CVE-2026-3385

low-risk

Published 2026-03-01

A vulnerability was detected in wren-lang wren up to 0.4.0. Affected is the function resolveLocal of the file src/vm/wren_compiler.c. The manipulation results in uncontrolled recursion. Attacking locally is a requirement. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.

Do I need to act?

0.02% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 3.3/10 Low

LOCAL / LOW complexity

Affected Products (1)

Wren

Affected Vendors

Wren

References (6)

Exploit https://github.com/oneafter/0122/blob/main/i1218/repro

Product https://github.com/wren-lang/wren/

Exploit https://github.com/wren-lang/wren/issues/1218

Permissions Required https://vuldb.com/?ctiid.348271

Third Party Advisory https://vuldb.com/?id.348271

Third Party Advisory https://vuldb.com/?submit.761305

/ 100

low-risk

Severity 13/34 · Low

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal