CVE-2026-36365
Arbitrary Code Execution in caesium-image-compressor
Publication date: 2026-05-04
Last updated on: 2026-05-05
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| lymphatus | caesium-image-compressor | up to 02da2c6 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not include any details about how the vulnerability in Lymphatus caesium-image-compressor affects compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves local arbitrary code execution via unsafe system calls in the shutdownMachine and putMachineToSleep functions of the caesium-image-compressor software. Detection would require identifying if the affected versions (up to and including commit 02da2c6) of the software are installed and in use on the system.
Since the vulnerability is local and triggered by specific functions in the application, network detection is unlikely. Instead, detection can focus on verifying the installed version of caesium-image-compressor.
- Check the installed version or commit of caesium-image-compressor by running the application with a version command, for example: `caesium-image-compressor --version` or checking the binary metadata.
- On Linux, you can locate the binary and check its version or commit hash if available.
- Review system logs or audit logs for any suspicious execution of shutdown or sleep commands triggered by the caesium-image-compressor application.
No specific detection commands or signatures are provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the caesium-image-compressor software to a version that includes the security fix replacing unsafe system() calls with safer QProcess::startDetached() calls.
If an updated version is not yet available, avoid running the vulnerable functions (shutdownMachine and putMachineToSleep) or restrict local user access to the application to trusted users only.
Monitor the official repository or advisories for the release of the patched version and apply it as soon as possible.
As a general security practice, limit local user privileges to reduce the risk of arbitrary code execution.
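To show why the fix described above works, here is an added example (not the project's code) contrasting the two spawning shapes: a single command line handed to the shell, which is what `system()` does, versus a program plus an argument list with no shell involved, the shape `QProcess::startDetached(program, arguments)` takes. `echo` stands in for the shutdown binary, the function names are hypothetical, and the hostile delay value is constructed.

```cpp
#include <cstdio>
#include <string>
#include <vector>
#include <sys/wait.h>
#include <unistd.h>

// Constructed hostile "delay" value: a shell treats ';' as a command separator.
const std::string kHostileDelay = "now; echo INJECTED";

// Vulnerable shape (what system() does): one string is handed to /bin/sh -c,
// so shell metacharacters inside the interpolated value become new commands.
// popen() is used only so the output can be captured and compared.
std::string runViaShell(const std::string& cmdline) {
    std::string out;
    FILE* p = popen(cmdline.c_str(), "r");
    if (!p) return out;
    char buf[256];
    while (fgets(buf, sizeof buf, p)) out += buf;
    pclose(p);
    return out;
}

// Hardened shape (the form QProcess::startDetached(program, arguments) takes):
// program and arguments travel as separate argv entries and no shell runs,
// so the hostile value is just one opaque argument to the program.
std::string runViaArgv(const std::vector<std::string>& argv) {
    std::string out;
    int fds[2];
    if (pipe(fds) != 0) return out;
    pid_t pid = fork();
    if (pid == 0) {                       // child: stdout -> pipe, then exec
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]); close(fds[1]);
        std::vector<char*> cargv;
        for (const auto& a : argv) cargv.push_back(const_cast<char*>(a.c_str()));
        cargv.push_back(nullptr);
        execvp(cargv[0], cargv.data());
        _exit(127);                       // exec failed
    }
    close(fds[1]);
    char buf[256]; ssize_t n;
    while ((n = read(fds[0], buf, sizeof buf)) > 0) out.append(buf, n);
    close(fds[0]);
    waitpid(pid, nullptr, 0);
    return out;
}

// Hypothetical stand-ins for a post-compression "shutdown" action; "echo"
// replaces the real shutdown binary so the example is harmless to run.
std::string vulnerableShutdown() { return runViaShell("echo " + kHostileDelay); }
std::string hardenedShutdown()   { return runViaArgv({"echo", kHostileDelay}); }
```

With the shell route the output is two lines (the second produced by the injected command); with the argv route `echo` prints the hostile value verbatim as a single argument.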
How can this vulnerability impact me?
An attacker with local access could exploit this vulnerability to execute arbitrary code on the affected system. This could lead to unauthorized control over the machine, potentially allowing the attacker to disrupt operations, access sensitive data, or install malicious software.
Can you explain this vulnerability to me?
This vulnerability exists in Lymphatus caesium-image-compressor in all versions up to and including commit 02da2c6. It allows a local attacker to execute arbitrary code by exploiting the shutdownMachine and putMachineToSleep functions in the PostCompressionActions.cpp file.