CVE-2026-36574: A DLL hijacking vulnerability in Wassimulator (GitHub) CactusViewer v2
A DLL hijacking vulnerability in Wassimulator (GitHub) CactusViewer v2.3.0 allows attackers to escalate privileges and execute arbitrary code via a crafted DLL.
Metrics
- CVSS v3.1: 7.8
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A DLL hijacking vulnerability in CactusViewer v2.3.0 (by Wassimulator on GitHub) allows an attacker to plant a crafted DLL file that the application loads in place of a legitimate one. The attack is local and requires no prior authentication, but it does require the victim to launch the application. Successful exploitation gives the attacker full code execution with escalated privileges, as well as complete access to read, modify, and disrupt data on the affected host. HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.
HarborGuard Coverage
Detection for CVE-2026-36574 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built ones that bundle CactusViewer v2.3.0. Any image in a connected registry or CI pipeline that includes the affected binary is flagged automatically.
Available
HarborGuard is capable of scoring this finding at CVSS 7.8 HIGH and weighting it against each environment's compliance policy to determine urgency. Triage routing is available to direct the alert to the appropriate team inbox within each customer organization based on image ownership and policy configuration.
Available
No fix version has been published for CVE-2026-36574; HarborGuard re-checks the upstream advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix is released. For customers with auto-remediation enabled, the rebuilt image, a regression test run, and a PR opened against affected workloads will be triggered without manual intervention.
Pending upstream
Exploit Conditions
- Network reachability: Not required
  The attacker needs an existing shell or process on the host; no network exposure is required.
- Authentication: Not required
  No account or credentials are needed before planting the crafted DLL.
- Victim interaction: Required
  The victim must launch CactusViewer, making this a social-engineering or file-delivery scenario where the attacker pre-positions the malicious DLL.
- Attack complexity: Detail
  The exploit is reliable and condition-free; no race conditions or special memory layout are required.
Blast Radius
- Executes arbitrary code in the context of the user who launches CactusViewer, with escalated privileges if the application runs with elevated rights.
- Reads any files or secrets accessible to the hijacked process, including stored credentials and local application data.
- Modifies or deletes files and data on the host that the process has write access to.
- Crashes or disrupts the host application and any dependent services running under the same privilege context.
How HarborGuard Handles This
Available on HarborGuard: continuous monitoring of the CVE-2026-36574 advisory with re-evaluation on every ingest cycle so a patched-image rebuild becomes available the moment Wassimulator publishes a fix. While no upstream patch exists, compensating controls are available to reduce exposure: network-policy isolation to limit what a compromised container can reach, egress filtering to prevent outbound callbacks from a hijacked process, and feature-flag or entrypoint gating to prevent CactusViewer from running in production container images where it is not strictly needed. For customers with auto-remediation enabled, the full rebuild-and-PR flow will trigger automatically once a fix version is published, with median time from CVE publication to merged patch PR for high-severity issues around 90 minutes in those environments.
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H