Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
4.8
FascinatedBox lily versions 2.3 and below allow local data exposure
CVE-2026-2662
Summary
A flaw in FascinatedBox lily versions 2.3 and below could allow an attacker with local access to access and potentially expose sensitive data. This issue has been made public, so it's essential to update to the latest version of lily as soon as possible to prevent any potential exploitation.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| lily-lang | lily | <= 2.3 | – |
Original title
A weakness has been identified in FascinatedBox lily up to 2.3. This vulnerability affects the function count_transforms of the file src/lily_emitter.c. This manipulation causes out-of-bounds read....
Original description
A weakness has been identified in FascinatedBox lily up to 2.3. This vulnerability affects the function count_transforms of the file src/lily_emitter.c. This manipulation causes out-of-bounds read. The attack can only be executed locally. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
nvd CVSS2.0
1.7
nvd CVSS3.1
7.8
nvd CVSS4.0
4.8
Vulnerability type
CWE-119
Buffer Overflow
CWE-125
Out-of-bounds Read
CWE-787
Out-of-bounds Write
- https://github.com/FascinatedBox/lily/ Product
- https://github.com/FascinatedBox/lily/issues/381 Exploit Issue Tracking Third Party Advisory
- https://github.com/oneafter/0122/blob/main/i381/repro.lily Exploit
- https://vuldb.com/?ctiid.346460 Permissions Required VDB Entry
- https://vuldb.com/?id.346460 Third Party Advisory VDB Entry
- https://vuldb.com/?submit.753166 Exploit Third Party Advisory VDB Entry
Published: 18 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026