2019 Security Vulnerability Report
CVE Statistics for 2019

There were 16228 security vulnerabilities (CVEs) published in 2019. In 2018 there were 13182.

The average severity was 7.3 out of 10, which was about the same as in 2018.

Products & Vendors with the most security vulnerabilities published in 2019 Vulnerabilities may exist in multiple products or vendors

By Product

Red Hat Enterprise Linux (RHEL)

293 vulnerabilities in 2019

#18

Red Hat Enterprise Linux Server

285 vulnerabilities in 2019

#19

Red Hat Enterprise Linux Workstation

275 vulnerabilities in 2019

By Vendor

By Weakness

#1

XSS

The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

1879

11.6%

#2

Memory Corruption

The software writes data past the end, or before the beginning, of the intended buffer. Typically, this can result in corruption of data, a crash, or code execution. The software may modify an index or perform pointer arithmetic that references a memory location that is outside of the boundaries of the buffer. A subsequent write operation then produces undefined or unexpected results.

1072

6.6%

#3

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

857

5.3%

#4

Out-of-bounds Read

The software reads data past the end, or before the beginning, of the intended buffer. Typically, this can allow attackers to read sensitive information from other memory locations or cause a crash. A crash can occur when the code reads a variable amount of data and assumes that a sentinel exists to stop the read operation, such as a NUL in a string. The expected sentinel might not be located in the out-of-bounds memory, causing excessive data to be read, leading to a segmentation fault or a buffer overflow. The software may modify an index or perform pointer arithmetic that references a memory location that is outside of the boundaries of the buffer. A subsequent read operation then produces undefined or unexpected results.

844

5.2%

#5

Information Disclosure

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

573

3.5%

#6

Buffer Overflow

The software performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.

542

3.3%

#7

Dangling pointer

Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.

504

3.1%

#8

SQL Injection

The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.

445

2.7%

#9

Session Riding

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request. When a web server is designed to receive a request from a client without any mechanism for verifying that it was intentionally sent, then it might be possible for an attacker to trick a client into making an unintentional request to the web server which will be treated as an authentic request. This can be done via a URL, image load, XMLHttpRequest, etc. and can result in exposure of data or unintended code execution.

419

2.6%

#10

Directory traversal

The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

396

2.4%

#11

Shell injection

The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

331

2.0%

#12

NULL Pointer Dereference

A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit. NULL pointer dereference issues can occur through a number of flaws, including race conditions, and simple programming omissions.

219

1.3%

#13

authentification

When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.

219

1.3%

#14

Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. When a resource is given a permissions setting that provides access to a wider range of actors than required, it could lead to the exposure of sensitive information, or the modification of that resource by unintended parties. This is especially dangerous when the resource is related to program configuration, execution or sensitive user data.

182

1.1%

#15

Unrestricted File Upload

The software allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment.

182

1.1%

#16

AuthZ

The software does not perform an authorization check when an actor attempts to access a resource or perform an action.

175

1.1%

#17

Insufficiently Protected Credentials

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

154

0.9%

#18

Code Injection

The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

142

0.9%

#19

Integer Overflow or Wraparound

The software performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control. An integer overflow or wraparound occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may wrap to become a very small or negative number. While this may be intended behavior in circumstances that rely on wrapping, it can have security consequences if the wrap is unexpected. This is especially the case if the integer overflow can be triggered using user-supplied inputs. This becomes security-critical when the result is used to control looping, make a security decision, or determine the offset or size in behaviors such as memory allocation, copying, concatenation, etc.

141

0.9%

#20

Improper Privilege Management

The software does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

132

0.8%

#21

Missing Authentication for Critical Function

The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

130

0.8%

#22

XXE

The software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

124

0.8%

#23

Resource Exhaustion

The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

123

0.8%

#24

Marshaling, Unmarshaling

The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

117

0.7%

#25

Memory Leak

The software does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory. This is often triggered by improper handling of malformed data or unexpectedly interrupted sessions. In some languages, developers are responsible for tracking memory allocation and releasing the memory. If there are no more pointers or references to the memory, then it can no longer be tracked and identified for release.

112

0.7%

By Category

Atlassian Jira

21 vulnerabilities in 2019

Fortinet FortiOS

19 vulnerabilities in 2019

ISC BIND

18 vulnerabilities in 2019

Content Management

Joomla

29 vulnerabilities in 2019

WordPress

22 vulnerabilities in 2019

Adobe Experience Manager

19 vulnerabilities in 2019

Database

Oracle MySQL

140 vulnerabilities in 2019

Oracle Database Server

25 vulnerabilities in 2019

SQLite

18 vulnerabilities in 2019

Desktop Software

Apple iTunes

93 vulnerabilities in 2019

Microsoft Office

58 vulnerabilities in 2019

Mozilla Thunderbird

58 vulnerabilities in 2019

Development Tools

Jenkins

21 vulnerabilities in 2019

Microsoft Visual Studio

4 vulnerabilities in 2019

Microsoft Visual Studio Code

1 vulnerability in 2019

DevOps

GitLab

164 vulnerabilities in 2019

Kubernetes

13 vulnerabilities in 2019

Docker

8 vulnerabilities in 2019

Email

Microsoft Exchange Server

12 vulnerabilities in 2019

Exim

4 vulnerabilities in 2019

Front End Libraries

AngularJS

1 vulnerability in 2019

jQuery

1 vulnerability in 2019

Java Application Servers

Oracle Weblogic Server

40 vulnerabilities in 2019

IBM WebSphere Application Server

18 vulnerabilities in 2019

Adobe ColdFusion

10 vulnerabilities in 2019

Java Libraries

FasterXML Jackson Databind

21 vulnerabilities in 2019

Libraries

Microsoft ChakraCore

71 vulnerabilities in 2019

OpenSSL

7 vulnerabilities in 2019

Google Tensorflow

7 vulnerabilities in 2019

Operating Systems

Debian Linux

1000 vulnerabilities in 2019

Canonical Ubuntu Linux

669 vulnerabilities in 2019

Google Android

491 vulnerabilities in 2019

Runtime Environments

PHP

30 vulnerabilities in 2019

Oracle GraalVM

16 vulnerabilities in 2019

Python

15 vulnerabilities in 2019

Server Software

Microsoft Sharepoint Server

33 vulnerabilities in 2019

Microsoft Sharepoint Enterprise Server

32 vulnerabilities in 2019

OpenBSD OpenSSH

5 vulnerabilities in 2019

Virtualization

Oracle VM VirtualBox

64 vulnerabilities in 2019

QEMU

15 vulnerabilities in 2019

Web Application Framework

Django Project Django

10 vulnerabilities in 2019

Microsoft ASP.NET Core

6 vulnerabilities in 2019

Web Applications

Apple iCloud

93 vulnerabilities in 2019

Web Browsers

Google Chrome

300 vulnerabilities in 2019

Apple Safari

166 vulnerabilities in 2019

Mozilla Firefox

108 vulnerabilities in 2019

Web Servers

Apache HTTP Server

14 vulnerabilities in 2019

2019 Known Exploited Vulnerabilities

These vulnerabilities may be considered some of the most dangerous vulnerabilities of 2019, because they are both known to have been exploited and have a high severity score. In fact one vulnerability scored the highest possible CVSS base score, of 10.

10.0

Mozilla Firefox and Thunderbird Sandbox Escape Vulnerability
CVE-2019-11708 vulnerability in Firefox and Thunderbird, disclosed on July 23, 2019

9.9

MongoDB mongo-express Remote Code Execution Vulnerability
CVE-2019-10758 vulnerability in mongo-express, disclosed on December 24, 2019

9.9

Jenkins Matrix Project Plugin Remote Code Execution Vulnerability
CVE-2019-1003030 vulnerability in Matrix Project Plugin, disclosed on March 8, 2019

9.9

Jenkins Script Security Plugin Sandbox Bypass Vulnerability
CVE-2019-1003029 vulnerability in Script Security Plugin, disclosed on March 8, 2019

9.8

Remote code execution via Widget Connector macro Vulnerability
CVE-2019-3396 vulnerability in Atlassian Confluence Server, disclosed on March 25, 2019

9.8

Webmin Command Injection Vulnerability
CVE-2019-15107 vulnerability in Webmin, disclosed on August 16, 2019

9.8

May 2019:
CVE-2019-0708 vulnerability in Remote Desktop Services, disclosed on May 16, 2019

9.8

Citrix Application Delivery Controller and Citrix Gateway Vulnerability
CVE-2019-19781 vulnerability in Application Delivery Controller (ADC) and Gateway, disclosed on December 27, 2019

9.8

Synacor Zimbra Collaboration Suite Improper Restriction of XML External Entity Reference
CVE-2019-9670 vulnerability in Zimbra Collaboration Suite, disclosed on May 29, 2019

9.8

Kibana Arbitrary Code Execution
CVE-2019-7609 vulnerability in Kibana, disclosed on March 25, 2019

9.8

Mar 2019:
CVE-2019-0604 vulnerability in SharePoint, disclosed on March 5, 2019

9.8

vBulletin PHP Module Remote Code Execution Vulnerability
CVE-2019-16759 vulnerability in vBulletin, disclosed on September 24, 2019

9.8

Nostromo nhttpd Directory Traversal Vulnerability
CVE-2019-16278 vulnerability in nhttpd, disclosed on October 14, 2019

9.8

Atlassian Crowd and Crowd Data Center Remote Code Execution Vulnerability
CVE-2019-11580 vulnerability in Crowd and Crowd Data Center, disclosed on June 3, 2019

9.8

D-Link Multiple Routers Command Injection Vulnerability
CVE-2019-16920 vulnerability in Multiple Routers, disclosed on September 27, 2019

9.8

Sonatype Nexus Repository Manager Incorrect Access Control Vulnerability
CVE-2019-7238 vulnerability in Nexus Repository Manager, disclosed on March 21, 2019

9.8

Atlassian Jira Server and Data Center Server-Side Template Injection Vulnerability
CVE-2019-11581 vulnerability in Jira Server and Data Center, disclosed on August 9, 2019

9.8

Crestron Multiple Products Command Injection Vulnerability
CVE-2019-3929 vulnerability in Multiple Products, disclosed on April 30, 2019

9.8

QNAP Photo Station Improper Access Control Vulnerability
CVE-2019-7192 vulnerability in Photo Station, disclosed on December 5, 2019

9.8

Nice Linear eMerge E3-Series OS Command Injection Vulnerability
CVE-2019-7256 vulnerability in Linear eMerge E3-Series, disclosed on July 2, 2019

9.8

QNAP Photo Station Path Traversal Vulnerability
CVE-2019-7195 vulnerability in Photo Station, disclosed on December 5, 2019

9.8

QNAP Photo Station Path Traversal Vulnerability
CVE-2019-7194 vulnerability in Photo Station, disclosed on December 5, 2019

9.8

Kentico Xperience Deserialization of Untrusted Data Vulnerability
CVE-2019-10068 vulnerability in Xperience, disclosed on March 26, 2019

9.8

D-Link DNS-320 Remote Code Execution Vulnerability
CVE-2019-16057 vulnerability in DNS-320 Storage Device, disclosed on September 16, 2019

9.8

Zyxel P660HN-T1A Routers Command Injection Vulnerability
CVE-2017-18368 vulnerability in P660HN-T1A Routers, disclosed on May 2, 2019

9.8

Progress Telerik UI for ASP.NET deserialization bug
CVE-2019-18935 vulnerability in ASP.NET AJAX, disclosed on December 11, 2019

9.8

D-Link DIR-859 Router Command Execution Vulnerability
CVE-2019-17621 vulnerability in DIR-859 Router, disclosed on December 30, 2019

9.8

VMware ESXi/Horizon DaaS Appliances Heap-Overwrite Vulnerability
CVE-2019-5544 vulnerability in ESXi, Horizon DaaS Appliances, disclosed on December 6, 2019

9.8

Citrix SD-WAN and NetScaler SQL Injection Vulnerability
CVE-2019-12989 vulnerability in SD-WAN and NetScaler, disclosed on July 16, 2019

9.8

LG N1A1 NAS Remote Command Execution Vulnerability
CVE-2018-14839 vulnerability in N1A1 NAS, disclosed on May 14, 2019

9.8

Exim Out-of-bounds Write Vulnerability
CVE-2019-16928 vulnerability in Exim Internet Mailer, disclosed on September 27, 2019

9.8

Kaseya VSA SQL Injection Vulnerability
CVE-2017-18362 vulnerability in Virtual System/Server Administrator (VSA), disclosed on February 5, 2019

9.8

Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability
CVE-2019-9874 vulnerability in CMS and Experience Platform (XP), disclosed on May 31, 2019

9.8

SIMalliance Toolbox (S@T) Browser Command and Control Vulnerability
CVE-2019-16256 vulnerability in SIMalliance Toolbox (S@T) Browser, disclosed on September 12, 2019

9.8

Ubiquiti AirOS Command Injection Vulnerability
CVE-2010-5330 vulnerability in AirOS, disclosed on June 11, 2019

9.8

Citrix Workspace (for Windows) Prior to 1904 Improper Access Control
CVE-2019-11634 vulnerability in Workspace (for Windows), disclosed on May 22, 2019

9.8

Schneider Electric U.motion Builder SQL Injection Vulnerability
CVE-2018-7841 vulnerability in U.motion Builder, disclosed on May 22, 2019

9.8

WhatsApp VOIP Stack Buffer Overflow Vulnerability
CVE-2019-3568 vulnerability in WhatsApp, disclosed on May 14, 2019

9.8

Kaseya VSA Remote Code Execution Vulnerability
CVE-2018-20753 vulnerability in Virtual System/Server Administrator (VSA), disclosed on February 5, 2019

9.8

SAP Commerce Cloud Deserialization of Untrusted Data Vulnerability
CVE-2019-0344 vulnerability in Commerce Cloud, disclosed on August 14, 2019

9.8

Sangoma FreePBX Improper Authentication Vulnerability
CVE-2019-19006 vulnerability in FreePBX, disclosed on November 21, 2019

9.8

QNAP QTS Improper Input Validation Vulnerability
CVE-2019-7193 vulnerability in QTS, disclosed on December 5, 2019

9.1

Fortinet FortiOS SSL VPN credential exposure vulnerability
CVE-2018-13379 vulnerability in FortiOS, disclosed on June 4, 2019

9.1

Fortinet FortiOS and FortiProxy Improper Authorization
CVE-2018-13382 vulnerability in FortiOS and FortiProxy, disclosed on June 4, 2019

8.8

ThinkPHP Remote Code Execution Vulnerability
CVE-2019-9082 vulnerability in ThinkPHP, disclosed on February 24, 2019

8.8

Atlassian Confluence Path Traversal Vulnerability
CVE-2019-3398 vulnerability in Confluence, disclosed on April 18, 2019

8.8

Google Chrome Use-After-Free Vulnerability
CVE-2019-13720 vulnerability in Chrome, disclosed on November 25, 2019

8.8

Nagios XI Remote Code Execution Vulnerability
CVE-2019-15949 vulnerability in Nagios XI, disclosed on September 5, 2019

8.8

Mozilla Firefox and Thunderbird Type Confusion Vulnerability
CVE-2019-11707 vulnerability in Firefox and Thunderbird, disclosed on July 23, 2019

8.8

Citrix SD-WAN and NetScaler Command Injection Vulnerability
CVE-2019-12991 vulnerability in SD-WAN and NetScaler, disclosed on July 16, 2019

8.8

Jan 2019:
CVE-2019-0541 vulnerability in MSHTML engine, disclosed on January 8, 2019

8.8

Trend Micro Antivirus 0day Traversal Vulnerability
CVE-2019-18187 vulnerability in Trend Micro OfficeScan, disclosed on October 28, 2019

8.8

Oracle Solaris Privilege Escalation Vulnerability
CVE-2019-3010 vulnerability in Solaris, disclosed on October 16, 2019

8.8

May 2019:
CVE-2019-0903 vulnerability in Graphics Device Interface (GDI), disclosed on May 16, 2019

8.8

Sep 2019:
CVE-2019-1297 vulnerability in Excel, disclosed on September 11, 2019

8.8

Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability
CVE-2019-9875 vulnerability in CMS and Experience Platform (XP), disclosed on May 31, 2019

8.8

Apple Multiple Products Type Confusion Vulnerability
CVE-2019-8506 vulnerability in Multiple Products, disclosed on December 18, 2019

8.8

Sierra Wireless AirLink ALEOS Unrestricted Upload of File with Dangerous Type Vulnerability
CVE-2018-4063 vulnerability in AirLink ALEOS, disclosed on May 6, 2019

8.7

PHP FastCGI Process Manager (FPM) Buffer Overflow Vulnerability
CVE-2019-11043 vulnerability in FastCGI Process Manager (FPM), disclosed on October 28, 2019

8.1

Drupal Core Remote Code Execution Vulnerability
CVE-2019-6340 vulnerability in Core, disclosed on February 21, 2019

8.1

Palo Alto Networks PAN-OS Remote Code Execution Vulnerability
CVE-2019-1579 vulnerability in PAN-OS, disclosed on July 19, 2019

7.8

Adobe Flash Player Use-After-Free Vulnerability
CVE-2018-15982 vulnerability in Flash Player, disclosed on January 18, 2019

7.8

WinRAR Absolute Path Traversal Vulnerability
CVE-2018-20250 vulnerability in WinRAR, disclosed on February 5, 2019

7.8

Dec 2019:
CVE-2019-1458 vulnerability in Win32k, disclosed on December 10, 2019

7.8

Apr 2019:
CVE-2019-0803 vulnerability in Win32k, disclosed on April 9, 2019

7.8

Apache HTTP Server scoreboard vulnerability
CVE-2019-0211 vulnerability in HTTP Server, disclosed on April 8, 2019

7.8

Apr 2019:
CVE-2019-0841 vulnerability in Windows, disclosed on April 9, 2019

7.8

Linux Kernel Improper Privilege Management Vulnerability
CVE-2019-13272 vulnerability in Kernel, disclosed on July 17, 2019

7.8

Apr 2019:
CVE-2019-0808 vulnerability in Windows, disclosed on April 9, 2019

7.8

Nov 2019:
CVE-2019-1405 vulnerability in Windows, disclosed on November 12, 2019

7.8

Android "AbstractEmu" Root Access Vulnerabilities
CVE-2019-2215 vulnerability in Android OS, disclosed on October 11, 2019

7.8

Docker Desktop Community Edition Privilege Escalation Vulnerability
CVE-2019-15752 vulnerability in Desktop Community Edition, disclosed on August 28, 2019

7.8

Oct 2019:
CVE-2019-1322 vulnerability in Windows, disclosed on October 10, 2019

7.8

Jul 2019:
CVE-2019-1132 vulnerability in Win32k, disclosed on July 15, 2019

7.8

Jun 2019: Task Scheduler Elevation of Privilege Vulnerability
CVE-2019-1069 vulnerability in Task Scheduler, disclosed on June 12, 2019

7.8

Sep 2019:
CVE-2019-1253 vulnerability in Windows, disclosed on September 11, 2019

7.8

Microsoft Windows Privilege Escalation Vulnerability
CVE-2019-0543 vulnerability in Windows, disclosed on January 8, 2019

7.8

Apple Multiple Products Use-After-Free Vulnerability
CVE-2019-8605 vulnerability in Multiple Products, disclosed on December 18, 2019

7.8

Jun 2019: Windows Elevation of Privilege Vulnerability
CVE-2019-1064 vulnerability in Windows, disclosed on June 12, 2019

7.8

Apr 2019:
CVE-2019-0859 vulnerability in Win32k, disclosed on April 9, 2019

7.8

Sep 2019:
CVE-2019-1215 vulnerability in Windows, disclosed on September 11, 2019

7.8

Oct 2019:
CVE-2019-1315 vulnerability in Windows, disclosed on October 10, 2019

7.8

Nov 2019:
CVE-2019-1388 vulnerability in Windows, disclosed on November 12, 2019

7.8

May 2019:
CVE-2019-0863 vulnerability in Windows, disclosed on May 16, 2019

7.8

Apr 2019:
CVE-2019-0797 vulnerability in Win32k, disclosed on April 9, 2019

7.8

Apple iOS Memory Corruption Vulnerability
CVE-2019-7287 vulnerability in iOS, disclosed on December 18, 2019

7.8

Jul 2019:
CVE-2019-0880 vulnerability in Windows, disclosed on July 15, 2019

7.8

Sep 2019:
CVE-2019-1214 vulnerability in Windows, disclosed on September 11, 2019

7.8

Jul 2019:
CVE-2019-1129 vulnerability in Windows, disclosed on July 15, 2019

7.8

Apple Multiple Products Memory Corruption Vulnerability
CVE-2019-7286 vulnerability in Multiple Products, disclosed on December 18, 2019

7.8

Jul 2019:
CVE-2019-1130 vulnerability in Windows, disclosed on July 15, 2019

7.8

Apple macOS Use-After-Free Vulnerability
CVE-2019-8526 vulnerability in macOS, disclosed on December 18, 2019

7.8

Nov 2019:
CVE-2019-1385 vulnerability in Windows, disclosed on November 12, 2019

7.8

Apple Multiple Products Memory Corruption Vulnerability
CVE-2018-4344 vulnerability in Multiple Products, disclosed on April 3, 2019

7.5

Apache Solr 5.0.0-8.3.1 Remote Code Execution Vulnerability
CVE-2019-17558 vulnerability in Solr, disclosed on December 30, 2019

7.5

SonicWall SMA100 9.0.0.3 and Earlier SQL Injection
CVE-2019-7481 vulnerability in SMA100, disclosed on December 17, 2019

7.5

Rails Ruby on Rails Path Traversal Vulnerability
CVE-2019-5418 vulnerability in Ruby on Rails, disclosed on March 27, 2019

7.5

TVT NVMS-1000 Directory Traversal
CVE-2019-20085 vulnerability in NVMS-1000, disclosed on December 30, 2019

7.5

Synacor Zimbra Collaboration Suite (ZCS) Server-Side Request Forgery (SSRF) Vulnerability
CVE-2019-9621 vulnerability in Zimbra Collaboration Suite (ZCS), disclosed on April 30, 2019

7.5

Apr 2019:
CVE-2019-0752 vulnerability in Internet Explorer, disclosed on April 9, 2019

Report Last Updated: February 14, 2026

Error

Lucee [5.4.3.2] - Error (Expression)

Message

request [/stats/report.cfm (/web/stack.watch/www/web/stats/report.cfm)] has run into a timeout (timeout: [30] seconds) and has been stopped. The thread started [30340] ms ago.

Java Stacktrace

lucee.runtime.exp.RequestTimeoutException: request [/stats/report.cfm (/web/stack.watch/www/web/stats/report.cfm)] has run into a timeout (timeout: [30] seconds) and has been stopped. The thread started [30340] ms ago.

at java.base/java.lang.Thread.getStackTrace(Thread.java:1602)

at lucee.runtime.CFMLFactoryImpl.createRequestTimeoutException(CFMLFactoryImpl.java:723)

at lucee.runtime.util.PageContextUtil.checkRequestTimeout(PageContextUtil.java:247)

at lucee.runtime.PageContextImpl._doInclude(PageContextImpl.java:946)

at lucee.runtime.PageContextImpl.doInclude(PageContextImpl.java:929)

at lucee.runtime.PageContextImpl.handlePageException(PageContextImpl.java:2113)

at lucee.runtime.PageContextImpl.handlePageException(PageContextImpl.java:2029)

at lucee.runtime.listener.ModernAppListener.onError(ModernAppListener.java:439)

at lucee.runtime.listener.MixedAppListener.onError(MixedAppListener.java:138)

at lucee.runtime.PageContextImpl.execute(PageContextImpl.java:2521)

at lucee.runtime.PageContextImpl._execute(PageContextImpl.java:2478)

at lucee.runtime.PageContextImpl.executeCFML(PageContextImpl.java:2449)

at lucee.runtime.engine.Request.exe(Request.java:45)

at lucee.runtime.engine.CFMLEngineImpl._service(CFMLEngineImpl.java:1216)

at lucee.runtime.engine.CFMLEngineImpl.serviceCFML(CFMLEngineImpl.java:1162)

at lucee.loader.engine.CFMLEngineWrapper.serviceCFML(CFMLEngineWrapper.java:97)

at lucee.loader.servlet.CFMLServlet.service(CFMLServlet.java:51)

at javax.servlet.http.HttpServlet.service(HttpServlet.java:590)

at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)

at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)

at org.cfmlprojects.regexpathinfofilter.RegexPathInfoFilter.doFilter(RegexPathInfoFilter.java:47)

at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:67)

at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)

at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)

at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)

at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)

at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)

at runwar.undertow.SSLClientCertHeaderHandler.handleRequest(SSLClientCertHeaderHandler.java:144)

at io.undertow.servlet.handlers.RedirectDirHandler.handleRequest(RedirectDirHandler.java:68)

at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)

at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:257)

at io.undertow.servlet.handlers.ServletInitialHandler.dispatchToPath(ServletInitialHandler.java:182)

at io.undertow.servlet.spec.RequestDispatcherImpl.forwardImpl(RequestDispatcherImpl.java:188)

at io.undertow.servlet.spec.RequestDispatcherImpl.forwardImplSetup(RequestDispatcherImpl.java:136)

at io.undertow.servlet.spec.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:99)

at org.tuckey.web.filters.urlrewrite.NormalRewrittenUrl.doRewrite(NormalRewrittenUrl.java:215)

at org.tuckey.web.filters.urlrewrite.RuleChain.handleRewrite(RuleChain.java:171)

at org.tuckey.web.filters.urlrewrite.RuleChain.doRules(RuleChain.java:145)

at org.tuckey.web.filters.urlrewrite.UrlRewriter.processRequest(UrlRewriter.java:92)

at org.tuckey.web.filters.urlrewrite.UrlRewriteFilter.doFilter(UrlRewriteFilter.java:405)