PatchSiren

Vinchin CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM Vinchin CVE published 2026-07-09

CVE-2026-60095

CVE-2026-60095 is a stack buffer overflow vulnerability in Vinchin Backup & Recovery through 9.0.0.86562. The vulnerability exists in the ModuleHandShake function of the agentlink_server service, allowing unauthenticated remote attackers to overwrite the saved return address by supplying an oversized _listen_uuid field. This can lead to process crashes or potential control flow hijacks. Users of Vinchin B [truncated]

MEDIUM Vinchin CVE published 2026-07-09

CVE-2026-60094

CVE-2026-60094 is a heap buffer overflow vulnerability in Vinchin Backup & Recovery through 9.0.0.86562. The vulnerability allows unauthenticated remote attackers to cause process crash or memory corruption by sending a malformed TCP packet with an unchecked body_len field to the agentlink_server service. This issue has a significant impact on network-based services and requires immediate attention to pre [truncated]