Lilypond Security Vulnerabilities and Issues — Lilypond CVE List

cve

CVE-2020-17354

LilyPond before 2.24 allows attackers to bypass the -dsafe protection mechanism via output-def-lookup or output-def-scope, as demonstrated by dangerous Scheme code in a .ly file that causes arbitrary code execution during conversion to a different file format. NOTE: in 2.24 and later versions,...

8.6CVSS

8.7AI Score

0.001EPSS

2023-04-15 10:15 PM

23

2

cve

CVE-2020-17353

scm/define-stencil-commands.scm in LilyPond through 2.20.0, and 2.21.x through 2.21.4, when -dsafe is used, lacks restrictions on embedded-ps and embedded-svg, as demonstrated by including dangerous PostScript...

9.8CVSS

9.2AI Score

0.003EPSS

2020-08-05 02:15 PM

269

cve

CVE-2018-10992

lilypond-invoke-editor in LilyPond 2.19.80 does not validate strings before launching the program specified by the BROWSER environment variable, which allows remote attackers to conduct argument-injection attacks via a crafted URL, as demonstrated by a --proxy-pac-file argument, because the GNU...

9.8CVSS

8.8AI Score

0.006EPSS

2018-05-11 10:29 PM

29

cve

CVE-2017-17523

lilypond-invoke-editor in LilyPond 2.19.80 does not validate strings before launching the program specified by the BROWSER environment variable, which allows remote attackers to conduct argument-injection attacks via a crafted URL, as demonstrated by a --proxy-pac-file...

8.8CVSS

8.5AI Score

0.006EPSS

2017-12-11 06:29 AM

25