Ok, I feel like I need to say something, this kind of bad practice has to stop.
Let me introduce myself, I am yamashi the creator of Cyber Engine Tweaks.
I wasn't planing on saying anything but since we, the modders, are getting blamed for this, I can't just stand on the sidelines and take it.
What CDPR posted above is WRONG, it isn't caused by an external DLL, the vulnerability is caused by a buffer overflow in a function they use to load strings, this function is used more than 100 times in the game, it is used to load the save games, the archive assets and other parts that we haven't investigated. This is 100% CDPR's fault, it isn't anybody else's fault. This is caused by a lack of proper unit testing.
What happened to owning up to your mistakes CDPR? Not only did PixelRick communicate this a week ago and you didn't do anything (this should have been hotfixed a few hours after you knew about it), but then you go public lying about the nature of the vulnerability so that modders take the fall for this? What we do, we do for free, we aren't your scapegoat, and this is definitely on you. The fact that we redirect the buffer overflow to xinput because it doesn't have ASLR does not mean that it's xinput's fault, we shouldn't be able to access xinput in the first place.
Just so you know everyone this isn't just a PC issue, every platform is affected.
It has been exploited to gain access to Geforce NOW already, maybe you should explain to NVIDIA how it is not your fault CDPR, I am not sure that's going to work once they audit the exe.