb.com/?id.348278 (Third Party Advisory, VDB Entry)
- https://vuldb.com/?submit.761328 (Third Party Advisory, VDB Entry)
Published: 1 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026