← Back

CVE-2025-15276

nvd nist
Published: Dec 31, 2025Modified: Jan 7, 2026

JSON object

Loading...
7.8
Vector
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploitability: 1.8 / Impact: 5.9
Source: zdi-disclosures@trendmicro.com (Secondary)

Description

FontForge SFD File Parsing Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of FontForge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of SFD files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28198.

Affected (1)

Products: Fontforge: Fontforge
Fontforge
1 product
Fontforge
Configuration A
1 vulnerable
Vulnerable SoftwareAffected Versions
Fontforge
Version 20251009

Related CWEs

CWE-502
Deserialization of Untrusted Data
The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

References (1)

Source: zdi-disclosures@trendmicro.com
Third Party Advisory

Timeline

No history available yet.