Aggregates CVE and security vulnerability intelligence across all zlmediakit-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Disclosed issues often relate to cross-site scripting, path handling, and buffer overflows; exposure may include memory corruption in production workloads.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2026-35203 | ZLMediaKit is a streaming media service framework. The VP9 RTP payload parser in ext-codec/VP9Rtp.cpp reads multiple fields from the RTP payload based on flag bits in the first byte, without verifying that sufficient data exists in the buffer. A crafted VP9 RTP packet with a 1-byte payload (0xFF, all flags set) causes the parser to read past the end of the allocated buffer, resulting in a heap-buffer-overflow. This vulnerability is fixed with commit 435dcbcbbf700fd63b2ca9eac6cef3b5ea75169d. | [email protected] | 7.5 | 0.05% | 2026-04-06 | 2026-04-16 |
| CVE-2023-39067 | Cross Site Scripting vulnerability in ZLMediaKit v.4.0 and v.5.0 allows an attacker to execute arbitrary code via a crafted script to the URL. | [email protected] | 6.1 | 0.13% | 2023-09-11 | 2024-11-21 |
| CVE-2023-31861 | ZLMediaKit 4.0 is vulnerable to Directory Traversal. | [email protected] | 7.5 | 1.25% | 2023-05-25 | 2025-01-16 |
| CVE-2022-37237 | An attacker can send malicious RTMP requests to make the ZLMediaKit server crash remotely. Affected version is below commit 7d8b212a3c3368bc2f6507cb74664fc419eb9327. | [email protected] | 7.5 | 0.27% | 2022-08-30 | 2024-11-21 |