Vinchin Backup & Recovery through 9.0.0.86562 contains a stack buffer overflow vulnerability in the ModuleHandShake function of the agentlink_server service that allows unauthenticated remote attackers to overwrite the saved return address by supplying an oversized _listen_uuid field that is measured via strlen() and copied without bounds checking into a fixed-length stack buffer using strcpy(). Attackers can send a crafted request with a malicious _listen_uuid value to corrupt the stack and achieve process crash or potential control flow hijack without requiring authentication.
CVE-2026-60095
Score 6.5 from GitHub Security Advisory published 2026-07-09. a secondary CVSS source baseline 6.5; sources differ by 0.0.
- Lower severity and no public exploit yet
No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.
- CVSS v3
- 6.5
- EG Score
- 6.5(high)
- EPSS
- 37.1%
- KEV
- Not listed
Published
July 9, 2026
Last Modified
July 10, 2026
Advisory Details (3)
Auto-updated Jul 9, 2026Vinchin Backup & Recovery 9.0.0.86562 Stack Buffer Overflow via ModuleHandShake | Advisories | VulnCheck
https://www.vulncheck.com/advisories/vinchin-backup-recovery-stack-buffer-overflow-via-modulehandshakeVinchin Backup & Recovery 9.0: What's New? | Vinchin
https://www.vinchin.com/news/vinchin-backup-recovery-9-0.htmlCODE WHITE | Red Teaming & Attack Surface Management
https://code-white.com/public-vulnerability-list/Vendor Advisories for CVE-2026-60095(1)
These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.
Weakness Classification(1)
MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.
Data Freshness Timeline
(refreshed 18× in last 7d / 18× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
- 2026-07-14 09:34 UTCEG score recompute
- 2026-07-14 09:34 UTCGHSA enrichment
- 2026-07-13 22:31 UTCEPSS rescore
- 2026-07-13 10:19 UTCEG score recompute
- 2026-07-13 10:19 UTCGHSA enrichment
- 2026-07-13 06:13 UTCEPSS rescore
- 2026-07-13 06:13 UTCEPSS rescore
- 2026-07-12 11:07 UTCEG score recompute
- 2026-07-12 11:07 UTCGHSA enrichment
- 2026-07-12 05:46 UTCEPSS rescore
- 2026-07-11 11:55 UTCEG score recompute
- 2026-07-11 11:55 UTCGHSA enrichment
- 2026-07-11 08:27 UTCEPSS rescore
- 2026-07-11 08:27 UTCEPSS rescore
- 2026-07-10 12:43 UTCEG score recompute
- 2026-07-10 12:43 UTCGHSA enrichment
- 2026-07-09 13:31 UTCEG score recompute
- 2026-07-09 13:30 UTCMITRE cvelistV5first tracked
Related CVEs(same CWE)
Same CWE
10 shownCWE-121
- CVE-2012-10058EG 10.0CRITICAL
- CVE-2010-20113EG 9.8CRITICAL
- CVE-2010-20121EG 9.8CRITICAL
- CVE-2012-10060EG 9.8CRITICAL
- CVE-2012-10023EG 9.8CRITICAL
- CVE-2013-10042EG 9.8CRITICAL
- CVE-2012-10021EG 9.8CRITICAL
- CVE-2014-125117EG 9.8EPSS 91%CRITICAL
- CVE-2017-14854NVD 9.1EG 9.8EPSS 94%CRITICAL
- CVE-2015-1006EG 9.8EPSS 92%CRITICAL
Frequently asked(5)
What is CVE-2026-60095?
When was CVE-2026-60095 disclosed?
Is CVE-2026-60095 actively exploited?
What is the CVSS score of CVE-2026-60095?
How do I remediate CVE-2026-60095?
Dependency Blast Radius
Explore the affected products and dependency analysis for CVE-2026-60095
Is Your Infrastructure Affected by CVE-2026-60095?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.