Aggregates CVE and security vulnerability intelligence across all Nullsoft-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Historical issues mainly involve vendor risk buffer overflow and vendor risk cross-site scripting and related security problems, affecting vendor surface software deployment and vendor surface production workloads scenarios.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2009-3996 | Heap-based buffer overflow in IN_MOD.DLL (aka the Module Decoder Plug-in) in Winamp before 5.57, and libmikmod 3.1.12, might allow remote attackers to execute arbitrary code via an Ultratracker file. | [email protected] | 9.3 | 9.88% | 2009-12-18 | 2026-04-23 |
| CVE-2009-3997 | Integer overflow in IN_MOD.DLL (aka the Module Decoder Plug-in) in Winamp before 5.57 might allow remote attackers to execute arbitrary code via an Oktalyzer file that triggers a heap-based buffer overflow. | [email protected] | 9.3 | 9.99% | 2009-12-18 | 2026-04-23 |
| CVE-2009-3995 | Multiple heap-based buffer overflows in IN_MOD.DLL (aka the Module Decoder Plug-in) in Winamp before 5.57, and libmikmod 3.1.12, might allow remote attackers to execute arbitrary code via (1) crafted samples or (2) crafted instrument definitions in an Impulse Tracker file. NOTE: some of these details are obtained from third party information. | [email protected] | 9.3 | 12.21% | 2009-12-18 | 2026-04-23 |
| CVE-2009-1831 | The Nullsoft Modern Skins Support module (gen_ff.dll) in Nullsoft Winamp before 5.552 allows remote attackers to execute arbitrary code via a crafted MAKI file, which triggers an incorrect sign extension, an integer overflow, and a stack-based buffer overflow. | [email protected] | 9.3 | 81.17% | 2009-05-29 | 2026-04-23 |
| CVE-2009-1791 | Heap-based buffer overflow in aiff_read_header in libsndfile 1.0.15 through 1.0.19, as used in Winamp 5.552 and possibly other media programs, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via an AIFF file with an invalid header value. | [email protected] | 9.3 | 8.48% | 2009-05-26 | 2026-04-23 |
| CVE-2009-1788 | Heap-based buffer overflow in voc_read_header in libsndfile 1.0.15 through 1.0.19, as used in Winamp 5.552 and possibly other media programs, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a VOC file with an invalid header value. | [email protected] | 9.3 | 8.57% | 2009-05-26 | 2026-04-23 |
| CVE-2009-0186 | Integer overflow in libsndfile 1.0.18, as used in Winamp and other products, allows context-dependent attackers to execute arbitrary code via crafted description chunks in a CAF audio file, leading to a heap-based buffer overflow. | [email protected] | 9.3 | 3.23% | 2009-03-05 | 2026-04-23 |
| CVE-2009-0263 | Multiple buffer overflows in Winamp 5.541 and earlier allow remote attackers to cause a denial of service and possibly execute arbitrary code via (1) a large Common Chunk (COMM) header value in an AIFF file and (2) a large invalid value in an MP3 file. | [email protected] | 10.0 | 17.87% | 2009-01-23 | 2026-04-23 |
| CVE-2008-3567 | Cross-zone scripting vulnerability in the NowPlaying functionality in NullSoft Winamp before 5.541 allows remote attackers to conduct cross-site scripting (XSS) attacks via an MP3 file with JavaScript in id3 tags. | [email protected] | 4.3 | 0.58% | 2008-08-10 | 2026-04-23 |
| CVE-2008-3441 | Nullsoft Winamp before 5.24 does not properly verify the authenticity of updates, which allows man-in-the-middle attackers to execute arbitrary code via a Trojan horse update, as demonstrated by evilgrade and DNS cache poisoning. | [email protected] | 7.5 | 1.08% | 2008-08-01 | 2026-04-23 |
| CVE-2007-4619 | Multiple integer overflows in Free Lossless Audio Codec (FLAC) libFLAC before 1.2.1, as used in Winamp before 5.5 and other products, allow user-assisted remote attackers to execute arbitrary code via a malformed FLAC file that triggers improper memory allocation, resulting in a heap-based buffer overflow. | [email protected] | 9.3 | 8.15% | 2007-10-12 | 2026-04-23 |
| CVE-2007-4392 | Winamp 5.35 allows remote attackers to cause a denial of service (program stack overflow and application crash) via an M3U file that recursively includes itself. | [email protected] | 4.3 | 1.35% | 2007-08-17 | 2026-04-23 |
| CVE-2007-2498 | libmp4v2.dll in Winamp 5.02 through 5.34 allows user-assisted remote attackers to execute arbitrary code via a certain .MP4 file. NOTE: some of these details are obtained from third party information. | [email protected] | 9.3 | 9.22% | 2007-05-04 | 2026-04-23 |
| CVE-2007-2180 | Buffer overflow in Nullsoft Winamp 5.3 allows user-assisted remote attackers to cause a denial of service (crash) via a crafted WMV file. | [email protected] | 7.1 | 9.40% | 2007-04-24 | 2026-04-23 |
| CVE-2007-1922 | The Impulse Tracker (IT) and ScreamTracker 3 (S3M) modules in IN_MOD.DLL in AOL Nullsoft Winamp 5.33 allows remote attackers to execute arbitrary code via a crafted (1) .IT or (2) .S3M file containing integer values that are used as memory offsets, which triggers memory corruption. | [email protected] | 9.3 | 15.64% | 2007-04-10 | 2026-04-23 |
| CVE-2007-1921 | LIBSNDFILE.DLL, as used by AOL Nullsoft Winamp 5.33 and possibly other products, allows remote attackers to execute arbitrary code via a crafted .MAT file that contains a value that is used as an offset, which triggers memory corruption. | [email protected] | 9.3 | 15.10% | 2007-04-10 | 2026-04-23 |
| CVE-2007-1229 | Cross-site scripting (XSS) vulnerability in the Nullsoft ShoutcastServer 1.9.7 allows remote attackers to inject arbitrary web script or HTML via the top-level URI on the Incoming interface (port 8001/tcp), which is not properly handled in the administrator interface when viewing the log file. | [email protected] | 4.3 | 4.30% | 2007-03-02 | 2026-04-23 |
| CVE-2006-5567 | Multiple heap-based buffer overflows in AOL Nullsoft WinAmp before 5.31 allow user-assisted remote attackers to execute arbitrary code via a crafted (1) ultravox-max-msg header to the Ultravox protocol handler or (2) unspecified Lyrics3 tags. | [email protected] | 9.3 | 47.00% | 2006-10-27 | 2026-04-23 |
| CVE-2006-3535 | Directory traversal vulnerability in Nullsoft SHOUTcast DSP before 1.9.7 allows remote attackers to read arbitrary files via unspecified vectors that are a "slight variation" of CVE-2006-3534. | [email protected] | 5.0 | 1.90% | 2006-07-12 | 2026-04-16 |
| CVE-2006-3534 | Directory traversal vulnerability in Nullsoft SHOUTcast DSP before 1.9.6 filters directory traversal sequences before decoding, which allows remote attackers to read arbitrary files via encoded dot dot (%2E%2E) sequences in an HTTP GET request for a file path containing "/content". | [email protected] | 7.8 | 1.25% | 2006-07-12 | 2026-04-16 |