CVE-2025-49148

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-49148

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-49148.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-49148

Aliases

GHSA-rc47-h83g-2r8j

Published

2025-06-11T14:53:48.591Z

Modified

2026-04-12T17:04:17.169798Z

Severity

7.3 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H CVSS Calculator

Summary

ClipShare Server Allows Local Privilege Escalation via DLL Hijacking

Details

ClipShare is a lightweight and cross-platform tool for clipboard sharing. Prior to 3.8.5, ClipShare Server for Windows uses the default Windows DLL search order and loads system libraries like CRYPTBASE.dll and WindowsCodecs.dll from its own directory before the system path. A local, non-privileged user who can write to the folder containing clip_share.exe can place malicious DLLs there, leading to arbitrary code execution in the context of the server, and, if launched by an Administrator (or another elevated user), it results in a reliable local privilege escalation. This vulnerability is fixed in 3.8.5.

Database specific

{
    "cwe_ids": [
        "CWE-427"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/49xxx/CVE-2025-49148.json",
    "cna_assigner": "GitHub_M"
}

References

Affected packages

Git / github.com/thevindu-w/clip_share_server

Affected ranges

Type

GIT

Repo

https://github.com/thevindu-w/clip_share_server

Events

Introduced

Fixed

04191058d5e769ecf2979531811e41745732edda

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.8.5"
        }
    ]
}

Affected versions

v2.*

v2.0

v2.1

v2.2

v2.3

v2.4

v2.5

v2.5.1

v2.6.0

v2.7.0

v2.8.0

v2.9.0

v3.*

v3.0.0

v3.1.0

v3.2.0

v3.2.1

v3.3.0

v3.3.1

v3.3.2

v3.3.3

v3.4.0

v3.5.0

v3.5.1

v3.5.2

v3.6.0

v3.7.0

v3.8.0

v3.8.1

v3.8.2

v3.8.3

v3.8.4

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-49148.json"

vanir_signatures_modified

"2026-04-12T17:04:17Z"

vanir_signatures

[
    {
        "signature_version": "v1",
        "deprecated": false,
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "200711091863444710263809425127183006646",
                "335400326475178537662265789418024315391",
                "255829493109095807253039535406465413637",
                "125339555279777019517190265643903096412",
                "26712830335828881412686801110980781460",
                "256717724035522438274532091970655857404"
            ]
        },
        "source": "https://github.com/thevindu-w/clip_share_server/commit/04191058d5e769ecf2979531811e41745732edda",
        "id": "CVE-2025-49148-24a979d7",
        "signature_type": "Line",
        "target": {
            "file": "src/utils/utils.c"
        }
    },
    {
        "signature_version": "v1",
        "deprecated": false,
        "digest": {
            "length": 562.0,
            "function_hash": "144876014374404385599275385673227312203"
        },
        "source": "https://github.com/thevindu-w/clip_share_server/commit/04191058d5e769ecf2979531811e41745732edda",
        "id": "CVE-2025-49148-46e3ded8",
        "signature_type": "Function",
        "target": {
            "function": "cleanup",
            "file": "src/utils/utils.c"
        }
    }
]