Gpac
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in any Gpac product.
RSS Feeds for Gpac security vulnerabilities
Create a CVE RSS feed including security vulnerabilities found in Gpac products with stack.watch. Just hit watch, then grab your custom RSS feed url.
Products by Gpac Sorted by Most Security Vulnerabilities since 2018
By the Year
In 2026 there have been 65 vulnerabilities in Gpac with an average score of 5.5 out of ten. Last year, in 2025 Gpac had 6 security vulnerabilities published. That is, 59 more vulnerabilities have already been reported in 2026 as compared to last year. Last year, the average CVE base score was greater by 0.73
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 65 | 5.47 |
| 2025 | 6 | 6.20 |
| 2024 | 17 | 6.90 |
| 2023 | 84 | 6.76 |
| 2022 | 98 | 6.20 |
| 2021 | 116 | 6.75 |
| 2020 | 9 | 5.50 |
| 2019 | 23 | 7.03 |
| 2018 | 3 | 9.80 |
It may take a day or so for new Gpac vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Gpac Security Vulnerabilities
| CVE | Date | Vulnerability | Products |
|---|---|---|---|
| CVE-2026-15185 | Jul 09, 2026 |
OOB Read in GPAC MP4Box vobsub_read_idx26.03-DEVA vulnerability was determined in GPAC 26.03-DEV. This affects the function vobsub_read_idx of the file /src/media_tools/vobsub.c of the component MP4Box. Executing a manipulation of the argument num_langs can lead to out-of-bounds read. The attack needs to be launched locally. The exploit has been publicly disclosed and may be utilized. This patch is called 532097084729a936bcdf6a27c41003f3bd7dc3ff. It is best practice to apply a patch to resolve this issue. Two different commits were applied to fix this issue. |
|
| CVE-2026-50810 | Jul 07, 2026 |
GPAC MPD Parsing NullP Deref Causing DoSA NULL pointer dereference in smooth_parse_stream_index() in src/media_tools/mpd.c in GPAC master HEAD before commit b35c61f104b85fbb16520ac2838d5d2ef70845b5 allows attackers to cause a denial of service |
|
| CVE-2025-15668 | Jul 06, 2026 |
Heap Buffer Overflow in GPAC MP4Box sgpd_del_entryA vulnerability was identified in GPAC up to b40ce70f5. This issue affects the function sgpd_del_entry of the file src/isomedia/box_code_base.c of the component MP4Box. Such manipulation of the argument data leads to heap-based buffer overflow. Local access is required to approach this attack. The exploit is publicly available and might be used. The name of the patch is f29f955f2a3b5e8e507caad3e52319f961bf37bf. It is advisable to implement a patch to correct this issue. |
|
| CVE-2025-15667 | Jul 06, 2026 |
GPAC MP4Box double free in gf_isom_nalu_sample_rewrite before 2.5-DEVA vulnerability was determined in GPAC up to 2.5-DEV. This vulnerability affects the function gf_isom_nalu_sample_rewrite of the file src/isomedia/avc_ext.c of the component MP4Box. This manipulation of the argument nalu_out_bs causes double free. It is possible to launch the attack on the local host. The exploit has been publicly disclosed and may be utilized. Patch name: f29f955f2a3b5e8e507caad3e52319f961bf37bf. To fix this issue, it is recommended to deploy a patch. |
|
| CVE-2026-14801 | Jul 06, 2026 |
GPAC 26.03-DEV Divide-by-zero in TeXML File Handler txtin_probe_durationA security vulnerability has been detected in GPAC 26.03-DEV-rev342-g80071f700-master. The impacted element is the function txtin_probe_duration of the file src/filters/load_text.c of the component TeXML File Handler. Such manipulation of the argument txml_timescale leads to divide by zero. An attack has to be approached locally. The name of the patch is 86a5191f2e750c767253e27ed6cfd6d547afebc2. A patch should be applied to remediate this issue. |
|
| CVE-2026-14790 | Jul 06, 2026 |
GPAC 26.02.0 NULL-DEREF via nhmldump_send_frame in Media File HandlerA flaw has been found in GPAC 26.02.0. This affects the function nhmldump_send_frame of the file src/filters/write_nhml.c of the component Media File Handler. Executing a manipulation can lead to null pointer dereference. The attack requires local access. The exploit has been published and may be used. This patch is called bd1d94e70e3bef364c07c5a1d94eca5c9f56e160. A patch should be applied to remediate this issue. The project explains: "I would consider most of these more as bugs than vulns but anyway they're good to fix". |
|
| CVE-2026-13523 | Jun 29, 2026 |
GPAC 26.02.0 ISOBMFF Parser Local Exec via Base Encoding (CVE-2026-13523)A weakness has been identified in GPAC up to 26.02.0. This affects an unknown part of the file src/utils/base_encoding.c of the component ISOBMFF Parser. Executing a manipulation can lead to highly compressed data. The attack needs to be launched locally. The exploit has been made available to the public and could be used for attacks. This patch is called 297f2d8d1f493d8b241330533cd47f7da758aeb3. A patch should be applied to remediate this issue. The vendor confirms: "We added a check on inflate output size, if it surpasses 32 times the input size we stop in error. This value could be adjusted later." |
|
| CVE-2025-60464 | Jun 25, 2026 |
Use-After-Free causing DoS in MP4Box before 26.02.0 via crafted MPEG-2 TSA use-after-free in the gf_sei_load_from_state_internal function (/filters/sei_load.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MPEG-2 TS file. |
|
| CVE-2025-60465 | Jun 25, 2026 |
GPAC MP4Box < v26.02.0 UF in gf_filter_pid_inst_swap causing DoSA use-after-free in the gf_filter_pid_inst_swap function (/filter_core/filter_pid.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted media file. |
|
| CVE-2025-60468 | Jun 24, 2026 |
GPAC MP4Box <2.5DEV> UseAfterFree via PID Swap/Delete (buffer overflow)GPAC Multimedia Open Source Project GPAC Project/MP4Box 2.5-DEV-rev1593-gfe88c3545-master is affected by: Buffer Overflow. The impact is: cause a denial of service (local). The component is: filter_core/filter_pid.c (L:574-580): function gf_filter_pid_inst_swap_delete_task() improperly accesses freed objects during PID instance swap/delete cleanup, leading to heap use-after-free. The attack vector is: Local (AV:L): a local, authenticated user who processes a specially crafted MPEG-2 TS/MP4 file with MP4Box can trigger the bug during filter teardown (PID instance swap/delete), causing a crash. ¶¶ In GPAC s MP4Box, gf_filter_pid_inst_swap_delete_task() in filter_core/filter_pid.c may dereference objects after they have been freed when cleaning up PID instances after a swap/delete operation. Crafted inputs (e.g., malformed MPEG-2 TS) can trigger a heap use-after-free and crash; exploitation may be possible. |
|