Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
4.8
FascinatedBox lily versions 2.3 and prior: Local data exposure through error reporting
CVE-2026-3390
Summary
A bug in the error reporting feature of FascinatedBox lily versions 2.3 and earlier can allow an attacker with local access to access sensitive data. This is a concern because it could potentially be exploited by someone with access to your system. We recommend upgrading to a patched version of lily to address this issue.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| lily-lang | lily | <= 2.3 | – |
Original title
A vulnerability was identified in FascinatedBox lily up to 2.3. This issue affects the function patch_line_end of the file src/lily_build_error.c of the component Error Reporting. The manipulation ...
Original description
A vulnerability was identified in FascinatedBox lily up to 2.3. This issue affects the function patch_line_end of the file src/lily_build_error.c of the component Error Reporting. The manipulation leads to out-of-bounds read. The attack can only be performed from a local environment. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.
nvd CVSS2.0
1.7
nvd CVSS3.1
5.5
nvd CVSS4.0
4.8
Vulnerability type
CWE-119
Buffer Overflow
CWE-125
Out-of-bounds Read
- https://github.com/FascinatedBox/lily/ Product
- https://github.com/FascinatedBox/lily/issues/382 Exploit Issue Tracking Vendor Advisory
- https://github.com/oneafter/0122/blob/main/i382/repro.lily Exploit
- https://vuldb.com/?ctiid.348276 Permissions Required VDB Entry
- https://vuldb.com/?id.348276 Third Party Advisory VDB Entry
- https://vuldb.com/?submit.761326 Third Party Advisory VDB Entry
Published: 1 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026