Cyber Resilience

CVE-2025-15270

High

Published: 31 December 2025

Modified: 07 January 2026
CVSS Score v3: 8.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0058 (43.2nd percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2025-15270 is a high-severity Improper Validation of Array Index (CWE-129) vulnerability in FontForge. Its CVSS base score is 8.8 (High).

Operationally, it ranks at the 43.2nd percentile by exploit likelihood (EPSS), which is below the median; it is not currently listed in the CISA KEV catalog.

Vulnerability details

FontForge SFD File Parsing Improper Validation of Array Index Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of FontForge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of SFD files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated array. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-28563.

CVEs Like This One

CVE-2025-15271 (same product: Fontforge Fontforge)
CVE-2025-15273 (same product: Fontforge Fontforge)
CVE-2025-15272 (same product: Fontforge Fontforge)
CVE-2025-15274 (same product: Fontforge Fontforge)
CVE-2025-15275 (same product: Fontforge Fontforge)
CVE-2025-15269 (same product: Fontforge Fontforge)
CVE-2025-15280 (same product: Fontforge Fontforge)
CVE-2023-52987 (shared CWE-129)
CVE-2026-33281 (shared CWE-129)
CVE-2026-23447 (shared CWE-129)

Affected Assets

fontforge
fontforge
2025-11-17

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References