CVE-2018-19499
HIGHVanilla < 2.5.5 and 2.6.x < 2.6.2 - Authenticated Remote Code Execution via Unserialize in Gdn_Format
Title source: llmDescription
Vanilla before 2.5.5 and 2.6.x before 2.6.2 allows Remote Code Execution because authenticated administrators have a reachable call to unserialize in the Gdn_Format class.
References (1)
Core 1
Core References
Third Party Advisory x_refsource_misc
https://hackerone.com/reports/407552
Scores
CVSS v3
7.2
EPSS
0.0202
EPSS Percentile
78.5%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-502
Status
published
Products (1)
vanillaforums/vanilla
< 2.5.5
Published
Nov 23, 2018
Tracked Since
Feb 18, 2026