CVE-2019-10219

MEDIUM

Hibernate Validator < 6.0.18 - Cross-Site Scripting via SafeHtml Validator Annotation

Title source: llm

Exploitation Summary

EIP tracks 4 public exploits for CVE-2019-10219. PoCs published by dawetmaster, andikahilmy, shoucheng3.

AI-analyzed exploit summary: none of the four tracked repositories contains a working exploit or a vulnerability analysis. Each is a snapshot of the Hibernate Validator source tree at one release (6.0.17.Final, 6.0.18.Final or 6.1.0.Final), including the annotation processor and constraint checks; they serve as before/after references for the fix, not as PoCs.

Description

A vulnerability was found in Hibernate Validator. The @SafeHtml constraint validator fails to properly sanitize payloads consisting of potentially malicious code inside HTML comments and instructions, so input that should be rejected can pass validation and reach a rendered page unsanitized. This can result in a cross-site scripting (XSS) attack. The fix shipped in Hibernate Validator 6.0.18.Final and 6.1.0.Final; note that @SafeHtml was deprecated in 6.1 and removed in 7.0, so the durable mitigation is to sanitize HTML with a dedicated sanitizer library rather than relying on the constraint alone.
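The quickest way to tell whether a particular build is affected is to push a few inputs through @SafeHtml and compare the outcome across versions. The harness below is an added example, not code from this page or from the Hibernate Validator project. It assumes hibernate-validator 6.0.x, jsoup and the javax.validation API on the classpath; the class name SafeHtmlProbe, the UserComment bean and the four input strings are constructed for illustration and are not exploit strings taken from the CVE.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

import javax.validation.ConstraintViolation;
import javax.validation.Validation;
import javax.validation.Validator;

import org.hibernate.validator.constraints.SafeHtml;
import org.hibernate.validator.messageinterpolation.ParameterMessageInterpolator;

/**
 * Added example (not from the page or the Hibernate Validator project).
 * Runs constructed inputs through @SafeHtml so the behaviour of the
 * hibernate-validator build on the classpath can be compared before and
 * after 6.0.18.Final. Assumes hibernate-validator 6.0.x, jsoup and the
 * javax.validation API are on the classpath; the bean, field and input
 * strings below are constructed for illustration, not taken from the CVE.
 */
public class SafeHtmlProbe {

    /** Bean under test: a single field guarded by @SafeHtml with the BASIC whitelist. */
    static class UserComment {
        @SafeHtml(whitelistType = SafeHtml.WhiteListType.BASIC)
        final String body;

        UserComment(String body) {
            this.body = body;
        }
    }

    // ParameterMessageInterpolator avoids needing an EL implementation for this probe.
    private static final Validator VALIDATOR = Validation.byDefaultProvider()
            .configure()
            .messageInterpolator(new ParameterMessageInterpolator())
            .buildValidatorFactory()
            .getValidator();

    /** Returns true when the validator accepts the input as safe HTML. */
    static boolean accepted(String html) {
        Set<ConstraintViolation<UserComment>> violations = VALIDATOR.validate(new UserComment(html));
        return violations.isEmpty();
    }

    public static void main(String[] args) {
        // Constructed inputs: a benign fragment, an obvious script tag, and two
        // fragments that carry markup inside a comment and a processing instruction,
        // the node types the advisory says the affected validator did not sanitize.
        Map<String, String> inputs = new LinkedHashMap<>();
        inputs.put("benign markup", "<p>hello <b>world</b></p>");
        inputs.put("plain script tag", "<script>alert(1)</script>");
        inputs.put("script inside HTML comment", "<!-- <script>alert(1)</script> --><p>x</p>");
        inputs.put("processing instruction", "<?xml version=\"1.0\"?><p>x</p>");

        // Implementation version from the jar manifest (null if the manifest carries none).
        System.out.println("hibernate-validator build: "
                + SafeHtml.class.getPackage().getImplementationVersion());
        for (Map.Entry<String, String> e : inputs.entrySet()) {
            System.out.printf("%-30s %s%n", e.getKey(),
                    accepted(e.getValue()) ? "ACCEPTED" : "REJECTED");
        }
    }
}
```

Run it once with 6.0.17.Final and once with 6.0.18.Final on the classpath. The benign fragment should be accepted and the bare script tag rejected by both; the comment and processing-instruction rows are where, per the description above, an affected build is expected to differ from a fixed one. Confirm on the build you actually ship rather than trusting a version string in a dependency tree.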

Exploits (4)

nomisec WRITEUP
by dawetmaster · poc
https://github.com/dawetmaster/CVE-2019-10219-hibernate-validator-vulnerable

This repository contains the source code for Hibernate Validator 6.1.0.Final, which the repository labels as vulnerable to CVE-2019-10219; upstream, however, ships the fix in 6.0.18.Final and 6.1.0.Final, so treat this snapshot as a reference copy rather than a reproducer. The code includes the annotation processor and related checks, but no exploit PoC or detailed analysis of the vulnerability itself.

Classification
Writeup 90%
Attack Type
Other
Complexity
Moderate
Reliability
Theoretical
Target: Hibernate Validator 6.1.0.Final
No auth needed
Prerequisites: Java environment · Hibernate Validator 6.1.0.Final
devstral-2 · analyzed Mar 14, 2026
nomisec WRITEUP
by andikahilmy · poc
https://github.com/andikahilmy/CVE-2019-10219-hibernate-validator-vulnerable

This repository contains the source code for Hibernate Validator 6.1.0.Final, which the repository labels as vulnerable to CVE-2019-10219; upstream ships the fix in 6.0.18.Final and 6.1.0.Final, so this is a reference copy rather than a reproducer. The repository includes build configurations, contributing guidelines and the full codebase but no explicit exploit or PoC.

Classification
Writeup 90%
Attack Type
Other
Complexity
Moderate
Reliability
Theoretical
Target: Hibernate Validator 6.1.0.Final
No auth needed
Prerequisites: Access to a vulnerable Hibernate Validator instance
devstral-2 · analyzed Feb 18, 2026
nomisec WRITEUP
by shoucheng3 · poc
https://github.com/shoucheng3/hibernate__hibernate-validator_CVE-2019-10219_6_0_18_Final_fixed

This repository contains the source code for Hibernate Validator 6.0.18.Final, which includes the fix for CVE-2019-10219. The repository provides documentation, contribution guidelines, and the patched code but does not include an exploit PoC or detailed vulnerability analysis.

Classification
Writeup 90%
Attack Type
Other
Complexity
Moderate
Reliability
Theoretical
Target: Hibernate Validator 6.0.18.Final
No auth needed
Prerequisites: Access to a vulnerable Hibernate Validator instance
devstral-2 · analyzed Feb 18, 2026
nomisec WRITEUP
by shoucheng3 · poc
https://github.com/shoucheng3/hibernate__hibernate-validator_CVE-2019-10219_6-0-17-Final

This repository contains the source code for Hibernate Validator 6.0.17.Final, the last 6.0.x release before the fix for CVE-2019-10219 and the reference implementation of JSR-380 (Bean Validation 2.0). The repository includes documentation, build configurations and source files but no functional exploit or proof-of-concept code for CVE-2019-10219.

Classification
Writeup 90%
Attack Type
Other
Complexity
Moderate
Reliability
Theoretical
Target: Hibernate Validator 6.0.17.Final
No auth needed
Prerequisites: Access to the vulnerable Hibernate Validator version
devstral-2 · analyzed Feb 18, 2026

References (19)

Core References
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2020:0164
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2020:0159
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2020:0160
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2020:0161
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2020:0445
Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpujan2022.html
Issue Tracking, Third Party Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10219
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20220210-0024/

Scores

CVSS v3 6.1
EPSS 0.0167
EPSS Percentile 82.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (48)
netapp/active_iq_unified_manager (3 CPE variants)
netapp/element
netapp/management_services_for_element_software_and_netapp_hci
netapp/snapcenter_plug-in
oracle/access_manager 11.1.2.3.0
oracle/access_manager 12.2.1.3.0
oracle/access_manager 12.2.1.4.0
oracle/agile_engineering_data_management 6.2.1.0
oracle/agile_plm 9.3.3
oracle/agile_plm 9.3.6
... and 38 more
Published Nov 08, 2019
Tracked Since Feb 18, 2026