[Japanese]

JVNDB-2026-000029

Multiple vulnerabilities in the installer of FinalCode Client

Overview

The installer of FinalCode Client provided by Digital Arts Inc. contains multiple vulnerabilities listed below.
  • Incorrect default permissions (CWE-276) - CVE-2026-23703
  • Uncontrolled search path element (CWE-427) - CVE-2026-25191
Kazuma Matsumoto of GMO Cybersecurity by IERAE, Inc. reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 7.8 (High) [IPA Score]
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
The above CVSS base scores have been assigned for CVE-2026-23703

CVSS v3 Severity
Base Metrics: 7.8(High) [IPA Score]
  • Access Vector : Local
  • Attack Complexity : Low
  • Privileges Required : None
  • User Interaction : Required
  • Scope : Unchanged
  • Confidentiality Impact : High
  • Integrity Impact : High
  • Availability Impact : High
The above CVSS base scores have been assigned for CVE-2026-25191
Affected Products


Digital Arts Inc.
  • FinalCode Ver.5 series versions prior to 5.43R01
  • FinalCode Ver.6 series versions prior to 6.51R01

Impact

  • A non-administrative user may execute arbitrary code with SYSTEM privilege (CVE-2026-23703)
  • If a user is directed to place a malicious DLL file and the installer to the same directory and execute the installer, arbitrary code may be executed with the installer's execution privilege (CVE-2026-25191)
Solution

[Use the latest installer]
The developer released the updated installers version 5.43R01 and 6.51R01 to fix the issues.
Use the latest installer to install the product.
Even when the product is already installed, you should re-install the product to fix the ACL of the installation directory.
Vendor Information

Digital Arts Inc.
CWE (What is CWE?)

  1. No Mapping(CWE-Other) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2026-23703
  2. CVE-2026-25191
References

  1. JVN : JVN#48498976
  2. JVN : JVNTA#91240916
Revision History

  • [2026/02/26]
      Web page was published

Date Public2026/02/26
Date First Published2026/02/26
Date Last Updated2026/02/26