CVE-2018-19499
HIGH
Vanilla <2.5.5, <2.6 - RCE
Title source: llm
Description
Vanilla before 2.5.5 and 2.6.x before 2.6.2 allows Remote Code Execution because authenticated administrators have a reachable call to unserialize in the Gdn_Format class.
References (1)
Scores
CVSS v3: 7.2
EPSS: 0.0231
EPSS Percentile: 84.6%
Attack Vector: NETWORK
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Classification
CWE: CWE-502
Status: published
Affected Products (1)
vanillaforums/vanilla < 2.5.5
Timeline
Published: Nov 23, 2018
Tracked Since: Feb 18, 2026