bitwize music — Security Advisorieshttps://www.bitwizemusic.com/security/advisories/Vulnerability disclosures by bitwize under the BVE identifier scheme.Hugoen-usThu, 30 Apr 2026 00:00:00 +0000BVE-2026-0007 — STIGQter: Local Code Execution via Crafted .stigqter Project File + Export HTML (User Interaction Required)https://www.bitwizemusic.com/security/advisories/bve-2026-0007/Thu, 30 Apr 2026 00:00:00 +0000https://www.bitwizemusic.com/security/advisories/bve-2026-0007/path-traversallocal-code-executionuser-interactionqtsystemdpolyglotSTIGQter writes per-STIG HTML files using filenames pulled directly from the SQLite STIG.fileName column of the loaded .stigqter project file. Combined with an unescaped variables.HTMLHeader value written into each output file, an attacker who can convince a user to open a crafted .stigqter and click Export HTML can drop attacker-controlled content at attacker-chosen absolute paths — including a polyglot HTML / systemd unit that runs arbitrary code on the next systemctl --user daemon-reload. Fixed upstream on 2026-04-24.

Status: Fixed. Severity: High. Vendor: squinky86 (Jon Hood). Product: STIGQter.

CVE: CVE-2026-42881

View advisory

]]>BVE-2026-0008 — Pendinghttps://www.bitwizemusic.com/security/advisories/bve-2026-0008/Mon, 27 Apr 2026 00:00:00 +0000https://www.bitwizemusic.com/security/advisories/bve-2026-0008/A vulnerability discovered on 2026-04-27 and submitted to the Zero Day Initiative the same day for coordinated disclosure. Full details will be published here once disclosure is complete.

Status: Pending. Severity: Critical.

View advisory

]]>BVE-2026-0006 — Pendinghttps://www.bitwizemusic.com/security/advisories/bve-2026-0006/Wed, 22 Apr 2026 00:00:00 +0000https://www.bitwizemusic.com/security/advisories/bve-2026-0006/code-executionlocalA local code execution vulnerability discovered on 2026-04-19. It has been reported to the vendor, with a CVE requested on 2026-04-22. Full details will be published here once disclosure is complete.

Status: Pending. Severity: Critical.

View advisory

]]>BVE-2026-0005 — Pendinghttps://www.bitwizemusic.com/security/advisories/bve-2026-0005/Wed, 22 Apr 2026 00:00:00 +0000https://www.bitwizemusic.com/security/advisories/bve-2026-0005/rceunauthenticatedA critical unauthenticated remote code execution vulnerability discovered on 2026-04-19 and reported to the Zero Day Initiative (ZDI) the same day. Full details will be published here once disclosure is complete.

Status: Pending. Severity: Critical.

View advisory

]]>BVE-2026-0004 — Pendinghttps://www.bitwizemusic.com/security/advisories/bve-2026-0004/Wed, 22 Apr 2026 00:00:00 +0000https://www.bitwizemusic.com/security/advisories/bve-2026-0004/rceunauthenticatedA critical unauthenticated remote code execution vulnerability discovered on 2026-04-19 and reported to the Zero Day Initiative (ZDI) the same day. Full details will be published here once disclosure is complete.

Status: Pending. Severity: Critical.

View advisory

]]>BVE-2026-0002 — ok_json: heap buffer overread in UTF-8 validationhttps://www.bitwizemusic.com/security/advisories/bve-2026-0002/Wed, 22 Apr 2026 00:00:00 +0000https://www.bitwizemusic.com/security/advisories/bve-2026-0002/heap-buffer-overreadjson-parsermemory-safetyutf-8A heap buffer overread in ok_json's UTF-8 validator. A multi-byte UTF-8 lead byte at the end of input causes the validator to read continuation bytes past the end of the caller-supplied buffer. Fixed upstream on 2026-04-14.

Status: Fixed. Severity: High. Vendor: ionux. Product: ok_json.

View advisory

]]>BVE-2026-0003 — ok_json: heap buffer overread in true/false/null keyword matchinghttps://www.bitwizemusic.com/security/advisories/bve-2026-0003/Wed, 22 Apr 2026 00:00:00 +0000https://www.bitwizemusic.com/security/advisories/bve-2026-0003/heap-buffer-overreadjson-parsermemory-safetyA heap buffer overread in ok_json's keyword matcher. Input shorter than the expected keyword (`true`, `false`, `null`) causes `okj_match` to read past the end of the caller-supplied buffer. Fixed upstream on 2026-04-14.

Status: Fixed. Severity: High. Vendor: ionux. Product: ok_json.

View advisory

]]>BVE-2026-0001 — ok_json: heap buffer overread in \uXXXX escape parsinghttps://www.bitwizemusic.com/security/advisories/bve-2026-0001/Wed, 22 Apr 2026 00:00:00 +0000https://www.bitwizemusic.com/security/advisories/bve-2026-0001/heap-buffer-overreadjson-parsermemory-safetyA heap buffer overread in ok_json's `\uXXXX` escape parser. A truncated `\u` escape at the end of input causes the parser to read past the end of the caller-supplied buffer while consuming hex digits. Fixed upstream on 2026-04-14.

Status: Fixed. Severity: High. Vendor: ionux. Product: ok_json.

View advisory

]]>