swi-prolog CVE Vulnerabilities & Metrics

Focus on swi-prolog vulnerabilities and metrics.

Last updated: 16 Jan 2026, 23:25 UTC

About swi-prolog Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with swi-prolog. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

For a broader perspective on cybersecurity threats, explore the comprehensive list of CVEs by vendor and product. Stay updated on critical vulnerabilities affecting major software and hardware providers.

Global CVE Overview

Total swi-prolog CVEs: 2
Earliest CVE date: 19 Aug 2011, 17:55 UTC
Latest CVE date: 20 Nov 2025, 17:15 UTC

Latest CVE reference: CVE-2025-63848

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 1

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): -100.0%
Year Variation (Calendar): 0%

Month Growth Rate (30-day Rolling): -100.0%
Year Growth Rate (365-day Rolling): 0.0%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical swi-prolog CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 5.38

Max CVSS: 7.5

Critical CVEs (≥9): 0

CVSS Range vs. Count

Range	Count
0.0-3.9	1
4.0-6.9	2
7.0-8.9	2
9.0-10.0	0

CVSS Distribution Chart

Top 5 Highest CVSS swi-prolog CVEs

These are the five CVEs with the highest CVSS scores for swi-prolog, sorted by severity first and recency.

CVE-2012-6090 swi-prolog Published on 04 Jan 2013, 11:52 UTC (CVSS: 7.5)
Multiple stack-based buffer overflows in the expand function in os/pl-glob.c in SWI-Prolog before 6.2.5 and 6.3.x before 6.3.7 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted filename.
CVE-2012-6089 swi-prolog Published on 04 Jan 2013, 11:52 UTC (CVSS: 7.5)
Multiple stack-based buffer overflows in the canoniseFileName function in os/pl-os.c in SWI-Prolog before 6.2.5 and 6.3.x before 6.3.7 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted filename.
CVE-2017-17524 swi-prolog Published on 14 Dec 2017, 16:29 UTC (CVSS: 6.8)
library/www_browser.pl in SWI-Prolog 7.2.3 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL.
CVE-2011-2896 swi-prolog Published on 19 Aug 2011, 17:55 UTC (CVSS: 5.1)
The LZW decompressor in the LWZReadByte function in giftoppm.c in the David Koblas GIF decoder in PBMPLUS, as used in the gif_read_lzw function in filter/image-gif.c in CUPS before 1.4.7, the LZWReadByte function in plug-ins/common/file-gif-load.c in GIMP 2.6.11 and earlier, the LZWReadByte function in img/gifread.c in XPCE in SWI-Prolog 5.10.4 and earlier, and other products, does not properly...
CVE-2025-63848 swi-prolog Published on 20 Nov 2025, 17:15 UTC (CVSS: 0)
Stored cross site scripting (xss) vulnerability in SWISH prolog thru 2.2.0 allowing attackers to execute arbitrary code via crafted web IDE notebook.

All CVEs for swi-prolog

CVE-2025-63848 swi-prolog vulnerability CVSS: 0 20 Nov 2025, 17:15 UTC

Stored cross site scripting (xss) vulnerability in SWISH prolog thru 2.2.0 allowing attackers to execute arbitrary code via crafted web IDE notebook.

CVE-2017-17524 swi-prolog vulnerability CVSS: 6.8 14 Dec 2017, 16:29 UTC

library/www_browser.pl in SWI-Prolog 7.2.3 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL.

CVE-2012-6090 swi-prolog vulnerability CVSS: 7.5 04 Jan 2013, 11:52 UTC

Multiple stack-based buffer overflows in the expand function in os/pl-glob.c in SWI-Prolog before 6.2.5 and 6.3.x before 6.3.7 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted filename.

CVE-2012-6089 swi-prolog vulnerability CVSS: 7.5 04 Jan 2013, 11:52 UTC

Multiple stack-based buffer overflows in the canoniseFileName function in os/pl-os.c in SWI-Prolog before 6.2.5 and 6.3.x before 6.3.7 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted filename.

CVE-2011-2896 swi-prolog vulnerability CVSS: 5.1 19 Aug 2011, 17:55 UTC

The LZW decompressor in the LWZReadByte function in giftoppm.c in the David Koblas GIF decoder in PBMPLUS, as used in the gif_read_lzw function in filter/image-gif.c in CUPS before 1.4.7, the LZWReadByte function in plug-ins/common/file-gif-load.c in GIMP 2.6.11 and earlier, the LZWReadByte function in img/gifread.c in XPCE in SWI-Prolog 5.10.4 and earlier, and other products, does not properly handle code words that are absent from the decompression table when encountered, which allows remote attackers to trigger an infinite loop or a heap-based buffer overflow, and possibly execute arbitrary code, via a crafted compressed stream, a related issue to CVE-2006-1168 and CVE-2011-2895.