CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-60095

mediumCVSS 6.5covered by 1 sourcefirst seen 2026-07-09
Vinchin Backup & Recovery through 9.0.0.86562 contains a stack buffer overflow vulnerability in the ModuleHandShake function of the agentlink_server service that allows unauthenticated remote attackers to overwrite the saved return address by supplying an oversized _listen_uuid field that is measured via strlen() and copied without bounds checking into a fixed-length stack buffer using strcpy(). Attackers can send a crafted request with a malicious _listen_uuid value to corrupt the stack and achieve process crash or potential control flow hijack without requiring authentication.

⚡ Watch CVE-2026-60095

Get an email if CVE-2026-60095 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-60095

CVE.org record

Embed the live status

CVE-2026-60095 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-60095 status](https://www.csirts.com/badge/CVE-2026-60095)](https://www.csirts.com/cve/CVE-2026-60095)