2019 Security Vulnerability Report
CVE Statistics for 2019
There were 16225 security vulnerabilities (CVEs) published in 2019. In 2018 there were 13177.
The average severity was 7.3 out of 10, which was about the same as in 2018.
The average severity was 7.3 out of 10, which was about the same as in 2018.
Products & Vendors with the most security vulnerabilities published in 2019 Vulnerabilities may exist in multiple products or vendors
By Product
By Vendor
By Weakness
#1
XSS
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
1877
#2
Memory Corruption
The software writes data past the end, or before the beginning, of the intended buffer. Typically, this can result in corruption of data, a crash, or code execution. The software may modify an index or perform pointer arithmetic that references a memory location that is outside of the boundaries of the buffer. A subsequent write operation then produces undefined or unexpected results.
1077
#3
Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
857
#4
Out-of-bounds Read
The software reads data past the end, or before the beginning, of the intended buffer. Typically, this can allow attackers to read sensitive information from other memory locations or cause a crash. A crash can occur when the code reads a variable amount of data and assumes that a sentinel exists to stop the read operation, such as a NUL in a string. The expected sentinel might not be located in the out-of-bounds memory, causing excessive data to be read, leading to a segmentation fault or a buffer overflow. The software may modify an index or perform pointer arithmetic that references a memory location that is outside of the boundaries of the buffer. A subsequent read operation then produces undefined or unexpected results.
843
#5
Information Disclosure
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
574
#6
Buffer Overflow
The software performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.
541
#7
Dangling pointer
Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.
504
#8
SQL Injection
The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.
446
#9
Session Riding
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request. When a web server is designed to receive a request from a client without any mechanism for verifying that it was intentionally sent, then it might be possible for an attacker to trick a client into making an unintentional request to the web server which will be treated as an authentic request. This can be done via a URL, image load, XMLHttpRequest, etc. and can result in exposure of data or unintended code execution.
420
#10
Directory traversal
The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
396
#11
Shell injection
The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
334
#12
authentification
When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.
219
#13
NULL Pointer Dereference
A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit. NULL pointer dereference issues can occur through a number of flaws, including race conditions, and simple programming omissions.
219
#14
Incorrect Permission Assignment for Critical Resource
The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. When a resource is given a permissions setting that provides access to a wider range of actors than required, it could lead to the exposure of sensitive information, or the modification of that resource by unintended parties. This is especially dangerous when the resource is related to program configuration, execution or sensitive user data.
182
#15
Unrestricted File Upload
The software allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment.
182
#16
AuthZ
The software does not perform an authorization check when an actor attempts to access a resource or perform an action.
175
#17
Insufficiently Protected Credentials
The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
154
#18
Code Injection
The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
141
#19
Integer Overflow or Wraparound
The software performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control. An integer overflow or wraparound occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may wrap to become a very small or negative number. While this may be intended behavior in circumstances that rely on wrapping, it can have security consequences if the wrap is unexpected. This is especially the case if the integer overflow can be triggered using user-supplied inputs. This becomes security-critical when the result is used to control looping, make a security decision, or determine the offset or size in behaviors such as memory allocation, copying, concatenation, etc.
140
#20
Improper Privilege Management
The software does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
130
#21
Missing Authentication for Critical Function
The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
129
#22
XXE
The software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
124
#23
Resource Exhaustion
The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.
123
#24
Marshaling, Unmarshaling
The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
117
#25
Memory Leak
The software does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory. This is often triggered by improper handling of malformed data or unexpectedly interrupted sessions. In some languages, developers are responsible for tracking memory allocation and releasing the memory. If there are no more pointers or references to the memory, then it can no longer be tracked and identified for release.
112
By Category
Fortinet FortiOS
19 vulnerabilities in 2019
Apache JSPWiki
11 vulnerabilities in 2019
Fortinet FortiClient
9 vulnerabilities in 2019
Content Management
Joomla
29 vulnerabilities in 2019
WordPress
22 vulnerabilities in 2019
Adobe Experience Manager
19 vulnerabilities in 2019
Database
Oracle MySQL
140 vulnerabilities in 2019
Oracle Database Server
25 vulnerabilities in 2019
SQLite
18 vulnerabilities in 2019
Desktop Software
Apple iTunes
93 vulnerabilities in 2019
Microsoft Office
58 vulnerabilities in 2019
Mozilla Thunderbird
58 vulnerabilities in 2019
Development Tools
Oracle Java Development Kit (JDK)
41 vulnerabilities in 2019
Jenkins
21 vulnerabilities in 2019
Microsoft Visual Studio
4 vulnerabilities in 2019
DevOps
GitLab
164 vulnerabilities in 2019
Kubernetes
13 vulnerabilities in 2019
Docker
8 vulnerabilities in 2019
Microsoft Exchange Server
12 vulnerabilities in 2019
Exim
4 vulnerabilities in 2019
Java Application Servers
Oracle Weblogic Server
40 vulnerabilities in 2019
IBM WebSphere Application Server
18 vulnerabilities in 2019
Adobe ColdFusion
10 vulnerabilities in 2019
Java Libraries
FasterXML Jackson Databind
21 vulnerabilities in 2019
Libraries
Microsoft ChakraCore
71 vulnerabilities in 2019
OpenSSL
7 vulnerabilities in 2019
Google Tensorflow
7 vulnerabilities in 2019
Operating Systems
Debian Linux
1000 vulnerabilities in 2019
Canonical Ubuntu Linux
669 vulnerabilities in 2019
Google Android
491 vulnerabilities in 2019
Runtime Environments
Oracle Java Runtime Environment (JRE)
37 vulnerabilities in 2019
PHP
30 vulnerabilities in 2019
Python
15 vulnerabilities in 2019
Server Software
Microsoft Sharepoint Server
33 vulnerabilities in 2019
Microsoft Sharepoint Enterprise Server
32 vulnerabilities in 2019
OpenBSD OpenSSH
5 vulnerabilities in 2019
Virtualization
Oracle VM VirtualBox
64 vulnerabilities in 2019
QEMU
15 vulnerabilities in 2019
Web Application Framework
Django Project Django
10 vulnerabilities in 2019
Microsoft ASP.NET Core
6 vulnerabilities in 2019
Web Applications
Apple iCloud
93 vulnerabilities in 2019
Web Browsers
Google Chrome
300 vulnerabilities in 2019
Apple Safari
166 vulnerabilities in 2019
Mozilla Firefox
108 vulnerabilities in 2019
Web Servers
Apache HTTP Server
14 vulnerabilities in 2019
2019 Known Exploited Vulnerabilities
These vulnerabilities may be considered some of the most dangerous vulnerabilities of 2019, because they are both known to have been exploited and have a high severity score. In fact 3 vulnerabilities scored the highest possible CVSS base score, of 10.
10.0
Pulse Connect Secure VPN arbitrary file reading vulnerability (COVID-19-CTI list)
CVE-2019-11510 vulnerability in Pulse Connect Secure, disclosed on May 8, 2019
CVE-2019-11510 vulnerability in Pulse Connect Secure, disclosed on May 8, 2019
10.0
Kibana Arbitrary Code Execution
CVE-2019-7609 vulnerability in Kibana, disclosed on March 25, 2019
CVE-2019-7609 vulnerability in Kibana, disclosed on March 25, 2019
10.0
Mozilla Firefox and Thunderbird Sandbox Escape Vulnerability
CVE-2019-11708 vulnerability in Firefox and Thunderbird, disclosed on July 23, 2019
CVE-2019-11708 vulnerability in Firefox and Thunderbird, disclosed on July 23, 2019
9.9
MongoDB mongo-express Remote Code Execution Vulnerability
CVE-2019-10758 vulnerability in mongo-express, disclosed on December 24, 2019
CVE-2019-10758 vulnerability in mongo-express, disclosed on December 24, 2019
9.9
Jenkins Matrix Project Plugin Remote Code Execution Vulnerability
CVE-2019-1003030 vulnerability in Matrix Project Plugin, disclosed on March 8, 2019
CVE-2019-1003030 vulnerability in Matrix Project Plugin, disclosed on March 8, 2019
9.9
Jenkins Script Security Plugin Sandbox Bypass Vulnerability
CVE-2019-1003029 vulnerability in Script Security Plugin, disclosed on March 8, 2019
CVE-2019-1003029 vulnerability in Script Security Plugin, disclosed on March 8, 2019
9.8
Remote code execution via Widget Connector macro Vulnerability
CVE-2019-3396 vulnerability in Atlassian Confluence Server, disclosed on March 25, 2019
CVE-2019-3396 vulnerability in Atlassian Confluence Server, disclosed on March 25, 2019
9.8
Fortinet FortiOS SSL VPN credential exposure vulnerability
CVE-2018-13379 vulnerability in FortiOS, disclosed on June 4, 2019
CVE-2018-13379 vulnerability in FortiOS, disclosed on June 4, 2019
9.8
Oracle WebLogic Server, Injection
CVE-2019-2725 vulnerability in WebLogic Server, disclosed on April 26, 2019
CVE-2019-2725 vulnerability in WebLogic Server, disclosed on April 26, 2019
9.8
Webmin Command Injection Vulnerability
CVE-2019-15107 vulnerability in Webmin, disclosed on August 16, 2019
CVE-2019-15107 vulnerability in Webmin, disclosed on August 16, 2019
9.8
"BlueKeep" Microsoft Windows Remote Desktop Remote Code Execution Vulnerability
CVE-2019-0708 vulnerability in Remote Desktop Services, disclosed on May 16, 2019
CVE-2019-0708 vulnerability in Remote Desktop Services, disclosed on May 16, 2019
9.8
Citrix Application Delivery Controller and Citrix Gateway Vulnerability
CVE-2019-19781 vulnerability in Application Delivery Controller (ADC) and Gateway, disclosed on December 27, 2019
CVE-2019-19781 vulnerability in Application Delivery Controller (ADC) and Gateway, disclosed on December 27, 2019
9.8
Synacor Zimbra Collaboration Suite Improper Restriction of XML External Entity Reference
CVE-2019-9670 vulnerability in Zimbra Collaboration Suite, disclosed on May 29, 2019
CVE-2019-9670 vulnerability in Zimbra Collaboration Suite, disclosed on May 29, 2019
9.8
Microsoft SharePoint Remote Code Execution Vulnerability
CVE-2019-0604 vulnerability in SharePoint, disclosed on March 5, 2019
CVE-2019-0604 vulnerability in SharePoint, disclosed on March 5, 2019
9.8
vBulletin PHP Module Remote Code Execution Vulnerability
CVE-2019-16759 vulnerability in vBulletin, disclosed on September 24, 2019
CVE-2019-16759 vulnerability in vBulletin, disclosed on September 24, 2019
9.8
Atlassian Crowd and Crowd Data Center Remote Code Execution Vulnerability
CVE-2019-11580 vulnerability in Crowd and Crowd Data Center, disclosed on June 3, 2019
CVE-2019-11580 vulnerability in Crowd and Crowd Data Center, disclosed on June 3, 2019
9.8
Nice Linear eMerge E3-Series OS Command Injection Vulnerability
CVE-2019-7256 vulnerability in Linear eMerge E3-Series, disclosed on July 2, 2019
CVE-2019-7256 vulnerability in Linear eMerge E3-Series, disclosed on July 2, 2019
9.8
Nostromo nhttpd Directory Traversal Vulnerability
CVE-2019-16278 vulnerability in nhttpd, disclosed on October 14, 2019
CVE-2019-16278 vulnerability in nhttpd, disclosed on October 14, 2019
9.8
Atlassian Jira Server and Data Center Server-Side Template Injection Vulnerability
CVE-2019-11581 vulnerability in Jira Server and Data Center, disclosed on August 9, 2019
CVE-2019-11581 vulnerability in Jira Server and Data Center, disclosed on August 9, 2019
9.8
D-Link Multiple Routers Command Injection Vulnerability
CVE-2019-16920 vulnerability in Multiple Routers, disclosed on September 27, 2019
CVE-2019-16920 vulnerability in Multiple Routers, disclosed on September 27, 2019
9.8
QNAP Photo Station Improper Access Control Vulnerability
CVE-2019-7192 vulnerability in Photo Station, disclosed on December 5, 2019
CVE-2019-7192 vulnerability in Photo Station, disclosed on December 5, 2019
9.8
PHP FastCGI Process Manager (FPM) Buffer Overflow Vulnerability
CVE-2019-11043 vulnerability in FastCGI Process Manager (FPM), disclosed on October 28, 2019
CVE-2019-11043 vulnerability in FastCGI Process Manager (FPM), disclosed on October 28, 2019
9.8
Kentico Xperience Deserialization of Untrusted Data Vulnerability
CVE-2019-10068 vulnerability in Xperience, disclosed on March 26, 2019
CVE-2019-10068 vulnerability in Xperience, disclosed on March 26, 2019
9.8
D-Link DNS-320 Remote Code Execution Vulnerability
CVE-2019-16057 vulnerability in DNS-320 Storage Device, disclosed on September 16, 2019
CVE-2019-16057 vulnerability in DNS-320 Storage Device, disclosed on September 16, 2019
9.8
Crestron Multiple Products Command Injection Vulnerability
CVE-2019-3929 vulnerability in Multiple Products, disclosed on April 30, 2019
CVE-2019-3929 vulnerability in Multiple Products, disclosed on April 30, 2019
9.8
Sonatype Nexus Repository Manager Incorrect Access Control Vulnerability
CVE-2019-7238 vulnerability in Nexus Repository Manager, disclosed on March 21, 2019
CVE-2019-7238 vulnerability in Nexus Repository Manager, disclosed on March 21, 2019
9.8
Exim Mail Transfer Agent (MTA) Improper Input Validation
CVE-2019-10149 vulnerability in Mail Transfer Agent (MTA), disclosed on June 5, 2019
CVE-2019-10149 vulnerability in Mail Transfer Agent (MTA), disclosed on June 5, 2019
9.8
Zyxel P660HN-T1A Routers Command Injection Vulnerability
CVE-2017-18368 vulnerability in P660HN-T1A Routers, disclosed on May 2, 2019
CVE-2017-18368 vulnerability in P660HN-T1A Routers, disclosed on May 2, 2019
9.8
Progress Telerik UI for ASP.NET deserialization bug
CVE-2019-18935 vulnerability in ASP.NET AJAX, disclosed on December 11, 2019
CVE-2019-18935 vulnerability in ASP.NET AJAX, disclosed on December 11, 2019
9.8
Adobe Flash Player Use-After-Free Vulnerability
CVE-2018-15982 vulnerability in Flash Player, disclosed on January 18, 2019
CVE-2018-15982 vulnerability in Flash Player, disclosed on January 18, 2019
9.8
D-Link DIR-859 Router Command Execution Vulnerability
CVE-2019-17621 vulnerability in DIR-859 Router, disclosed on December 30, 2019
CVE-2019-17621 vulnerability in DIR-859 Router, disclosed on December 30, 2019
9.8
QNAP Photo Station Path Traversal Vulnerability
CVE-2019-7194 vulnerability in Photo Station, disclosed on December 5, 2019
CVE-2019-7194 vulnerability in Photo Station, disclosed on December 5, 2019
9.8
LG N1A1 NAS Remote Command Execution Vulnerability
CVE-2018-14839 vulnerability in N1A1 NAS, disclosed on May 14, 2019
CVE-2018-14839 vulnerability in N1A1 NAS, disclosed on May 14, 2019
9.8
QNAP Photo Station Path Traversal Vulnerability
CVE-2019-7195 vulnerability in Photo Station, disclosed on December 5, 2019
CVE-2019-7195 vulnerability in Photo Station, disclosed on December 5, 2019
9.8
Exim Out-of-bounds Write Vulnerability
CVE-2019-16928 vulnerability in Exim Internet Mailer, disclosed on September 27, 2019
CVE-2019-16928 vulnerability in Exim Internet Mailer, disclosed on September 27, 2019
9.8
VMware ESXi/Horizon DaaS Appliances Heap-Overwrite Vulnerability
CVE-2019-5544 vulnerability in ESXi, Horizon DaaS Appliances, disclosed on December 6, 2019
CVE-2019-5544 vulnerability in ESXi, Horizon DaaS Appliances, disclosed on December 6, 2019
9.8
Citrix SD-WAN and NetScaler SQL Injection Vulnerability
CVE-2019-12989 vulnerability in SD-WAN and NetScaler, disclosed on July 16, 2019
CVE-2019-12989 vulnerability in SD-WAN and NetScaler, disclosed on July 16, 2019
9.8
IBM Planning Analytics configuration overwrite vulnerability
CVE-2019-4716 vulnerability in IBM Planning Analytics, disclosed on December 18, 2019
CVE-2019-4716 vulnerability in IBM Planning Analytics, disclosed on December 18, 2019
9.8
Ubiquiti AirOS Command Injection Vulnerability
CVE-2010-5330 vulnerability in AirOS, disclosed on June 11, 2019
CVE-2010-5330 vulnerability in AirOS, disclosed on June 11, 2019
9.8
Citrix Workspace (for Windows) Prior to 1904 Improper Access Control
CVE-2019-11634 vulnerability in Workspace (for Windows), disclosed on May 22, 2019
CVE-2019-11634 vulnerability in Workspace (for Windows), disclosed on May 22, 2019
9.8
QNAP QTS Improper Input Validation Vulnerability
CVE-2019-7193 vulnerability in QTS, disclosed on December 5, 2019
CVE-2019-7193 vulnerability in QTS, disclosed on December 5, 2019
9.8
Kaseya VSA SQL Injection Vulnerability
CVE-2017-18362 vulnerability in Virtual System/Server Administrator (VSA), disclosed on February 5, 2019
CVE-2017-18362 vulnerability in Virtual System/Server Administrator (VSA), disclosed on February 5, 2019
9.8
SIMalliance Toolbox (S@T) Browser Command and Control Vulnerability
CVE-2019-16256 vulnerability in SIMalliance Toolbox (S@T) Browser, disclosed on September 12, 2019
CVE-2019-16256 vulnerability in SIMalliance Toolbox (S@T) Browser, disclosed on September 12, 2019
9.8
Schneider Electric U.motion Builder SQL Injection Vulnerability
CVE-2018-7841 vulnerability in U.motion Builder, disclosed on May 22, 2019
CVE-2018-7841 vulnerability in U.motion Builder, disclosed on May 22, 2019
9.8
Kaseya VSA Remote Code Execution Vulnerability
CVE-2018-20753 vulnerability in Virtual System/Server Administrator (VSA), disclosed on February 5, 2019
CVE-2018-20753 vulnerability in Virtual System/Server Administrator (VSA), disclosed on February 5, 2019
9.8
SAP Commerce Cloud Deserialization of Untrusted Data Vulnerability
CVE-2019-0344 vulnerability in Commerce Cloud, disclosed on August 14, 2019
CVE-2019-0344 vulnerability in Commerce Cloud, disclosed on August 14, 2019
9.8
WhatsApp VOIP Stack Buffer Overflow Vulnerability
CVE-2019-3568 vulnerability in WhatsApp, disclosed on May 14, 2019
CVE-2019-3568 vulnerability in WhatsApp, disclosed on May 14, 2019
9.8
Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability
CVE-2019-9874 vulnerability in CMS and Experience Platform (XP), disclosed on May 31, 2019
CVE-2019-9874 vulnerability in CMS and Experience Platform (XP), disclosed on May 31, 2019
8.8
ThinkPHP Remote Code Execution Vulnerability
CVE-2019-9082 vulnerability in ThinkPHP, disclosed on February 24, 2019
CVE-2019-9082 vulnerability in ThinkPHP, disclosed on February 24, 2019
8.8
Atlassian Confluence Path Traversal Vulnerability
CVE-2019-3398 vulnerability in Confluence, disclosed on April 18, 2019
CVE-2019-3398 vulnerability in Confluence, disclosed on April 18, 2019
8.8
Google Chrome Use-After-Free Vulnerability
CVE-2019-13720 vulnerability in Chrome, disclosed on November 25, 2019
CVE-2019-13720 vulnerability in Chrome, disclosed on November 25, 2019
8.8
Nagios XI Remote Code Execution Vulnerability
CVE-2019-15949 vulnerability in Nagios XI, disclosed on September 5, 2019
CVE-2019-15949 vulnerability in Nagios XI, disclosed on September 5, 2019
8.8
Citrix SD-WAN and NetScaler Command Injection Vulnerability
CVE-2019-12991 vulnerability in SD-WAN and NetScaler, disclosed on July 16, 2019
CVE-2019-12991 vulnerability in SD-WAN and NetScaler, disclosed on July 16, 2019
8.8
Mozilla Firefox and Thunderbird Type Confusion Vulnerability
CVE-2019-11707 vulnerability in Firefox and Thunderbird, disclosed on July 23, 2019
CVE-2019-11707 vulnerability in Firefox and Thunderbird, disclosed on July 23, 2019
8.8
Microsoft MSHTML Engine Remote Code Execution Vulnerability
CVE-2019-0541 vulnerability in MSHTML engine, disclosed on January 8, 2019
CVE-2019-0541 vulnerability in MSHTML engine, disclosed on January 8, 2019
8.8
Microsoft Excel Remote Code Execution Vulnerability
CVE-2019-1297 vulnerability in Excel, disclosed on September 11, 2019
CVE-2019-1297 vulnerability in Excel, disclosed on September 11, 2019
8.8
Microsoft GDI Remote Code Execution Vulnerability
CVE-2019-0903 vulnerability in Graphics Device Interface (GDI), disclosed on May 16, 2019
CVE-2019-0903 vulnerability in Graphics Device Interface (GDI), disclosed on May 16, 2019
8.8
Oracle Solaris Privilege Escalation Vulnerability
CVE-2019-3010 vulnerability in Solaris, disclosed on October 16, 2019
CVE-2019-3010 vulnerability in Solaris, disclosed on October 16, 2019
8.8
Apple Multiple Products Type Confusion Vulnerability
CVE-2019-8506 vulnerability in Multiple Products, disclosed on December 18, 2019
CVE-2019-8506 vulnerability in Multiple Products, disclosed on December 18, 2019
8.8
Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability
CVE-2019-9875 vulnerability in CMS and Experience Platform (XP), disclosed on May 31, 2019
CVE-2019-9875 vulnerability in CMS and Experience Platform (XP), disclosed on May 31, 2019
8.8
Cisco RV Series Routers Deserialization of Untrusted Data Vulnerability
CVE-2019-15271 vulnerability in RV Series Routers, disclosed on November 26, 2019
CVE-2019-15271 vulnerability in RV Series Routers, disclosed on November 26, 2019
8.1
Drupal Core Remote Code Execution Vulnerability
CVE-2019-6340 vulnerability in Core, disclosed on February 21, 2019
CVE-2019-6340 vulnerability in Core, disclosed on February 21, 2019
8.1
Palo Alto Networks PAN-OS Remote Code Execution Vulnerability
CVE-2019-1579 vulnerability in PAN-OS, disclosed on July 19, 2019
CVE-2019-1579 vulnerability in PAN-OS, disclosed on July 19, 2019
7.8
WinRAR Absolute Path Traversal Vulnerability
CVE-2018-20250 vulnerability in WinRAR, disclosed on February 5, 2019
CVE-2018-20250 vulnerability in WinRAR, disclosed on February 5, 2019
7.8
Microsoft Win32k Privilege Escalation Vulnerability
CVE-2019-1458 vulnerability in Win32k, disclosed on December 10, 2019
CVE-2019-1458 vulnerability in Win32k, disclosed on December 10, 2019
7.8
Apache HTTP Server scoreboard vulnerability
CVE-2019-0211 vulnerability in HTTP Server, disclosed on April 8, 2019
CVE-2019-0211 vulnerability in HTTP Server, disclosed on April 8, 2019
7.8
Microsoft Windows AppX Deployment Service (AppXSVC) Privilege Escalation Vulnerability
CVE-2019-0841 vulnerability in Windows, disclosed on April 9, 2019
CVE-2019-0841 vulnerability in Windows, disclosed on April 9, 2019
7.8
Microsoft Win32k Escalation Kernel Vulnerability
CVE-2019-0803 vulnerability in Win32k, disclosed on April 9, 2019
CVE-2019-0803 vulnerability in Win32k, disclosed on April 9, 2019
7.8
Linux Kernel Improper Privilege Management Vulnerability
CVE-2019-13272 vulnerability in Kernel, disclosed on July 17, 2019
CVE-2019-13272 vulnerability in Kernel, disclosed on July 17, 2019
7.8
Docker Desktop Community Edition Privilege Escalation Vulnerability
CVE-2019-15752 vulnerability in Desktop Community Edition, disclosed on August 28, 2019
CVE-2019-15752 vulnerability in Desktop Community Edition, disclosed on August 28, 2019
7.8
Microsoft Windows Universal Plug and Play (UPnP) Service Privilege Escalation Vulnerability
CVE-2019-1405 vulnerability in Windows, disclosed on November 12, 2019
CVE-2019-1405 vulnerability in Windows, disclosed on November 12, 2019
7.8
Microsoft Windows 7 win32k.sys Driver Vulnerability
CVE-2019-0808 vulnerability in Windows, disclosed on April 9, 2019
CVE-2019-0808 vulnerability in Windows, disclosed on April 9, 2019
7.8
Android "AbstractEmu" Root Access Vulnerabilities
CVE-2019-2215 vulnerability in Android OS, disclosed on October 11, 2019
CVE-2019-2215 vulnerability in Android OS, disclosed on October 11, 2019
7.8
Microsoft Windows Privilege Escalation Vulnerability
CVE-2019-1322 vulnerability in Windows, disclosed on October 10, 2019
CVE-2019-1322 vulnerability in Windows, disclosed on October 10, 2019
7.8
Microsoft Task Scheduler Privilege Escalation Vulnerability
CVE-2019-1069 vulnerability in Task Scheduler, disclosed on June 12, 2019
CVE-2019-1069 vulnerability in Task Scheduler, disclosed on June 12, 2019
7.8
Microsoft Win32k Privilege Escalation Vulnerability
CVE-2019-1132 vulnerability in Win32k, disclosed on July 15, 2019
CVE-2019-1132 vulnerability in Win32k, disclosed on July 15, 2019
7.8
Microsoft Windows AppX Deployment Server Privilege Escalation Vulnerability
CVE-2019-1253 vulnerability in Windows, disclosed on September 11, 2019
CVE-2019-1253 vulnerability in Windows, disclosed on September 11, 2019
7.8
Microsoft Windows AppX Deployment Service (AppXSVC) Privilege Escalation Vulnerability
CVE-2019-1064 vulnerability in Windows, disclosed on June 12, 2019
CVE-2019-1064 vulnerability in Windows, disclosed on June 12, 2019
7.8
Microsoft Windows Error Reporting (WER) Vulnerability
CVE-2019-0863 vulnerability in Windows, disclosed on May 16, 2019
CVE-2019-0863 vulnerability in Windows, disclosed on May 16, 2019
7.8
Microsoft Windows Common Log File System (CLFS) Driver Vulnerability
CVE-2019-1214 vulnerability in Windows, disclosed on September 11, 2019
CVE-2019-1214 vulnerability in Windows, disclosed on September 11, 2019
7.8
Microsoft Win32k Escalation Kernel Vulnerability
CVE-2019-0859 vulnerability in Win32k, disclosed on April 9, 2019
CVE-2019-0859 vulnerability in Win32k, disclosed on April 9, 2019
7.8
Apple Multiple Products Use-After-Free Vulnerability
CVE-2019-8605 vulnerability in Multiple Products, disclosed on December 18, 2019
CVE-2019-8605 vulnerability in Multiple Products, disclosed on December 18, 2019
7.8
Microsoft Windows AppX Deployment Service (AppXSVC) Privilege Escalation Vulnerability
CVE-2019-1129 vulnerability in Windows, disclosed on July 15, 2019
CVE-2019-1129 vulnerability in Windows, disclosed on July 15, 2019
7.8
Microsoft Windows Error Reporting Manager Privilege Escalation Vulnerability
CVE-2019-1315 vulnerability in Windows, disclosed on October 10, 2019
CVE-2019-1315 vulnerability in Windows, disclosed on October 10, 2019
7.8
Microsoft Windows AppX Deployment Service Privilege Escalation Vulnerability
CVE-2019-1130 vulnerability in Windows, disclosed on July 15, 2019
CVE-2019-1130 vulnerability in Windows, disclosed on July 15, 2019
7.8
Apple iOS Memory Corruption Vulnerability
CVE-2019-7287 vulnerability in iOS, disclosed on December 18, 2019
CVE-2019-7287 vulnerability in iOS, disclosed on December 18, 2019
7.8
Microsoft Win32k.sys Driver Vulnerability
CVE-2019-0797 vulnerability in Win32k, disclosed on April 9, 2019
CVE-2019-0797 vulnerability in Win32k, disclosed on April 9, 2019
7.8
Microsoft Windows Privilege Escalation Vulnerability
CVE-2019-0543 vulnerability in Windows, disclosed on January 8, 2019
CVE-2019-0543 vulnerability in Windows, disclosed on January 8, 2019
7.8
Microsoft Windows Certificate Dialog Privilege Escalation Vulnerability
CVE-2019-1388 vulnerability in Windows, disclosed on November 12, 2019
CVE-2019-1388 vulnerability in Windows, disclosed on November 12, 2019
7.8
Microsoft Windows Winsock (ws2ifsl.sys) Vulnerability
CVE-2019-1215 vulnerability in Windows, disclosed on September 11, 2019
CVE-2019-1215 vulnerability in Windows, disclosed on September 11, 2019
7.8
Apple Multiple Products Memory Corruption Vulnerability
CVE-2019-7286 vulnerability in Multiple Products, disclosed on December 18, 2019
CVE-2019-7286 vulnerability in Multiple Products, disclosed on December 18, 2019
7.8
Microsoft Windows Privilege Escalation Vulnerability
CVE-2019-0880 vulnerability in Windows, disclosed on July 15, 2019
CVE-2019-0880 vulnerability in Windows, disclosed on July 15, 2019
7.8
Apple Multiple Products Memory Corruption Vulnerability
CVE-2018-4344 vulnerability in Multiple Products, disclosed on April 3, 2019
CVE-2018-4344 vulnerability in Multiple Products, disclosed on April 3, 2019
7.8
Microsoft Windows AppX Deployment Extensions Privilege Escalation Vulnerability
CVE-2019-1385 vulnerability in Windows, disclosed on November 12, 2019
CVE-2019-1385 vulnerability in Windows, disclosed on November 12, 2019
7.8
Apple macOS Use-After-Free Vulnerability
CVE-2019-8526 vulnerability in macOS, disclosed on December 18, 2019
CVE-2019-8526 vulnerability in macOS, disclosed on December 18, 2019
7.5
Apache Solr 5.0.0-8.3.1 Remote Code Execution Vulnerability
CVE-2019-17558 vulnerability in Solr, disclosed on December 30, 2019
CVE-2019-17558 vulnerability in Solr, disclosed on December 30, 2019
7.5
Cisco RV320 and RV325 Routers Improper Access Control Vulnerability (COVID-19-CTI list)
CVE-2019-1653 vulnerability in RV320 and RV325 Routers, disclosed on January 24, 2019
CVE-2019-1653 vulnerability in RV320 and RV325 Routers, disclosed on January 24, 2019
7.5
SonicWall SMA100 9.0.0.3 and Earlier SQL Injection
CVE-2019-7481 vulnerability in SMA100, disclosed on December 17, 2019
CVE-2019-7481 vulnerability in SMA100, disclosed on December 17, 2019
7.5
TVT NVMS-1000 Directory Traversal
CVE-2019-20085 vulnerability in NVMS-1000, disclosed on December 30, 2019
CVE-2019-20085 vulnerability in NVMS-1000, disclosed on December 30, 2019
7.5
Microsoft Internet Explorer Type Confusion Vulnerability
CVE-2019-0752 vulnerability in Internet Explorer, disclosed on April 9, 2019
CVE-2019-0752 vulnerability in Internet Explorer, disclosed on April 9, 2019
Report Last Updated: July 5, 2025