LiveActive security incident?Get immediate response
CVE archive

March 2019

Browse CVE records published in March 2019, with severity, affected products, CWE, KEV, and source-backed vulnerability context.

Showing 50 of 1600 matching CVEs · Page 2 of 32.

High · CVSS 8.6

CVE-2019-25603: TuneClone 2.20 Structured Exception Handler Buffer Overflow

TuneClone 2.20 contains a structured exception handler (SEH) buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying a malicious license code string. Attackers can craft a payload with a controlled buffer, NSEH jump instruction, and SEH handler address pointing to a ROP gadget, then paste it into the license code field to trigger code execution and establish a bind shell.

Published Mar 22, 2026 · Updated Mar 25, 2026

Medium · CVSS 6.9

CVE-2019-25597: NSauditor 3.1.2.0 Denial of Service via Community Field

NSauditor 3.1.2.0 contains a buffer overflow vulnerability in the SNMP Auditor Community field that allows local attackers to crash the application by supplying an excessively long string. Attackers can paste a large payload into the Community field and trigger the Walk function to cause a denial of service condition.

Published Mar 22, 2026 · Updated Mar 25, 2026

High · CVSS 8.8

CVE-2019-25636: Zeeways Jobsite CMS Lastest SQL Injection via id Parameter

Zeeways Jobsite CMS contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'id' GET parameter. Attackers can send crafted requests to news_details.php, jobs_details.php, or job_cmp_details.php with malicious 'id' values using GROUP BY and CASE statements to extract sensitive database information.

Published Mar 24, 2026 · Updated Mar 24, 2026

High · CVSS 8.8

CVE-2019-25642: Bootstrapy CMS Lastest Multiple SQL Injection via Forum and Contact Modules

Bootstrapy CMS contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through POST parameters. Attackers can inject SQL payloads into the thread_id parameter of forum-thread.php, the subject parameter of contact-submit.php, the post-id parameter of post-new-submit.php, and the thread-id parameter to extract sensitive database information or cause denial of service.

Published Mar 24, 2026 · Updated Mar 24, 2026

Medium · CVSS 6.8

CVE-2019-25564: PCHelpWareV2 1.0.0.5 Denial of Service via Group Field

PCHelpWareV2 1.0.0.5 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the Group field. Attackers can paste a buffer overflow payload into the Group property field and click Ok to trigger an application crash.

Published Mar 21, 2026 · Updated Mar 24, 2026

Medium · CVSS 6.8

CVE-2019-25570: RealTerm Serial Terminal 2.0.0.70 Denial of Service via Port Field

RealTerm Serial Terminal 2.0.0.70 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the Port field. Attackers can paste a buffer of 1000 characters into the Port input field and click the open button to trigger a crash.

Published Mar 21, 2026 · Updated Mar 24, 2026

High · CVSS 8.8

CVE-2019-25576: Kepler Wallpaper Script 1.1 SQL Injection via category

Kepler Wallpaper Script 1.1 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code into the category parameter. Attackers can send GET requests to the category endpoint with URL-encoded SQL UNION statements to extract database information including usernames, database names, and MySQL version details.

Published Mar 21, 2026 · Updated Mar 24, 2026

High · CVSS 7.1

CVE-2019-25582: i-doit CMDB 1.12 Arbitrary File Download via file_manager Parameter

i-doit CMDB 1.12 contains an arbitrary file download vulnerability that allows authenticated attackers to download sensitive files by manipulating the file parameter in index.php. Attackers can send GET requests to index.php with file_manager=image and supply arbitrary file paths like src/config.inc.php to retrieve configuration files and sensitive system data.

Published Mar 21, 2026 · Updated Mar 24, 2026

Medium · CVSS 6.9

CVE-2019-25588: BulletProof FTP Server 2019.0.0.50 Denial of Service via DNS Address

BulletProof FTP Server 2019.0.0.50 contains a denial of service vulnerability in the DNS Address field that allows local attackers to crash the application by supplying an excessively long string. Attackers can enable the DNS Address option in the Firewall settings and paste a buffer of 700 bytes to trigger a crash when the Test function is invoked.

Published Mar 22, 2026 · Updated Mar 24, 2026

Medium · CVSS 6.9

CVE-2019-25594: ASPRunner.NET 10.1 Denial of Service via Table Name Field

ASPRunner.NET 10.1 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the table name field. Attackers can input a buffer of 10000 characters in the table name parameter during database table creation to trigger an application crash.

Published Mar 22, 2026 · Updated Mar 24, 2026

High · CVSS 7.1

CVE-2019-25600: UltraVNC Viewer 1.2.2.4 Denial of Service via Buffer Overflow

UltraVNC Viewer 1.2.2.4 contains a denial of service vulnerability that allows attackers to crash the application by supplying an oversized string to the VNC Server input field. Attackers can paste a malicious string containing 256 repeated characters into the VNC Server field and click Connect to trigger a buffer overflow that crashes the viewer.

Published Mar 22, 2026 · Updated Mar 24, 2026

Medium · CVSS 6.8

CVE-2019-25606: Fast AVI MPEG Joiner 1.2.0812 Buffer Overflow Denial of Service

Fast AVI MPEG Joiner 1.2.0812 contains a buffer overflow vulnerability that allows local attackers to crash the application by supplying an oversized payload in the License Name field. Attackers can create a malicious text file containing 6000 bytes of data and paste it into the License Name input field to trigger a denial of service condition when the Register button is clicked.

Published Mar 22, 2026 · Updated Mar 24, 2026

High · CVSS 8.5

CVE-2019-25612: Admin Express 1.2.5.485 Local SEH Buffer Overflow via Folder Path

Admin Express 1.2.5.485 contains a local structured exception handling buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying an alphanumeric encoded payload in the Folder Path field. Attackers can trigger the vulnerability through the System Compare feature by pasting a crafted buffer overflow payload into the left-hand side Folder Path field and clicking the scale icon to execute shellcode with application privileges.

Published Mar 22, 2026 · Updated Mar 24, 2026

Medium · CVSS 6.9

CVE-2019-25618: AdminExpress 1.2.5 Denial of Service via System Compare

AdminExpress 1.2.5 contains a denial of service vulnerability that allows local attackers to crash the application by submitting oversized input through the System Compare feature. Attackers can paste a large buffer of characters into the Folder Path field and trigger the comparison function to cause the application to become unresponsive or crash.

Published Mar 22, 2026 · Updated Mar 24, 2026

Medium · CVSS 6.9

CVE-2019-25624: Liquid Studio 2.17 Denial of Service via Malformed Input

Liquid Studio 2.17 contains a denial of service vulnerability that allows local attackers to crash the application by providing malformed input through the keyboard interface. Attackers can trigger the vulnerability by entering arbitrary characters during application runtime, causing the application to become unresponsive or terminate abnormally.

Published Mar 23, 2026 · Updated Mar 24, 2026

High · CVSS 8.6

CVE-2019-25629: AIDA64 Extreme 5.99.4900 SEH Buffer Overflow via Logging

AIDA64 Extreme 5.99.4900 contains a structured exception handler buffer overflow vulnerability in the logging functionality that allows local attackers to execute arbitrary code by supplying a malicious CSV log file path. Attackers can inject shellcode through the Hardware Monitoring logging preferences to overflow the buffer and trigger code execution when the application processes the log file path.

Published Mar 24, 2026 · Updated Mar 24, 2026

High · CVSS 8.8

CVE-2019-25635: Zeeways Matrimony CMS Lastest SQL Injection via profile_list

Zeeways Matrimony CMS contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to manipulate database queries through the profile_list endpoint. Attackers can inject SQL code via the up_cast, s_mother, and s_religion parameters to extract sensitive database information using time-based or error-based techniques.

Published Mar 24, 2026 · Updated Mar 24, 2026

High · CVSS 8.8

CVE-2019-25641: Netartmedia Vlog System Lastest SQL Injection via email Parameter

Netartmedia Vlog System contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the email parameter. Attackers can send POST requests to index.php with malicious email values in the forgotten_password module to extract sensitive database information.

Published Mar 24, 2026 · Updated Mar 24, 2026

High · CVSS 8.8

CVE-2019-25647: PhreeBooks ERP 5.2.3 Remote Code Execution via Image Manager

PhreeBooks ERP 5.2.3 contains a remote code execution vulnerability in the image manager that allows authenticated attackers to upload and execute arbitrary PHP files by bypassing file extension controls. Attackers can upload malicious PHP files through the image manager endpoint and execute them to establish reverse shell connections and execute system commands.

Published Mar 24, 2026 · Updated Mar 24, 2026

Medium · CVSS 6.9

CVE-2019-25591: DNSS Domain Name Search Software 2.1.8 Denial of Service

DNSS Domain Name Search Software 2.1.8 contains a buffer overflow vulnerability in the registration code input field that allows local attackers to crash the application by submitting an excessively long string. Attackers can trigger a denial of service by pasting a malicious registration code containing 300 repeated characters into the Name/Key field via the Register menu option.

Published Mar 22, 2026 · Updated Mar 24, 2026

Medium · CVSS 6.9

CVE-2019-25544: Pidgin 2.13.0 Denial of Service via Malformed Username

Pidgin 2.13.0 contains a denial of service vulnerability that allows local attackers to crash the application by providing an excessively long username string during account creation. Attackers can input a buffer of 1000 characters in the username field and trigger a crash when joining a chat, causing the application to become unavailable.

Published Mar 21, 2026 · Updated Mar 24, 2026

Medium · CVSS 6.9

CVE-2019-25585: Deluge 1.3.15 Denial of Service via Webseeds Field

Deluge 1.3.15 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the Webseeds field. Attackers can paste a buffer of 5000 bytes into the Webseeds field during torrent creation to trigger an application crash.

Published Mar 22, 2026 · Updated Mar 24, 2026

High · CVSS 8.7

CVE-2019-25579: phpTransformer 2016.9 Directory Traversal via jQueryFileUpload

phpTransformer 2016.9 contains a directory traversal vulnerability that allows unauthenticated attackers to access arbitrary files by manipulating the path parameter. Attackers can send requests to the jQueryFileUploadmaster server endpoint with traversal sequences ../../../../../../ to list and retrieve files outside the intended directory.

Published Mar 21, 2026 · Updated Mar 24, 2026

High · CVSS 7.1

CVE-2019-25573: Green CMS 2.x SQL Injection via cat Parameter

Green CMS 2.x contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the cat parameter. Attackers can send GET requests to index.php with m=admin, c=posts, a=index parameters and inject SQL code in the cat parameter to manipulate database queries and extract sensitive information.

Published Mar 21, 2026 · Updated Mar 24, 2026

Medium · CVSS 6.9

CVE-2019-25567: Valentina Studio 9.0.5 Linux Buffer Overflow via Host Field

Valentina Studio 9.0.5 Linux contains a buffer overflow vulnerability in the Host field of the connection dialog that allows local attackers to crash the application by supplying an oversized input string. Attackers can trigger the vulnerability by pasting a crafted buffer exceeding 264 bytes into the Host field during server connection attempts, causing a denial of service.

Published Mar 21, 2026 · Updated Mar 24, 2026

Medium · CVSS 6.9

CVE-2019-25561: Lyric Maker 2.0.1.0 Denial of Service via Buffer Overflow

Lyric Maker 2.0.1.0 contains a buffer overflow vulnerability that allows local attackers to crash the application by supplying an excessively long string in the Title field. Attackers can paste a 5000-byte buffer into the Title input field and save the file to trigger a denial of service condition.

Published Mar 21, 2026 · Updated Mar 24, 2026

Medium · CVSS 6.9

CVE-2019-25555: TwistedBrush Pro Studio 24.06 Script Recorder Denial of Service

TwistedBrush Pro Studio 24.06 contains a denial of service vulnerability in the Script Recorder component that allows local attackers to crash the application by supplying an excessively large buffer. Attackers can paste a malicious string containing 500,000 characters into the Description field of the Script Recorder dialog to trigger an application crash.

Published Mar 21, 2026 · Updated Mar 24, 2026

Medium · CVSS 6.9

CVE-2019-25549: VeryPDF PCL Converter 2.7 Denial of Service via PDF Security

VeryPDF PCL Converter 2.7 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long password string. Attackers can trigger a buffer overflow by entering a 3000-byte password in the PDF Security encryption fields, causing the application to crash when processing PCL files.

Published Mar 21, 2026 · Updated Mar 24, 2026

Critical · CVSS 9.8

CVE-2019-25628: Download Accelerator Plus DAP 10.0.6.0 SEH Buffer Overflow

Download Accelerator Plus DAP 10.0.6.0 contains a structured exception handler buffer overflow vulnerability that allows remote attackers to execute arbitrary code by crafting malicious URLs. Attackers can create specially crafted URLs with overflowing buffer data that overwrites SEH pointers and executes embedded shellcode when imported through the application's web page import functionality.

Published Mar 24, 2026 · Updated Mar 24, 2026

High · CVSS 8.6

CVE-2019-25634: Base64 Decoder 1.1.2 Local Buffer Overflow SEH Egghunter

Base64 Decoder 1.1.2 contains a stack-based buffer overflow vulnerability that allows local attackers to execute arbitrary code by triggering a structured exception handler (SEH) overwrite. Attackers can craft a malicious input file that overflows a buffer, overwrites the SEH chain with a POP-POP-RET gadget address, and uses an egghunter payload to locate and execute shellcode for code execution.

Published Mar 24, 2026 · Updated Mar 24, 2026

High · CVSS 8.8

CVE-2019-25640: Inout Article Base CMS Lastest SQL Injection via portalLogin.php

Inout Article Base CMS contains SQL injection vulnerabilities that allow unauthenticated attackers to manipulate database queries through the 'p' and 'u' parameters. Attackers can inject SQL code using XOR-based payloads in GET requests to portalLogin.php to extract sensitive database information or cause denial of service through time-based attacks.

Published Mar 24, 2026 · Updated Mar 24, 2026

Critical · CVSS 9.8

CVE-2019-25646: Tabs Mail Carrier 2.5.1 Buffer Overflow via MAIL FROM

Tabs Mail Carrier 2.5.1 contains a buffer overflow vulnerability in the MAIL FROM SMTP command that allows remote attackers to execute arbitrary code by sending a crafted MAIL FROM parameter. Attackers can connect to the SMTP service on port 25 and send a malicious MAIL FROM command with an oversized buffer to overwrite the EIP register and execute a bind shell payload.

Published Mar 24, 2026 · Updated Mar 24, 2026

High · CVSS 8.6

CVE-2019-25631: AIDA64 Business 5.99.4900 SEH Buffer Overflow via EggHunter

AIDA64 Business 5.99.4900 contains a structured exception handling buffer overflow vulnerability that allows local attackers to execute arbitrary code by overwriting SEH pointers with malicious shellcode. Attackers can inject egg hunter shellcode through the SMTP display name field in preferences or report wizard functionality to trigger the overflow and execute code with application privileges.

Published Mar 24, 2026 · Updated Mar 24, 2026

High · CVSS 8.6

CVE-2019-25637: X-NetStat Pro 5.63 Local Buffer Overflow via EggHunter

X-NetStat Pro 5.63 contains a local buffer overflow vulnerability that allows local attackers to execute arbitrary code by overwriting the EIP register through a 264-byte buffer overflow. Attackers can inject shellcode into memory and use an egg hunter technique to locate and execute the payload when the application processes malicious input through HTTP Client or Rules functionality.

Published Mar 24, 2026 · Updated Mar 24, 2026

High · CVSS 8.8

CVE-2019-25643: eNdonesia Portal v8.7 SQL Injection via banners.php

eNdonesia Portal v8.7 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the bid parameter. Attackers can send GET requests to banners.php with crafted SQL payloads in the bid parameter to extract sensitive database information from the INFORMATION_SCHEMA tables.

Published Mar 24, 2026 · Updated Mar 24, 2026

High · CVSS 8.6

CVE-2019-25627: FlexHEX 2.71 Local Buffer Overflow via SEH Unicode

FlexHEX 2.71 contains a local buffer overflow vulnerability in the Stream Name field that allows local attackers to execute arbitrary code by triggering a structured exception handler (SEH) overflow. Attackers can craft a malicious text file with carefully aligned shellcode and SEH chain pointers, paste the contents into the Stream Name dialog, and execute arbitrary commands like calc.exe when the exception handler is triggered.

Published Mar 24, 2026 · Updated Mar 24, 2026

High · CVSS 8.6

CVE-2019-25633: AIDA64 Extreme 5.99.4900 SEH Buffer Overflow via EggHunter

AIDA64 Extreme 5.99.4900 contains a structured exception handling buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying malicious input through the email preferences and report wizard interfaces. Attackers can inject crafted payloads into the Display name field and Load from file parameter to trigger the overflow and execute shellcode with application privileges.

Published Mar 24, 2026 · Updated Mar 24, 2026

High · CVSS 8.8

CVE-2019-25639: Matrimony Website Script M-Plus Multiple SQL Injection

Matrimony Website Script M-Plus contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to manipulate database queries by injecting SQL code through various POST parameters. Attackers can inject malicious SQL payloads into parameters like txtGender, religion, Fage, and cboCountry across simplesearch_results.php, advsearch_results.php, specialcase_results.php, locational_results.php, and registration2.php to extract sensitive database information or execute arbitrary SQL commands.

Published Mar 24, 2026 · Updated Mar 24, 2026

Medium · CVSS 6.9

CVE-2019-25645: WinAVI iPod 3GP MP4 PSP Converter 4.4.2 Denial of Service

WinAVI iPod/3GP/MP4/PSP Converter 4.4.2 contains a denial of service vulnerability that allows local attackers to crash the application by processing malformed AVI files. Attackers can create a specially crafted AVI file with an oversized buffer and load it through the Convert to iPhone function to trigger an application crash.

Published Mar 24, 2026 · Updated Mar 24, 2026

Medium · CVSS 6.9

CVE-2019-25545: Terminal Services Manager 3.2.1 Local Buffer Overflow Denial of Service

Terminal Services Manager 3.2.1 contains a local buffer overflow vulnerability that allows attackers to crash the application by supplying an excessively long string in the computer name field. Attackers can input a 5000-byte buffer of data into the 'Computer name or IP address' field during computer addition, causing a denial of service when the server entry is accessed.

Published Mar 21, 2026 · Updated Mar 23, 2026

Medium · CVSS 6.9

CVE-2019-25551: Sandboxie 5.30 Denial of Service via Program Alerts Buffer Overflow

Sandboxie 5.30 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the Program Alerts configuration field. Attackers can paste a buffer of 5000 characters into the 'Select or enter a program' field during program alert configuration to trigger an application crash.

Published Mar 21, 2026 · Updated Mar 23, 2026

Medium · CVSS 6.9

CVE-2019-25557: TwistedBrush Pro Studio 24.06 Denial of Service via srp File

TwistedBrush Pro Studio 24.06 contains a denial of service vulnerability that allows local attackers to crash the application by importing a malformed .srp script file. Attackers can create a .srp file containing an excessively large buffer and import it through the Script Player interface to trigger an application crash.

Published Mar 21, 2026 · Updated Mar 23, 2026

Medium · CVSS 6.9

CVE-2019-25563: PCHelpWareV2 1.0.0.5 Denial of Service via SC Creation

PCHelpWareV2 1.0.0.5 contains a denial of service vulnerability that allows local attackers to crash the application by supplying a malformed image file. Attackers can trigger the vulnerability through the Create SC feature by selecting a crafted BMP file with an oversized buffer, causing the application to crash.

Published Mar 21, 2026 · Updated Mar 23, 2026

Medium · CVSS 6.9

CVE-2019-25569: RealTerm Serial Terminal 2.0.0.70 SEH Overflow Crash

RealTerm Serial Terminal 2.0.0.70 contains a stack-based buffer overflow vulnerability in the Echo Port field that allows local attackers to crash the application by triggering a structured exception handler (SEH) chain corruption. Attackers can craft a malicious input string with 268 bytes of padding followed by SEH overwrite values and paste it into the Port field to cause denial of service.

Published Mar 21, 2026 · Updated Mar 23, 2026

High · CVSS 8.8

CVE-2019-25575: SimplePress CMS 1.0.7 SQL Injection via p and s Parameters

SimplePress CMS 1.0.7 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'p' and 's' parameters. Attackers can send GET requests with crafted SQL payloads to extract sensitive database information including usernames, database names, and version details.

Published Mar 21, 2026 · Updated Mar 23, 2026

High · CVSS 8.8

CVE-2019-25581: i-doit CMDB 1.12 SQL Injection via objGroupID Parameter

i-doit CMDB 1.12 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the objGroupID parameter. Attackers can send GET requests with crafted SQL payloads in the objGroupID parameter to extract sensitive database information including usernames, database names, and version details.

Published Mar 21, 2026 · Updated Mar 23, 2026

Medium · CVSS 6.9

CVE-2019-25587: BulletProof FTP Server 2019.0.0.50 Storage-Path Denial of Service

BulletProof FTP Server 2019.0.0.50 contains a denial of service vulnerability in the Storage-Path configuration parameter that allows local attackers to crash the application by supplying an excessively long string value. Attackers can enable the Override Storage-Path setting and paste a buffer of 500 bytes or more to trigger an application crash when saving the configuration.

Published Mar 22, 2026 · Updated Mar 23, 2026

Medium · CVSS 6.8

CVE-2019-25593: jetCast Server 2.0 Denial of Service via Log Directory

jetCast Server 2.0 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the Log directory configuration field. Attackers can paste a buffer of 5000 characters into the Log directory input, then click Start to trigger a crash that terminates the server process.

Published Mar 22, 2026 · Updated Mar 23, 2026

Medium · CVSS 6.9

CVE-2019-25599: Backup Key Recovery 2.2.4 Denial of Service via Name Field

Backup Key Recovery 2.2.4 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the Name field. Attackers can paste a buffer of 300 or more characters into the Name field during registration to trigger a crash when submitting the form.

Published Mar 22, 2026 · Updated Mar 23, 2026

High · CVSS 8.7

CVE-2019-25605: EquityPandit 1.0 Insecure Logging Information Disclosure

EquityPandit 1.0 contains an insecure logging vulnerability that allows attackers to capture sensitive user credentials by accessing developer console logs via Android Debug Bridge. Attackers can use adb logcat to extract plaintext passwords logged during the forgot password function, exposing user account credentials.

Published Mar 22, 2026 · Updated Mar 23, 2026