LiveActive security incident?Get immediate response
CVE archive

January 2019

Browse CVE records published in January 2019, with severity, affected products, CWE, KEV, and source-backed vulnerability context.

Showing 50 of 1090 matching CVEs · Page 1 of 22.

Critical · CVSS 9.8

CVE-2019-25296: WP Cost Estimation <= 9.642 - Missing Authorization to Arbitrary File Upload/Delete

The WP Cost Estimation plugin for WordPress is vulnerable to arbitrary file uploads and deletion due to missing file type validation in the lfb_upload_form and lfb_removeFile AJAX actions in versions up to, and including, 9.642. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected sites server which may make remote code execution possible. Additionally, the attacker can also delete files on the server such as database configuration files, subsequently uploading their own database files.

Published Jan 8, 2026 · Updated Apr 8, 2026

Medium · CVSS 6.5

CVE-2019-25295: WP Cost Estimation < 9.660 - Upload Directory Traversal

The WP Cost Estimation plugin for WordPress is vulnerable to Upload Directory Traversal in versions before 9.660 via the uploadFormFiles function. This allows attackers to overwrite any file with a whitelisted type on an affected site.

Published Jan 8, 2026 · Updated Apr 8, 2026

High · CVSS 8.8

CVE-2019-25289: INIM Electronics SmartLiving SmartLAN/G/SI <=6.x Remote Command Execution

SmartLiving SmartLAN <=6.x contains an authenticated remote command injection vulnerability in the web.cgi binary through the 'par' POST parameter with the 'testemail' module. Attackers can exploit the unsanitized parameter and system() function call to execute arbitrary system commands with root privileges using default credentials.

Published Jan 7, 2026 · Updated Mar 23, 2026

Medium · CVSS 6.1

CVE-2019-25277: FaceSentry Access Control System 6.4.8 Reflected Cross-Site Scripting via pluginInstall.php

FaceSentry Access Control System 6.4.8 contains a cross-site scripting vulnerability in the 'msg' parameter of pluginInstall.php that allows attackers to inject malicious scripts. Attackers can exploit the unvalidated input to execute arbitrary JavaScript in victim browsers, potentially stealing authentication credentials and conducting phishing attacks.

Published Jan 7, 2026 · Updated Mar 5, 2026

Critical · CVSS 9.8

CVE-2019-25232: NetPCLinker 1.0.0.0 - Buffer Overflow

NetPCLinker 1.0.0.0 contains a buffer overflow vulnerability in the Clients Control Panel DNS/IP field that allows attackers to execute arbitrary shellcode. Attackers can craft a malicious payload in the DNS/IP input to overwrite SEH handlers and execute shellcode when adding a new client.

Published Jan 30, 2026 · Updated Feb 3, 2026

Medium · CVSS 5.1

CVE-2019-25297: Poll, Survey & Quiz Maker Plugin by Opinion Stage < 19.6.25 Stored XSS

Poll, Survey & Quiz Maker Plugin by Opinion Stage Wordpress plugin versions prior to 19.6.25 contain a stored cross-site scripting (XSS) vulnerability via multiple parameters due to insufficient input validation and output escaping. An unauthenticated attacker can inject arbitrary script into content that executes when a victim views an affected page.

Published Jan 16, 2026 · Updated Jan 16, 2026

High · CVSS 7.5

CVE-2019-25279: FaceSentry Access Control System 6.4.8 Cleartext Password Storage Vulnerability

FaceSentry Access Control System 6.4.8 contains a cleartext password storage vulnerability that allows attackers to access unencrypted credentials in the device's SQLite database. Attackers can directly read sensitive login information stored in /faceGuard/database/FaceSentryWeb.sqlite without additional authentication.

Published Jan 7, 2026 · Updated Jan 16, 2026

High · CVSS 7.8 · CISA KEV

CVE-2019-0543: An elevation of privilege vulnerability exists when Windows improperly handles authentication requests, aka...

An elevation of privilege vulnerability exists when Windows improperly handles authentication requests, aka "Microsoft Windows Elevation of Privilege Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.

Published Jan 8, 2019 · Updated Jan 12, 2026

High · CVSS 8.5

CVE-2019-25231: devolo dLAN Cockpit 4.3.1 Unquoted Service Path Privilege Escalation

devolo dLAN Cockpit 4.3.1 contains an unquoted service path vulnerability in the 'DevoloNetworkService' that allows local non-privileged users to potentially execute arbitrary code. Attackers can exploit the insecure service path configuration by inserting malicious code in the system root path to execute with elevated privileges during application startup or system reboot.

Published Jan 7, 2026 · Updated Jan 8, 2026

Medium · CVSS 5.3

CVE-2019-25259: Leica Geosystems GR10/GR25/GR30/GR50 GNSS 4.30.063 Cross-Site Request Forgery

Leica Geosystems GR10/GR25/GR30/GR50 GNSS 4.30.063 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without request validation. Attackers can trick logged-in users into executing unauthorized actions by crafting malicious web pages that submit requests to the application.

Published Jan 7, 2026 · Updated Jan 8, 2026

Critical · CVSS 9.8

CVE-2019-25268: NREL BEopt 2.8.0 Insecure Library Loading Arbitrary Code Execution

NREL BEopt 2.8.0.0 contains a DLL hijacking vulnerability that allows attackers to load arbitrary libraries by tricking users into opening application files from remote shares. Attackers can exploit insecure library loading of sdl2.dll and libegl.dll by placing malicious libraries on WebDAV or SMB shares to execute unauthorized code.

Published Jan 7, 2026 · Updated Jan 8, 2026

Medium · CVSS 6.1

CVE-2019-25280: Yahei-PHP Prober 0.4.7 Remote HTML Injection via Speed Parameter

Yahei-PHP Prober 0.4.7 contains a remote HTML injection vulnerability that allows attackers to execute arbitrary HTML code through the 'speed' GET parameter. Attackers can inject malicious HTML code in the 'speed' parameter of prober.php to trigger cross-site scripting in user browser sessions.

Published Jan 7, 2026 · Updated Jan 8, 2026

Medium · CVSS 5.9

CVE-2019-6111: An issue was discovered in OpenSSH 7.9.

An issue was discovered in OpenSSH 7.9. Due to the scp implementation being derived from 1983 rcp, the server chooses which files/directories are sent to the client. However, the scp client only performs cursory validation of the object name returned (only directory traversal attacks are prevented). A malicious scp server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the scp client target directory. If recursive operation (-r) is performed, the server can manipulate subdirectories as well (for example, to overwrite the .ssh/authorized_keys file).

Published Jan 31, 2019 · Updated Dec 18, 2025

High · CVSS 8.8 · CISA KEV

CVE-2019-0541: A remote code execution vulnerability exists in the way that the MSHTML engine inproperly validates input,...

A remote code execution vulnerability exists in the way that the MSHTML engine inproperly validates input, aka "MSHTML Engine Remote Code Execution Vulnerability." This affects Microsoft Office, Microsoft Office Word Viewer, Internet Explorer 9, Internet Explorer 11, Microsoft Excel Viewer, Internet Explorer 10, Office 365 ProPlus.

Published Jan 8, 2019 · Updated Oct 21, 2025

High · CVSS 7.2 · CISA KEV

CVE-2019-1652: Cisco Small Business RV320 and RV325 Routers Command Injection Vulnerability

A vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an authenticated, remote attacker with administrative privileges on an affected device to execute arbitrary commands. The vulnerability is due to improper validation of user-supplied input. An attacker could exploit this vulnerability by sending malicious HTTP POST requests to the web-based management interface of an affected device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying Linux shell as root. Cisco has released firmware updates that address this vulnerability.

Published Jan 24, 2019 · Updated Oct 21, 2025

High · CVSS 7.5 · CISA KEV

CVE-2019-1653: Cisco Small Business RV320 and RV325 Routers Information Disclosure Vulnerability

A vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an unauthenticated, remote attacker to retrieve sensitive information. The vulnerability is due to improper access controls for URLs. An attacker could exploit this vulnerability by connecting to an affected device via HTTP or HTTPS and requesting specific URLs. A successful exploit could allow the attacker to download the router configuration or detailed diagnostic information. Cisco has released firmware updates that address this vulnerability.

Published Jan 24, 2019 · Updated Oct 21, 2025

Unknown · CVSS Not scored

CVE-2019-6446: An issue was discovered in NumPy before 1.16.3.

An issue was discovered in NumPy before 1.16.3. It uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object, as demonstrated by a numpy.load call. NOTE: third parties dispute this issue because it is a behavior that might have legitimate applications in (for example) loading serialized Python object arrays from trusted and authenticated sources.

Published Jan 16, 2019 · Updated Jul 21, 2025

High · CVSS 7.1

CVE-2019-13939: A vulnerability has been identified in APOGEE MEC/MBC/PXC (P2) (All versions < V2.8.2), APOGEE PXC Compact...

A vulnerability has been identified in APOGEE MEC/MBC/PXC (P2) (All versions < V2.8.2), APOGEE PXC Compact (BACnet) (All versions < V3.5.3), APOGEE PXC Compact (P2 Ethernet) (All versions >= V2.8.2 < V2.8.19), APOGEE PXC Modular (BACnet) (All versions < V3.5.3), APOGEE PXC Modular (P2 Ethernet) (All versions >= V2.8.2 < V2.8.19), Capital Embedded AR Classic 431-422 (All versions), Capital Embedded AR Classic R20-11 (All versions < V2303), Desigo PXC00-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC00-U (All versions >= V2.3x and < V6.00.327), Desigo PXC001-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC100-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC12-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC128-U (All versions >= V2.3x and < V6.00.327), Desigo PXC200-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC22-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC22.1-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC36.1-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC50-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC64-U (All versions >= V2.3x and < V6.00.327), Desigo PXM20-E (All versions >= V2.3 < V6.0.327), Nucleus NET (All versions), Nucleus ReadyStart V3 (All versions < V2017.02.3), Nucleus Source Code (All versions), SIMOTICS CONNECT 400 (All versions < V0.3.0.330), TALON TC Compact (BACnet) (All versions < V3.5.3), TALON TC Modular (BACnet) (All versions < V3.5.3). By sending specially crafted DHCP packets to a device where the DHCP client is enabled, an attacker could change the IP address of the device to an invalid value.

Published Jan 16, 2020 · Updated Jun 10, 2025

High · CVSS 7.5

CVE-2019-5747: An issue was discovered in BusyBox through 1.30.0.

An issue was discovered in BusyBox through 1.30.0. An out of bounds read in udhcp components (consumed by the DHCP client, server, and/or relay) might allow a remote attacker to leak sensitive information from the stack by sending a crafted DHCP message. This is related to assurance of a 4-byte length when decoding DHCP_SUBNET. NOTE: this issue exists because of an incomplete fix for CVE-2018-20679.

Published Jan 9, 2019 · Updated Jun 9, 2025

Low · CVSS 3.3

CVE-2019-25093: dragonexpert Recent Threads on Index Setting hooks.php recentthread_list_threads cross site scripting

A vulnerability, which was classified as problematic, was found in dragonexpert Recent Threads on Index. Affected is the function recentthread_list_threads of the file inc/plugins/recentthreads/hooks.php of the component Setting Handler. The manipulation of the argument recentthread_forumskip leads to cross site scripting. It is possible to launch the attack remotely. The patch is identified as 051465d807a8fcc6a8b0f4bcbb19299672399f48. It is recommended to apply a patch to fix this issue. VDB-217182 is the identifier assigned to this vulnerability.

Published Jan 2, 2023 · Updated May 28, 2025

Medium · CVSS 5.5

CVE-2019-25099: Arthmoor QSF-Portal index.php path traversal

A vulnerability classified as critical was found in Arthmoor QSF-Portal. This vulnerability affects unknown code of the file index.php. The manipulation of the argument a leads to path traversal. The patch is identified as ea4f61e23ecb83247d174bc2e2cbab521c751a7d. It is recommended to apply a patch to fix this issue. VDB-217558 is the identifier assigned to this vulnerability.

Published Jan 6, 2023 · Updated Apr 10, 2025

Medium · CVSS 5.4

CVE-2019-0556: A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly saniti...

A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka "Microsoft Office SharePoint XSS Vulnerability." This affects Microsoft SharePoint. This CVE ID is unique from CVE-2019-0557, CVE-2019-0558.

Published Jan 8, 2019 · Updated Feb 28, 2025

Medium · CVSS 5.4

CVE-2019-0557: A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly saniti...

A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka "Microsoft Office SharePoint XSS Vulnerability." This affects Microsoft SharePoint. This CVE ID is unique from CVE-2019-0556, CVE-2019-0558.

Published Jan 8, 2019 · Updated Feb 28, 2025

Medium · CVSS 5.4

CVE-2019-0558: A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly saniti...

A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka "Microsoft Office SharePoint XSS Vulnerability." This affects Microsoft SharePoint Server, Microsoft SharePoint, Microsoft Business Productivity Servers. This CVE ID is unique from CVE-2019-0556, CVE-2019-0557.

Published Jan 8, 2019 · Updated Feb 28, 2025

Medium · CVSS 4.1

CVE-2019-3811: A vulnerability was found in sssd.

A vulnerability was found in sssd. If a user was configured with no home directory set, sssd would return '/' (the root directory) instead of '' (the empty string / no home directory). This could impact services that restrict the user's filesystem access to within their home directory through chroot() etc. All versions before 2.1 are vulnerable.

Published Jan 15, 2019 · Updated Feb 13, 2025

Medium · CVSS 6.7

CVE-2019-14866: In all versions of cpio before 2.13 does not properly validate input files when generating TAR archives.

In all versions of cpio before 2.13 does not properly validate input files when generating TAR archives. When cpio is used to create TAR archives from paths an attacker can write to, the resulting archive may contain files with permissions the attacker did not have or in paths he did not have access to. Extracting those archives from a high-privilege user without carefully reviewing them may lead to the compromise of the system.

Published Jan 7, 2020 · Updated Feb 13, 2025

Medium · CVSS 6.1

CVE-2019-1642: Cisco Firepower Management Center Cross-Site Scripting Vulnerability

A vulnerability in the web-based management interface of Cisco Firepower Management Center (FMC) software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of the affected software. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of the affected software. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.

Published Jan 23, 2019 · Updated Nov 21, 2024

Medium · CVSS 6.1

CVE-2019-1643: Cisco Prime Infrastructure Cross-Site Scripting Vulnerability

A vulnerability in the web-based management interface of Cisco Prime Infrastructure could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of the affected software. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of the affected software. An attacker could exploit this vulnerability by persuading a user of the interface to click a maliciously crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.

Published Jan 23, 2019 · Updated Nov 21, 2024

Medium · CVSS 4.3

CVE-2019-1645: Cisco Connected Mobile Experiences Information Disclosure Vulnerability

A vulnerability in the Cisco Connected Mobile Experiences (CMX) software could allow an unauthenticated, adjacent attacker to access sensitive data on an affected device. The vulnerability is due to a lack of input and validation checking mechanisms for certain GET requests to API's on an affected device. An attacker could exploit this vulnerability by sending HTTP GET requests to an affected device. An exploit could allow the attacker to use this information to conduct additional reconnaissance attacks.

Published Jan 24, 2019 · Updated Nov 21, 2024

Medium · CVSS 6.1

CVE-2019-1655: Cisco Webex Meetings Server Cross-Site Scripting Vulnerability

A vulnerability in the web-based management interface of Cisco Webex Meetings Server could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based interface of the affected software. The vulnerability is due to insufficient validation of user-supplied input by the affected software. An attacker could exploit this vulnerability by persuading a user of the interface to click a maliciously crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.

Published Jan 24, 2019 · Updated Nov 21, 2024

Medium · CVSS 5.3

CVE-2019-1656: Cisco Enterprise NFV Infrastructure Software Linux Shell Access Vulnerability

A vulnerability in the CLI of Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an authenticated, local attacker to access the shell of the underlying Linux operating system on the affected device. The vulnerability is due to improper input validation in the affected software. An attacker could exploit this vulnerability by sending crafted commands to the affected device. An exploit could allow the attacker to gain shell access with a nonroot user account to the underlying Linux operating system on the affected device and potentially access system configuration files with sensitive information. This vulnerability only affects console connections from CIMC. It does not apply to remote connections, such as telnet or SSH.

Published Jan 24, 2019 · Updated Nov 21, 2024