The version of GIMP installed on the remote macOS host is prior to 3.2.0. It is, therefore, affected by multiple vulnerabilities:

  - An integer overflow condition exists in PSD file parsing due to improper validation of user-supplied data. An     unauthenticated, local attacker can exploit this, via a specially crafted PSD file, to execute arbitrary code.
    (CVE-2026-4150)

  - An integer overflow condition exists in ANI file parsing due to improper validation of user-supplied data. An     unauthenticated, local attacker can exploit this, via a specially crafted ANI file, to execute arbitrary code.
    (CVE-2026-4151)

  - A heap-based buffer overflow condition exists in JP2 file parsing due to improper validation of the length of     user-supplied data. An unauthenticated, local attacker can exploit this, via a specially crafted JP2 file, to     execute arbitrary code. (CVE-2026-4152)

  - A heap-based buffer overflow condition exists in PSP file parsing due to improper validation of the length of     user-supplied data. An unauthenticated, local attacker can exploit this, via a specially crafted PSP file, to     execute arbitrary code. (CVE-2026-4153)

  - An integer overflow condition exists in XPM file parsing due to improper validation of user-supplied data. An     unauthenticated, local attacker can exploit this, via a specially crafted XPM file, to execute arbitrary code.
    (CVE-2026-4154)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Detections

Analytics

GIMP < 3.2.0 Multiple Vulnerabilities (macOS)

high Nessus Plugin ID 303973

Version 1.3

Version 1.2

Version 1.1

Version 1.3 Apr 13, 2026, 9:49 AM CVSSv3 score source (set to "CVE-2026-4154") Plugin Feed: 202604130949
Version 1.2 Mar 30, 2026, 12:37 PM CVSS temporal metrics ("CVSSv2 temporal vector" set to "CVSS2#E:U/RL:OF/RC:C") CVSS temporal metrics ("CVSSv3 temporal vector" set to "CVSS:3.0/E:U/RL:O/RC:C") Exploit attributes ("Exploit available" set to "False") Exploit attributes ("Exploitability ease" set to "No known exploits are available") Plugin Feed: 202603301237
Version 1.1 Mar 28, 2026, 12:01 PM New Plugin Feed: 202603281201