Search
On this page ▾

KEV 2019

118 CISA Known Exploited Vulnerabilities from 2019

Critical 40

February 2026

CVE-2019-19006

Sangoma FreePBX — Sangoma FreePBX Improper Authentication Vulnerability

CVSS 9.8

March 2025

CVE-2019-9874

Sitecore CMS and Experience Platform (XP) — Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability

CVSS 9.8

November 2024

CVE-2019-16278

Nostromo nhttpd — Nostromo nhttpd Directory Traversal Vulnerability

CVSS 9.8

September 2024

CVE-2019-0344

SAP Commerce Cloud — SAP Commerce Cloud Deserialization of Untrusted Data Vulnerability

CVSS 9.8

March 2024

CVE-2019-7256

Nice Linear eMerge E3-Series — Nice Linear eMerge E3-Series OS Command Injection Vulnerability

CVSS 9.8

June 2023

CVE-2019-17621

D-Link DIR-859 Router — D-Link DIR-859 Router Command Execution Vulnerability

CVSS 9.8

June 2022

CVE-2019-7192

QNAP Photo Station — QNAP Photo Station Improper Access Control Vulnerability

CVSS 9.8
CVE-2019-7193

QNAP QTS — QNAP QTS Improper Input Validation Vulnerability

CVSS 9.8
CVE-2019-7194

QNAP Photo Station — QNAP Photo Station Path Traversal Vulnerability

CVSS 9.8
CVE-2019-7195

QNAP Photo Station — QNAP Photo Station Path Traversal Vulnerability

CVSS 9.8

May 2022

CVE-2019-11708

Mozilla Firefox and Thunderbird — Mozilla Firefox and Thunderbird Sandbox Escape Vulnerability

CVSS 10

April 2022

CVE-2019-1003029

Jenkins Script Security Plugin — Jenkins Script Security Plugin Sandbox Bypass Vulnerability

CVSS 9.9
CVE-2019-3568

Meta Platforms WhatsApp — WhatsApp VOIP Stack Buffer Overflow Vulnerability

CVSS 9.8
CVE-2019-16057

D-Link DNS-320 Storage Device — D-Link DNS-320 Remote Code Execution Vulnerability

CVSS 9.8
CVE-2019-3929

Crestron Multiple Products — Crestron Multiple Products Command Injection Vulnerability

CVSS 9.8

March 2022

CVE-2019-1003030

Jenkins Matrix Project Plugin — Jenkins Matrix Project Plugin Remote Code Execution Vulnerability

CVSS 9.9
CVE-2019-10068

Kentico Xperience — Kentico Xperience Deserialization of Untrusted Data Vulnerability

CVSS 9.8
CVE-2019-12989

Citrix SD-WAN and NetScaler — Citrix SD-WAN and NetScaler SQL Injection Vulnerability

CVSS 9.8
CVE-2019-15107

Webmin Webmin — Webmin Command Injection Vulnerability

CVSS 9.8
CVE-2019-16920

D-Link Multiple Routers — D-Link Multiple Routers Command Injection Vulnerability

CVSS 9.8
CVE-2019-11581

Atlassian Jira Server and Data Center — Atlassian Jira Server and Data Center Server-Side Template Injection Vulnerability

CVSS 9.8
CVE-2019-16928

Exim Exim Internet Mailer — Exim Out-of-bounds Write Vulnerability

CVSS 9.8

January 2022

CVE-2019-7609

Elastic Kibana — Kibana Arbitrary Code Execution

CVSS 10
CVE-2019-10149

Exim Mail Transfer Agent (MTA) — Exim Mail Transfer Agent (MTA) Improper Input Validation

CVSS 9.8
CVE-2019-2725

Oracle WebLogic Server — Oracle WebLogic Server, Injection

CVSS 9.8
CVE-2019-9670

Synacor Zimbra Collaboration Suite (ZCS) — Synacor Zimbra Collaboration Suite (ZCS) Improper Restriction of XML External Entity Reference

CVSS 9.8

December 2021

CVE-2019-10758

MongoDB mongo-express — MongoDB mongo-express Remote Code Execution Vulnerability

CVSS 9.9
CVE-2019-7238

Sonatype Nexus Repository Manager — Sonatype Nexus Repository Manager Incorrect Access Control Vulnerability

CVSS 9.8

November 2021

CVE-2019-11510

Ivanti Pulse Connect Secure — Ivanti Pulse Connect Secure Arbitrary File Read Vulnerability

CVSS 10
CVE-2019-0604

Microsoft SharePoint — Microsoft SharePoint Remote Code Execution Vulnerability

CVSS 9.8
CVE-2019-0708

Microsoft RDP 'BlueKeep' — Use-After-Free in Remote Desktop Services Allows Wormable Pre-Auth Remote Code Execution

CVSS 9.8
CVE-2019-11580

Atlassian Crowd and Crowd Data Center — Atlassian Crowd and Crowd Data Center Remote Code Execution Vulnerability

CVSS 9.8
CVE-2019-11634

Citrix Workspace Application and Receiver for Windows — Citrix Workspace Application and Receiver for Windows Remote Code Execution Vulnerability

CVSS 9.8
CVE-2019-16256

SIMalliance Toolbox Browser — SIMalliance Toolbox Browser Command Injection Vulnerability

CVSS 9.8
CVE-2019-16759

vBulletin vBulletin — vBulletin PHP Module Remote Code Execution Vulnerability

CVSS 9.8
CVE-2019-18935

Progress Telerik UI for ASP.NET AJAX — Progress Telerik UI for ASP.NET AJAX Deserialization of Untrusted Data Vulnerability

CVSS 9.8
CVE-2019-19781

Citrix ADC/NetScaler — Path Traversal Enables Unauthenticated Remote Code Execution; 6-Week Unpatched Window Drives Mass Exploitation

CVSS 9.8
CVE-2019-3396

Atlassian Confluence Server and Data Server — Atlassian Confluence Server and Data Center Server-Side Template Injection Vulnerability

CVSS 9.8
CVE-2019-4716

IBM Planning Analytics — IBM Planning Analytics Remote Code Execution Vulnerability

CVSS 9.8
CVE-2019-5544

VMware VMware ESXi and Horizon DaaS — VMware ESXi and Horizon DaaS OpenSLP Heap-Based Buffer Overflow Vulnerability

CVSS 9.8

High 70

July 2025

CVE-2019-5418

Rails Ruby on Rails — Rails Ruby on Rails Path Traversal Vulnerability

CVSS 7.5
CVE-2019-9621

Synacor Zimbra Collaboration Suite (ZCS) — Synacor Zimbra Collaboration Suite (ZCS) Server-Side Request Forgery (SSRF) Vulnerability

CVSS 7.5

March 2025

CVE-2019-9875

Sitecore CMS and Experience Platform (XP) — Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability

CVSS 8.8

December 2024

CVE-2019-11001

Reolink Multiple IP Cameras — Reolink Multiple IP Cameras OS Command Injection Vulnerability

CVSS 7.2

June 2023

CVE-2019-20500

D-Link DWL-2600AP Access Point — D-Link DWL-2600AP Access Point Command Injection Vulnerability

CVSS 7.8

April 2023

CVE-2019-8526

Apple macOS — Apple macOS Use-After-Free Vulnerability

CVSS 7.8
CVE-2019-1388

Microsoft Windows — Microsoft Windows Certificate Dialog Privilege Escalation Vulnerability

CVSS 7.8

June 2022

CVE-2019-15271

Cisco RV Series Routers — Cisco RV Series Routers Deserialization of Untrusted Data Vulnerability

CVSS 8.8
CVE-2019-8605

Apple Multiple Products — Apple Multiple Products Use-After-Free Vulnerability

CVSS 7.8

May 2022

CVE-2019-3010

Oracle Solaris — Oracle Solaris Privilege Escalation Vulnerability

CVSS 8.8
CVE-2019-11707

Mozilla Firefox and Thunderbird — Mozilla Firefox and Thunderbird Type Confusion Vulnerability

CVSS 8.8
CVE-2019-13720

Google Chrome WebAudio — Google Chrome WebAudio Use-After-Free Vulnerability

CVSS 8.8
CVE-2019-8720

WebKitGTK WebKitGTK — WebKitGTK Memory Corruption Vulnerability

CVSS 8.8
CVE-2019-8506

Apple Multiple Products — Apple Multiple Products Type Confusion Vulnerability

CVSS 8.8
CVE-2019-18426

Meta Platforms WhatsApp — WhatsApp Cross-Site Scripting Vulnerability

CVSS 8.2
CVE-2019-0880

Microsoft Windows — Microsoft Windows Privilege Escalation Vulnerability

CVSS 7.8
CVE-2019-1130

Microsoft Windows — Microsoft Windows AppX Deployment Service Privilege Escalation Vulnerability

CVSS 7.8
CVE-2019-1385

Microsoft Windows — Microsoft Windows AppX Deployment Extensions Privilege Escalation Vulnerability

CVSS 7.8
CVE-2019-7286

Apple Multiple Products — Apple Multiple Products Memory Corruption Vulnerability

CVSS 7.8
CVE-2019-7287

Apple iOS — Apple iOS Memory Corruption Vulnerability

CVSS 7.8

March 2022

CVE-2019-0903

Microsoft Graphics Device Interface (GDI) — Microsoft GDI Remote Code Execution Vulnerability

CVSS 8.8
CVE-2019-12991

Citrix SD-WAN and NetScaler — Citrix SD-WAN and NetScaler Command Injection Vulnerability

CVSS 8.8
CVE-2019-1297

Microsoft Excel — Microsoft Excel Remote Code Execution Vulnerability

CVSS 8.8
CVE-2019-11043

PHP FastCGI Process Manager (FPM) — PHP FastCGI Process Manager (FPM) Buffer Overflow Vulnerability

CVSS 8.7
CVE-2019-6340

Drupal Core — Drupal Core Remote Code Execution Vulnerability

CVSS 8.1
CVE-2019-0543

Microsoft Windows — Microsoft Windows Privilege Escalation Vulnerability

CVSS 7.8
CVE-2019-0841

Microsoft Windows — Microsoft Windows AppX Deployment Service (AppXSVC) Privilege Escalation Vulnerability

CVSS 7.8
CVE-2019-1064

Microsoft Windows — Microsoft Windows AppX Deployment Service (AppXSVC) Privilege Escalation Vulnerability

CVSS 7.8
CVE-2019-1069

Microsoft Task Scheduler — Microsoft Task Scheduler Privilege Escalation Vulnerability

CVSS 7.8
CVE-2019-1129

Microsoft Windows — Microsoft Windows AppX Deployment Service (AppXSVC) Privilege Escalation Vulnerability

CVSS 7.8
CVE-2019-1132

Microsoft Win32k — Microsoft Win32k Privilege Escalation Vulnerability

CVSS 7.8
CVE-2019-1253

Microsoft Windows — Microsoft Windows AppX Deployment Server Privilege Escalation Vulnerability

CVSS 7.8
CVE-2019-1315

Microsoft Windows — Microsoft Windows Error Reporting Manager Privilege Escalation Vulnerability

CVSS 7.8
CVE-2019-1322

Microsoft Windows — Microsoft Windows Privilege Escalation Vulnerability

CVSS 7.8
CVE-2019-1405

Microsoft Windows — Microsoft Windows Universal Plug and Play (UPnP) Service Privilege Escalation Vulnerability

CVSS 7.8
CVE-2019-7483

SonicWall SMA100 — SonicWall SMA100 Directory Traversal Vulnerability

CVSS 7.5
CVE-2019-2616

Oracle BI Publisher (Formerly XML Publisher) — Oracle BI Publisher Unauthorized Access Vulnerability

CVSS 7.2
CVE-2019-1652

Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers — Cisco Small Business Routers Improper Input Validation Vulnerability

CVSS 7.2

February 2022

CVE-2019-0752

Microsoft Internet Explorer — Microsoft Internet Explorer Type Confusion Vulnerability

CVSS 7.5

January 2022

CVE-2019-1579

Palo Alto Networks PAN-OS — Palo Alto Networks PAN-OS Remote Code Execution Vulnerability

CVSS 8.1
CVE-2019-1458

Microsoft Win32k — Microsoft Win32k Privilege Escalation Vulnerability

CVSS 7.8

December 2021

CVE-2019-13272

Linux Kernel — Linux Kernel Improper Privilege Management Vulnerability

CVSS 7.8
CVE-2019-0193

Apache Solr — Apache Solr DataImportHandler Code Injection Vulnerability

CVSS 7.2

November 2021

CVE-2019-0541

Microsoft MSHTML — Microsoft MSHTML Remote Code Execution Vulnerability

CVSS 8.8
CVE-2019-15949

Nagios Nagios XI — Nagios XI Remote Code Execution Vulnerability

CVSS 8.8
CVE-2019-17026

Mozilla Firefox and Thunderbird — Mozilla Firefox And Thunderbird Type Confusion Vulnerability

CVSS 8.8
CVE-2019-3398

Atlassian Confluence Server and Data Center — Atlassian Confluence Server and Data Center Path Traversal Vulnerability

CVSS 8.8
CVE-2019-9082

ThinkPHP ThinkPHP — ThinkPHP Remote Code Execution Vulnerability

CVSS 8.8
CVE-2019-0211

Apache HTTP Server — Apache HTTP Server Privilege Escalation Vulnerability

CVSS 7.8
CVE-2019-0797

Microsoft Win32k — Microsoft Win32k Privilege Escalation Vulnerability

CVSS 7.8
CVE-2019-0803

Microsoft Win32k — Microsoft Win32k Privilege Escalation Vulnerability

CVSS 7.8
CVE-2019-0808

Microsoft Win32k — Microsoft Win32k Privilege Escalation Vulnerability

CVSS 7.8
CVE-2019-0859

Microsoft Win32k — Microsoft Win32k Privilege Escalation Vulnerability

CVSS 7.8
CVE-2019-0863

Microsoft Windows — Microsoft Windows Error Reporting (WER) Privilege Escalation Vulnerability

CVSS 7.8
CVE-2019-1214

Microsoft Windows — Microsoft Windows Privilege Common Log File System (CLFS) Escalation Vulnerability

CVSS 7.8
CVE-2019-1215

Microsoft Windows — Microsoft Windows Privilege Escalation Vulnerability

CVSS 7.8
CVE-2019-15752

Docker Desktop Community Edition — Docker Desktop Community Edition Privilege Escalation Vulnerability

CVSS 7.8
CVE-2019-2215

Android Android Kernel — Android Kernel Use-After-Free Vulnerability

CVSS 7.8
CVE-2019-13608

Citrix StoreFront Server — Citrix StoreFront Server XML External Entity (XXE) Processing Vulnerability

CVSS 7.5
CVE-2019-1367

Microsoft Internet Explorer — Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability

CVSS 7.5
CVE-2019-1429

Microsoft Internet Explorer — Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability

CVSS 7.5
CVE-2019-1653

Cisco Small Business RV320 and RV325 Routers — Cisco Small Business RV320 and RV325 Routers Information Disclosure Vulnerability

CVSS 7.5
CVE-2019-17558

Apache Solr — Apache Solr VelocityResponseWriter Plug-In Remote Code Execution Vulnerability

CVSS 7.5
CVE-2019-18187

Trend Micro OfficeScan — Trend Micro OfficeScan Directory Traversal Vulnerability

CVSS 7.5
CVE-2019-19356

Netis WF2419 Devices — Netis WF2419 Devices Remote Code Execution Vulnerability

CVSS 7.5
CVE-2019-20085

TVT NVMS-1000 — TVT NVMS-1000 Directory Traversal Vulnerability

CVSS 7.5
CVE-2019-6223

Apple iOS and macOS — Apple iOS and macOS Group Facetime Vulnerability

CVSS 7.5
CVE-2019-7481

SonicWall SMA100 — SonicWall SMA100 SQL Injection Vulnerability

CVSS 7.5
CVE-2019-11539

Ivanti Pulse Connect Secure and Pulse Policy Secure — Ivanti Pulse Connect Secure and Policy Secure Command Injection Vulnerability

CVSS 7.2
CVE-2019-18988

TeamViewer Desktop — TeamViewer Desktop Bypass Remote Login Vulnerability

CVSS 7

Medium 8

June 2025

CVE-2019-6693

Fortinet FortiOS — Fortinet FortiOS Use of Hard-Coded Credentials Vulnerability

CVSS 6.5

June 2022

CVE-2019-5825

Google Chromium V8 — Google Chromium V8 Out-of-Bounds Write Vulnerability

CVSS 6.5

May 2022

CVE-2019-0676

Microsoft Internet Explorer — Microsoft Internet Explorer Information Disclosure Vulnerability

CVSS 6.5
CVE-2019-0703

Microsoft Windows — Microsoft Windows SMB Information Disclosure Vulnerability

CVSS 6.5
CVE-2019-5786

Google Chrome Blink — Google Chrome Blink Use-After-Free Vulnerability

CVSS 6.5

November 2021

CVE-2019-5591

Fortinet FortiOS — Fortinet FortiOS Default Configuration Vulnerability

CVSS 6.5
CVE-2019-8394

Zoho ManageEngine — Zoho ManageEngine ServiceDesk Plus (SDP) File Upload Vulnerability

CVSS 6.5
CVE-2019-9978

WordPress Social Warfare Plugin — WordPress Social Warfare Plugin Cross-Site Scripting (XSS) Vulnerability

CVSS 6.1
Gavin Hollinger & AI assembled this air-gap friendly HTML