Regarding CVE-2026-25926 fix #17524
Description
if (doesPathExist(path.c_str()))
{
wchar_t cmdStr[1024] = {};
if (getNodeType(selectedNode) == browserNodeType_file)
wsprintf(cmdStr, L"explorer /select,\"%s\"", path.c_str());
else
wsprintf(cmdStr, L"explorer \"%s\"", path.c_str());
Command cmd(cmdStr);
Unless it was rearchitected entirely (to not use cmdStr fixed buffer), this code still has a potential buffer overflow by doing wsprintf with path longer than 1024 chars — wsprintf has no buffer overflow checks.
On a side note, the explorer.exe path should not be hardcoded anyway and shouldn't be launched like that — you should use SHOpenFolderAndSelectItems, minimal example:
HRESULT SelectItemInExplorer(const std::wstring& filePath)
{
PIDLIST_ABSOLUTE pidlItem = nullptr;
HRESULT hr = S_OK;
hr = SHParseDisplayName(filePath.c_str(), nullptr, &pidlItem, 0, nullptr);
if (SUCCEEDED(hr)) {
hr = SHOpenFolderAndSelectItems(pidlItem, 0, nullptr, 0);
CoTaskMemFree(pidlItem);
}
return hr;
}