Aggregates CVE and security vulnerability intelligence across all webassembly-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Historical issues mainly involve vendor risk memory corruption and vendor risk cross-site scripting and related security problems, affecting vendor surface production workloads and vendor surface software deployment scenarios.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2026-8257 | A vulnerability was detected in WebAssembly Binaryen up to 117. This issue affects the function IRBuilder::makeBrOn of the file src/wasm/wasm-ir-builder.cpp of the component BrOn Parser. Performing a manipulation results in reachable assertion. The attack needs to be approached locally. The exploit is now public and may be used. The patch is named 1251efbc1ea471c1311d2726b2bbe061ff2a291c. It is suggested to install a patch to address this issue. | [email protected] | 1.9 | 0.16% | 2026-05-11 | 2026-05-21 |
| CVE-2025-15412 | A security vulnerability has been detected in WebAssembly wabt up to 1.0.39. This issue affects the function wabt::Decompiler::VarName of the file /src/repro/wabt/bin/wasm-decompile of the component wasm-decompile. Such manipulation leads to out-of-bounds read. Local access is required to approach this attack. The exploit has been disclosed publicly and may be used. Unfortunately, the project has no active maintainer at the moment. In a reply to the issue report somebody recommended to the resea | [email protected] | 1.9 | 0.18% | 2026-01-01 | 2026-04-29 |
| CVE-2025-15411 | A weakness has been identified in WebAssembly wabt up to 1.0.39. This vulnerability affects the function wabt::AST::InsertNode of the file /src/repro/wabt/bin/wasm-decompile of the component wasm-decompile. This manipulation causes memory corruption. It is possible to launch the attack on the local host. The exploit has been made available to the public and could be used for attacks. Unfortunately, the project has no active maintainer at the moment. In a reply to the issue report somebody recomm | [email protected] | 1.9 | 0.18% | 2026-01-01 | 2026-04-29 |
| CVE-2025-14957 | A vulnerability was identified in WebAssembly Binaryen up to 125. This affects the function IRBuilder::makeLocalGet/IRBuilder::makeLocalSet/IRBuilder::makeLocalTee of the file src/wasm/wasm-ir-builder.cpp of the component IRBuilder. Such manipulation of the argument Index leads to null pointer dereference. Local access is required to approach this attack. The exploit is publicly available and might be used. The name of the patch is 6fb2b917a79578ab44cf3b900a6da4c27251e0d4. Applying a patch is ad | [email protected] | 1.9 | 0.18% | 2025-12-19 | 2026-04-29 |
| CVE-2025-14956 | A vulnerability was determined in WebAssembly Binaryen up to 125. Affected by this issue is the function WasmBinaryReader::readExport of the file src/wasm/wasm-binary.cpp. This manipulation causes heap-based buffer overflow. It is possible to launch the attack on the local host. The exploit has been publicly disclosed and may be utilized. Patch name: 4f52bff8c4075b5630422f902dd92a0af2c9f398. It is recommended to apply a patch to fix this issue. | [email protected] | 1.9 | 0.18% | 2025-12-19 | 2026-04-29 |
| CVE-2025-6275 | A vulnerability was found in WebAssembly wabt up to 1.0.37. It has been declared as problematic. Affected by this vulnerability is the function GetFuncOffset of the file src/interp/binary-reader-interp.cc. The manipulation leads to use after free. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. A similar issue reported during the same timeframe was disputed by the code maintainer because it might not affect "real world wasm pro | [email protected] | 1.9 | 0.16% | 2025-06-19 | 2026-04-29 |
| CVE-2025-6274 | A vulnerability was found in WebAssembly wabt up to 1.0.37. It has been classified as problematic. Affected is the function OnDataCount of the file src/interp/binary-reader-interp.cc. The manipulation leads to resource consumption. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. A similar issue reported during the same timeframe was disputed by the code maintainer because it might not affect "real world wasm programs". Therefore, this entry might | [email protected] | 1.9 | 0.16% | 2025-06-19 | 2026-04-29 |
| CVE-2025-6273 | A vulnerability was found in WebAssembly wabt up to 1.0.37 and classified as problematic. This issue affects the function LogOpcode of the file src/binary-reader-objdump.cc. The manipulation leads to reachable assertion. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The code maintainer explains that this issue might not affect "real world wasm programs". | [email protected] | 1.9 | 0.19% | 2025-06-19 | 2026-04-29 |
| CVE-2025-3122 | A vulnerability classified as problematic was found in WebAssembly wabt 1.0.36. Affected by this vulnerability is the function BinaryReaderInterp::BeginFunctionBody of the file src/interp/binary-reader-interp.cc. The manipulation leads to null pointer dereference. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. | [email protected] | 2.3 | 0.50% | 2025-04-02 | 2025-09-23 |
| CVE-2025-2584 | A vulnerability was found in WebAssembly wabt 1.0.36. It has been declared as critical. This vulnerability affects the function BinaryReaderInterp::GetReturnCallDropKeepCount of the file wabt/src/interp/binary-reader-interp.cc. The manipulation leads to heap-based buffer overflow. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. | [email protected] | 2.3 | 0.44% | 2025-03-21 | 2025-11-25 |
| CVE-2025-2368 | A vulnerability was found in WebAssembly wabt 1.0.36 and classified as critical. This issue affects the function wabt::interp::(anonymous namespace)::BinaryReaderInterp::OnExport of the file wabt/src/interp/binary-reader-interp.cc of the component Malformed File Handler. The manipulation leads to heap-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. | [email protected] | 5.3 | 0.49% | 2025-03-17 | 2026-01-06 |
| CVE-2023-46331 | WebAssembly wabt 1.0.33 has an Out-of-Bound Memory Read in in DataSegment::IsValidRange(), which lead to segmentation fault. | [email protected] | 5.5 | 0.21% | 2023-10-23 | 2024-11-21 |
| CVE-2023-46332 | WebAssembly wabt 1.0.33 contains an Out-of-Bound Memory Write in DataSegment::Drop(), which lead to segmentation fault. | [email protected] | 5.5 | 0.27% | 2023-10-23 | 2024-11-21 |
| CVE-2020-18382 | Heap-buffer-overflow in /src/wasm/wasm-binary.cpp in wasm::WasmBinaryBuilder::visitBlock(wasm::Block*) in Binaryen 1.38.26. A crafted wasm input can cause a segmentation fault, leading to denial-of-service, as demonstrated by wasm-opt. | [email protected] | 6.5 | 0.53% | 2023-08-22 | 2024-11-21 |
| CVE-2020-18378 | A NULL pointer dereference was discovered in SExpressionWasmBuilder::makeBlock in wasm/wasm-s-parser.c in Binaryen 1.38.26. A crafted wasm input can cause a segmentation fault, leading to denial-of-service, as demonstrated by wasm-as. | [email protected] | 6.5 | 0.53% | 2023-08-22 | 2024-11-21 |
| CVE-2023-31669 | WebAssembly wat2wasm v1.0.32 allows attackers to cause a libc++abi.dylib crash by putting '@' before a quote ("). | [email protected] | 5.5 | 0.28% | 2023-05-23 | 2025-01-31 |
| CVE-2023-31670 | An issue in wasm2c 1.0.32, wasm2wat 1.0.32, wasm-decompile 1.0.32, and wasm-validate 1.0.32 allows attackers to cause a Denial of Service (DoS) via running a crafted binary. | [email protected] | 7.5 | 0.83% | 2023-05-23 | 2025-01-31 |
| CVE-2023-27119 | WebAssembly v1.0.29 was discovered to contain a segmentation fault via the component wabt::Decompiler::WrapChild. | [email protected] | 5.5 | 0.28% | 2023-03-10 | 2025-02-28 |
| CVE-2023-27117 | WebAssembly v1.0.29 was discovered to contain a heap overflow via the component component wabt::Node::operator. | [email protected] | 7.8 | 0.32% | 2023-03-10 | 2024-11-21 |
| CVE-2023-27116 | WebAssembly v1.0.29 discovered to contain an abort in CWriter::MangleType. | [email protected] | 5.5 | 0.29% | 2023-03-10 | 2024-11-21 |