Gpac


Products by Gpac Sorted by Most Security Vulnerabilities since 2018

Gpac: 376 vulnerabilities

Gpac Mp4box: 55 vulnerabilities

By the Year

In 2026 there have been 58 vulnerabilities in Gpac, with an average score of 5.7 out of ten. Last year, in 2025, Gpac had 6 security vulnerabilities published. That is, 52 more vulnerabilities have already been reported in 2026 than in all of last year. Last year, the average CVE base score was greater by 0.50.




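| Year | Vulnerabilities | Average Score |
|------|-----------------|---------------|
| 2026 | 58 | 5.70 |
| 2025 | 6 | 6.20 |
| 2024 | 17 | 6.90 |
| 2023 | 84 | 6.76 |
| 2022 | 98 | 6.20 |
| 2021 | 116 | 6.75 |
| 2020 | 9 | 5.50 |
| 2019 | 23 | 7.03 |
| 2018 | 3 | 9.80 |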

It may take a day or so for new Gpac vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Gpac Security Vulnerabilities

CVE Date Vulnerability Products
CVE-2025-60464 Jun 25, 2026
Use-After-Free causing DoS in MP4Box before 26.02.0 via crafted MPEG-2 TS
A use-after-free in the gf_sei_load_from_state_internal function (/filters/sei_load.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MPEG-2 TS file.
Mp4box
CVE-2025-60465 Jun 25, 2026
GPAC MP4Box < v26.02.0 UAF in gf_filter_pid_inst_swap causing DoS
A use-after-free in the gf_filter_pid_inst_swap function (/filter_core/filter_pid.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted media file.
Mp4box
CVE-2025-60474 Jun 24, 2026
GPAC MP4Box <26.02.0 Buffer Overflow in gf_media_import Causes DoS
A buffer overflow in the gf_media_import function (/media_tools/av_parsers.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted input.
Mp4box
CVE-2025-60468 Jun 24, 2026
GPAC MP4Box <2.5DEV> Use-After-Free via PID Swap/Delete (buffer overflow)
GPAC Multimedia Open Source Project GPAC Project/MP4Box 2.5-DEV-rev1593-gfe88c3545-master is affected by: Buffer Overflow. The impact is: cause a denial of service (local). The component is: filter_core/filter_pid.c (L:574-580): function gf_filter_pid_inst_swap_delete_task() improperly accesses freed objects during PID instance swap/delete cleanup, leading to heap use-after-free. The attack vector is: Local (AV:L): a local, authenticated user who processes a specially crafted MPEG-2 TS/MP4 file with MP4Box can trigger the bug during filter teardown (PID instance swap/delete), causing a crash.
In GPAC's MP4Box, gf_filter_pid_inst_swap_delete_task() in filter_core/filter_pid.c may dereference objects after they have been freed when cleaning up PID instances after a swap/delete operation. Crafted inputs (e.g., malformed MPEG-2 TS) can trigger a heap use-after-free and crash; exploitation may be possible.
Mp4box
CVE-2025-60466 Jun 24, 2026
Use-after-free in gf_filter_pid_get_packet (MP4Box <26.02.0) leads to DoS
A use-after-free in the gf_filter_pid_get_packet function (/filter_core/filter_pid.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted media file.
Mp4box
CVE-2025-60471 Jun 24, 2026
GPAC MP4Box DoS via use-after-free before 26.02.0
A use-after-free in the gf_filter_pid_reconfigure_task_discard function (/filter_core/filter_pid.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted media file.
Mp4box
CVE-2025-60473 Jun 24, 2026
MP4Box <26.02: NULL Pointer Deref in gf_filter_in_parent_chain Leads to DoS
A NULL pointer dereference in the gf_filter_in_parent_chain function (/filter_core/filter_pid.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted file.
Mp4box
CVE-2025-60467 Jun 24, 2026
Use-After-Free in MP4Box <26.02.0 Causing DoS via Crafted Media
A use-after-free in the gf_filter_pid_inst_swap_delete_task function (/filter_core/filter_pid.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted media file.
Mp4box
CVE-2025-55639 Jun 23, 2026
GPAC MP4Box v2.4 NULL Ptr Deref DoS via crafted MP4
GPAC MP4Box v2.4 was discovered to contain a NULL pointer dereference in the gf_isom_add_track_kind() function at isomedia/isom_write.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.
Mp4box
CVE-2025-55663 Jun 15, 2026
GPAC MP4Box v2.4 DoS via Segfault in Track_SetStreamDescriptor
A segmentation violation in the Track_SetStreamDescriptor function (isomedia/track.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file.
Mp4box
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).