Gpac Gpac

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in any Gpac product.

RSS Feeds for Gpac security vulnerabilities

Create a CVE RSS feed including security vulnerabilities found in Gpac products with stack.watch. Just hit watch, then grab your custom RSS feed url.

Products by Gpac Sorted by Most Security Vulnerabilities since 2018

Gpac383 vulnerabilities

Gpac Mp4box55 vulnerabilities

By the Year

In 2026 there have been 65 vulnerabilities in Gpac with an average score of 5.5 out of ten. Last year, in 2025 Gpac had 6 security vulnerabilities published. That is, 59 more vulnerabilities have already been reported in 2026 as compared to last year. Last year, the average CVE base score was greater by 0.73




Year Vulnerabilities Average Score
2026 65 5.47
2025 6 6.20
2024 17 6.90
2023 84 6.76
2022 98 6.20
2021 116 6.75
2020 9 5.50
2019 23 7.03
2018 3 9.80

It may take a day or so for new Gpac vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Gpac Security Vulnerabilities

CVE Date Vulnerability Products
CVE-2026-15185 Jul 09, 2026
OOB Read in GPAC MP4Box vobsub_read_idx26.03-DEV A vulnerability was determined in GPAC 26.03-DEV. This affects the function vobsub_read_idx of the file /src/media_tools/vobsub.c of the component MP4Box. Executing a manipulation of the argument num_langs can lead to out-of-bounds read. The attack needs to be launched locally. The exploit has been publicly disclosed and may be utilized. This patch is called 532097084729a936bcdf6a27c41003f3bd7dc3ff. It is best practice to apply a patch to resolve this issue. Two different commits were applied to fix this issue.
Gpac
CVE-2026-50810 Jul 07, 2026
GPAC MPD Parsing NullP Deref Causing DoS A NULL pointer dereference in smooth_parse_stream_index() in src/media_tools/mpd.c in GPAC master HEAD before commit b35c61f104b85fbb16520ac2838d5d2ef70845b5 allows attackers to cause a denial of service
Gpac
CVE-2025-15668 Jul 06, 2026
Heap Buffer Overflow in GPAC MP4Box sgpd_del_entry A vulnerability was identified in GPAC up to b40ce70f5. This issue affects the function sgpd_del_entry of the file src/isomedia/box_code_base.c of the component MP4Box. Such manipulation of the argument data leads to heap-based buffer overflow. Local access is required to approach this attack. The exploit is publicly available and might be used. The name of the patch is f29f955f2a3b5e8e507caad3e52319f961bf37bf. It is advisable to implement a patch to correct this issue.
Gpac
CVE-2025-15667 Jul 06, 2026
GPAC MP4Box double free in gf_isom_nalu_sample_rewrite before 2.5-DEV A vulnerability was determined in GPAC up to 2.5-DEV. This vulnerability affects the function gf_isom_nalu_sample_rewrite of the file src/isomedia/avc_ext.c of the component MP4Box. This manipulation of the argument nalu_out_bs causes double free. It is possible to launch the attack on the local host. The exploit has been publicly disclosed and may be utilized. Patch name: f29f955f2a3b5e8e507caad3e52319f961bf37bf. To fix this issue, it is recommended to deploy a patch.
Gpac
CVE-2026-14801 Jul 06, 2026
GPAC 26.03-DEV Divide-by-zero in TeXML File Handler txtin_probe_duration A security vulnerability has been detected in GPAC 26.03-DEV-rev342-g80071f700-master. The impacted element is the function txtin_probe_duration of the file src/filters/load_text.c of the component TeXML File Handler. Such manipulation of the argument txml_timescale leads to divide by zero. An attack has to be approached locally. The name of the patch is 86a5191f2e750c767253e27ed6cfd6d547afebc2. A patch should be applied to remediate this issue.
Gpac
CVE-2026-14790 Jul 06, 2026
GPAC 26.02.0 NULL-DEREF via nhmldump_send_frame in Media File Handler A flaw has been found in GPAC 26.02.0. This affects the function nhmldump_send_frame of the file src/filters/write_nhml.c of the component Media File Handler. Executing a manipulation can lead to null pointer dereference. The attack requires local access. The exploit has been published and may be used. This patch is called bd1d94e70e3bef364c07c5a1d94eca5c9f56e160. A patch should be applied to remediate this issue. The project explains: "I would consider most of these more as bugs than vulns but anyway they're good to fix".
Gpac
CVE-2026-13523 Jun 29, 2026
GPAC 26.02.0 ISOBMFF Parser Local Exec via Base Encoding (CVE-2026-13523) A weakness has been identified in GPAC up to 26.02.0. This affects an unknown part of the file src/utils/base_encoding.c of the component ISOBMFF Parser. Executing a manipulation can lead to highly compressed data. The attack needs to be launched locally. The exploit has been made available to the public and could be used for attacks. This patch is called 297f2d8d1f493d8b241330533cd47f7da758aeb3. A patch should be applied to remediate this issue. The vendor confirms: "We added a check on inflate output size, if it surpasses 32 times the input size we stop in error. This value could be adjusted later."
Gpac
CVE-2025-60464 Jun 25, 2026
Use-After-Free causing DoS in MP4Box before 26.02.0 via crafted MPEG-2 TS A use-after-free in the gf_sei_load_from_state_internal function (/filters/sei_load.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MPEG-2 TS file.
Mp4box
CVE-2025-60465 Jun 25, 2026
GPAC MP4Box < v26.02.0 UF in gf_filter_pid_inst_swap causing DoS A use-after-free in the gf_filter_pid_inst_swap function (/filter_core/filter_pid.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted media file.
Mp4box
CVE-2025-60468 Jun 24, 2026
GPAC MP4Box <2.5DEV> UseAfterFree via PID Swap/Delete (buffer overflow) GPAC Multimedia Open Source Project GPAC Project/MP4Box 2.5-DEV-rev1593-gfe88c3545-master is affected by: Buffer Overflow. The impact is: cause a denial of service (local). The component is: filter_core/filter_pid.c (L:574-580): function gf_filter_pid_inst_swap_delete_task() improperly accesses freed objects during PID instance swap/delete cleanup, leading to heap use-after-free. The attack vector is: Local (AV:L): a local, authenticated user who processes a specially crafted MPEG-2 TS/MP4 file with MP4Box can trigger the bug during filter teardown (PID instance swap/delete), causing a crash. ¶¶ In GPAC s MP4Box, gf_filter_pid_inst_swap_delete_task() in filter_core/filter_pid.c may dereference objects after they have been freed when cleaning up PID instances after a swap/delete operation. Crafted inputs (e.g., malformed MPEG-2 TS) can trigger a heap use-after-free and crash; exploitation may be possible.
Mp4box
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD). Privacy Policy. Use of this site is governed by the Legal Terms
Disclaimer
CONTENT ON THIS WEBSITE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. Always check with your vendor for the most up to date, and accurate information.