Platform: java
Component: liuyueyi/quick-media
Fixed in: 1.0.0
CVE-2026-24806 is a code injection vulnerability (improper control of code generation) in liuyueyi/quick-media, located in the batik-codec-fix module. An attacker who can reach the affected code path can inject arbitrary code, which in the worst case means remote code execution on the host running the library. The advisory lists the affected range as 0.0.0 through v1.0 and the fix as version 1.0.0; read that as every release earlier than 1.0.0 being affected, and treat 1.0.0 as the first safe version.
Successful exploitation lets an attacker run code in the context of the application that embeds quick-media, typically a server-side Java process. From there the usual consequences follow: arbitrary command execution with the application's privileges, access to whatever data and credentials that process holds, and a foothold for lateral movement. The flaw sits in PNGImageEncoder.java, the class that writes PNG output, so the exposed surface is whatever input quick-media renders to PNG (the fix note points at the SVG plugin modules) rather than PNG files the application reads. The advisory does not describe the exact trigger, so any code path that renders untrusted input to PNG through this module should be treated as in scope.
CVE-2026-24806 was publicly disclosed on 2026-01-27. No public proof-of-concept exploit is known at the time of writing; an EPSS score has been assigned (see Exploit Status below). The case is a reminder that small third-party libraries pulled in for one feature, here image and SVG handling, carry the same risk as any other dependency and need the same vetting.
Exploit Status
EPSS: 0.07% (21st percentile)
CISA SSVC: not provided
The fix for CVE-2026-24806 is to upgrade quick-media to version 1.0.0 or later. If the upgrade has to wait because of compatibility or change-window constraints, reduce exposure in the meantime: stop rendering untrusted input through the SVG and PNG encoding path, or move that rendering into an isolated, least-privilege process so that code execution inside it does not reach application data or credentials. Be cautious about input-side workarounds such as restricting accepted file types or validating PNG files: the vulnerable class is an encoder that produces PNG output, so checks on incoming PNG files do not necessarily cover the trigger, and a WAF rule for a library-level code injection is unlikely to be reliable. Also check whether quick-media arrives transitively through another dependency; a direct pom.xml entry is not the only way it can be present.
Update to version 1.0.0 or higher to mitigate the code injection vulnerability. The update corrects the improper control of code generation in the SVG plugin modules, specifically in PNGImageEncoder.java.
CVE-2026-24806 is a code injection vulnerability in the liuyueyi/quick-media library, allowing attackers to inject malicious code via PNGImageEncoder.java in the batik-codec-fix module.
You are affected if you use any quick-media version earlier than 1.0.0 (the advisory lists the range as 0.0.0 through v1.0). Check the versions you resolve, including transitive dependencies, and upgrade immediately if vulnerable.
Upgrade quick-media to version 1.0.0 or later to resolve the vulnerability. If an immediate upgrade is not possible, isolate or disable the rendering path that reaches the vulnerable encoder until it is.
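The version check described above and in the mitigation section, as an added example that is not part of this advisory or of the quick-media project. It scans a pom.xml for quick-media artifacts and compares each resolved version against the 1.0.0 fix version taken from the "Fixed in" field. The Maven groupId prefix, the artifactIds in the constructed sample pom, and the rule that every version below 1.0.0 is affected are assumptions; the advisory gives only the module name and the fixed version. Because a pom.xml lists only direct dependencies and may defer versions to a parent or BOM, confirm the result against `mvn dependency:tree`.

```python
"""Flag quick-media dependencies below the fixed version in a Maven pom.xml.

Added example for this advisory, not code from the quick-media project.
Assumed (not stated by the advisory): GROUP_PREFIX, the artifactIds in the
sample pom, and that every version below 1.0.0 is affected.
"""
import re
import xml.etree.ElementTree as ET

FIXED_VERSION = (1, 0, 0)                 # from the advisory's "Fixed in" field
GROUP_PREFIX = "com.github.liuyueyi"      # assumed; verify against your dependency tree
MAVEN_NS = "{http://maven.apache.org/POM/4.0.0}"


def parse_version(text):
    """Normalise 'v1.0', '1.0.0', '0.0.8-SNAPSHOT' etc. to a 3-tuple of ints."""
    core = text.strip().lstrip("vV").split("-")[0]   # drop 'v' prefix and qualifiers
    parts = []
    for piece in core.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    while len(parts) < 3:
        parts.append(0)                               # '1.0' -> (1, 0, 0)
    return tuple(parts[:3])


def is_vulnerable(version_text):
    """True when the version sorts below the first fixed release."""
    return parse_version(version_text) < FIXED_VERSION


def _expand(value, props):
    """Resolve ${property} references declared in <properties>; unknown ones stay as-is."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)


def _child_text(elem, tag, props):
    node = elem.find(MAVEN_NS + tag)
    if node is None or node.text is None:
        return None
    return _expand(node.text.strip(), props)


def scan_pom(pom_xml):
    """Return (groupId, artifactId, version, vulnerable) for every matching dependency.

    version/vulnerable are None when the version is managed elsewhere (parent, BOM,
    unresolved property); those entries must be resolved with Maven itself.
    """
    root = ET.fromstring(pom_xml)
    props = {}
    props_node = root.find(MAVEN_NS + "properties")
    if props_node is not None:
        for p in props_node:
            props[p.tag.replace(MAVEN_NS, "")] = (p.text or "").strip()
    pv = root.find(MAVEN_NS + "version")
    if pv is not None and pv.text:
        props["project.version"] = pv.text.strip()

    findings = []
    # iter() also walks <dependencyManagement>, which is where BOM-style pins live.
    for dep in root.iter(MAVEN_NS + "dependency"):
        gid = _child_text(dep, "groupId", props)
        aid = _child_text(dep, "artifactId", props)
        ver = _child_text(dep, "version", props)
        if gid is None or not gid.startswith(GROUP_PREFIX):
            continue
        if ver is None or "${" in ver:
            findings.append((gid, aid, None, None))
            continue
        findings.append((gid, aid, ver, is_vulnerable(ver)))
    return findings


# Constructed sample pom: one pinned-by-property vulnerable module, one fixed module,
# one unrelated dependency that must be ignored.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0-SNAPSHOT</version>
  <properties>
    <quick-media.version>0.0.8</quick-media.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>com.github.liuyueyi.media</groupId>
      <artifactId>svg-plugin</artifactId>
      <version>${quick-media.version}</version>
    </dependency>
    <dependency>
      <groupId>com.github.liuyueyi.media</groupId>
      <artifactId>batik-codec-fix</artifactId>
      <version>1.0.0</version>
    </dependency>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-lang3</artifactId>
      <version>3.14.0</version>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    for gid, aid, ver, vuln in scan_pom(SAMPLE_POM):
        status = "UNRESOLVED (check mvn dependency:tree)" if vuln is None else (
            "VULNERABLE" if vuln else "fixed")
        print(f"{gid}:{aid}:{ver} -> {status}")
```

Run it against a real pom by replacing SAMPLE_POM with the file contents; any entry reported as UNRESOLVED needs `mvn dependency:tree -Dincludes=com.github.liuyueyi*` (adjust the prefix) to learn the version Maven actually picks.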
As of the current disclosure date, there are no confirmed reports of active exploitation, but vigilance is advised.
Refer to the liuyueyi quick-media project's official website or repository for the latest security advisories and updates.