Cyber Posture

CVE-2019-25555

MediumPublic PoC

Published: 21 March 2026

Published
21 March 2026
Modified
24 March 2026
KEV Added
Patch
CVSS Score 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0002 4.5th percentile
Risk Priority 12 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2019-25555 is a medium-severity Incorrect Calculation of Buffer Size (CWE-131) vulnerability in Pixarra Twistedbrush Pro Studio. Its CVSS base score is 6.2 (Medium).

Operationally, ranked at the 4.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-11 (Error Handling).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly prevents the DoS by validating and rejecting excessively large inputs like the 500,000-character string in the Script Recorder Description field.

SI-9 Information Input Restrictions good match
prevent

Enforces restrictions on input quantity and size at application interfaces to block oversized buffers that crash the Script Recorder component.

SI-11 Error Handling good match
prevent

Ensures graceful error handling for invalid large buffers, preventing application crashes from improper buffer management in the Script Recorder.

NVD Description

TwistedBrush Pro Studio 24.06 contains a denial of service vulnerability in the Script Recorder component that allows local attackers to crash the application by supplying an excessively large buffer. Attackers can paste a malicious string containing 500,000 characters into the…

more

Description field of the Script Recorder dialog to trigger an application crash.

Deeper analysisAI

TwistedBrush Pro Studio 24.06 contains a denial of service vulnerability (CVE-2019-25555) in its Script Recorder component, stemming from improper handling of an excessively large buffer (CWE-131). Local attackers can trigger an application crash by pasting a malicious string of 500,000 characters into the Description field of the Script Recorder dialog. The vulnerability carries a CVSS v3.1 base score of 6.2 (AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating medium severity with high availability impact but no confidentiality or integrity effects.

The attack requires local access to the system running the affected software, with no privileges or user interaction needed beyond opening the Script Recorder dialog. Attackers can achieve a complete denial of service by causing the application to crash, potentially disrupting user workflows or legitimate operations dependent on TwistedBrush Pro Studio.

Advisories and related resources include a proof-of-concept exploit published on Exploit-DB (exploit ID 46844), a detailed advisory from Vulncheck on the TwistedBrush Pro Studio Script Recorder denial of service, and the vendor's site at pixarra.com. No specific patch or mitigation details are outlined in the available information.

Details

CWE(s)
CWE-131

Affected Products

pixarra
twistedbrush pro studio
24.06

CVEs Like This One

CVE-2026-20049Shared CWE-131
CVE-2025-1861Shared CWE-131
CVE-2026-20911Shared CWE-131
CVE-2026-1949Shared CWE-131
CVE-2025-66216Shared CWE-131
CVE-2024-11425Shared CWE-131
CVE-2024-8361Shared CWE-131
CVE-2026-33984Shared CWE-131
CVE-2026-29645Shared CWE-131
CVE-2026-1188Shared CWE-131

References