CVE-2005-3302

HIGH

Blender - Remote Code Execution via Malicious BVH File Hierarchy Element


Exploitation Summary

EIP tracks 1 public exploit for CVE-2005-3302. PoCs published by Joxean Koret.

AI-analyzed exploit summary: The provided text describes a Python code-execution vulnerability in Blender due to improper sanitization of user input in an 'eval' statement. It references external links to exploit examples but does not contain actual exploit code.

Description

Eval injection vulnerability in bvh_import.py in Blender 2.36 allows attackers to execute arbitrary Python code via a hierarchy element in a .bvh file, which is supplied to an eval function call.

Exploits (1)

exploitdb WRITEUP VERIFIED
by Joxean Koret · text · webapps · cgi
https://www.exploit-db.com/exploits/27728

Classification
Writeup: 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Theoretical
Target: Blender (version not specified)
No auth needed
Prerequisites: User interaction to load a malicious .bvh file
devstral-2 · analyzed Feb 16, 2026

References (4)

Core References
Broken Link third-party-advisory x_refsource_secunia
http://secunia.com/advisories/19754
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/17663
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2006/dsa-1039
Exploit, Mailing List, Third Party Advisory x_refsource_misc
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=330895

Scores

CVSS v3 7.3
EPSS 0.0388
EPSS Percentile 88.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-94
Status published
Products (2)
blender/blender 2.36
debian/debian_linux 3.1
Published Oct 24, 2005
Tracked Since Feb 18, 2026