CVE-2019-19649

CRITICAL

Zoho ManageEngine Applications Manager <13620 - SQL Injection

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-19649. PoCs published by eLeN3Re.

AI-analyzed exploit summary The repository provides a technical summary of CVE-2019-19649, a blind SQL injection vulnerability in Zoho ManageEngine Applications Manager before 13620. It describes the vulnerability in the SyncEventServlet's eventid parameter but lacks exploit code or in-depth technical analysis.

Description

Zoho ManageEngine Applications Manager before 13620 allows a remote unauthenticated SQL injection via the SyncEventServlet eventid parameter to the SyncEventServlet.java doGet function.

Exploits (1)

gitlab WRITEUP
by eLeN3Re · poc
https://gitlab.com/eLeN3Re/CVE-2019-19649

The repository provides a technical summary of CVE-2019-19649, a blind SQL injection vulnerability in Zoho ManageEngine Applications Manager before 13620. It describes the vulnerability in the SyncEventServlet's eventid parameter but lacks exploit code or in-depth technical analysis.

Classification
Writeup 80%
Attack Type
Sqli
Complexity
Moderate
Reliability
Theoretical
Target: Zoho ManageEngine Applications Manager before 13620
No auth needed
Prerequisites: Network access to the target application
devstral-2 · analyzed Feb 23, 2026 Full analysis →

References (2)

Core 2
Core References
Release Notes, Vendor Advisory x_refsource_confirm
https://www.manageengine.com/products/applications_manager/release-notes.html
Third Party Advisory x_refsource_misc
https://gitlab.com/eLeN3Re/CVE-2019-19649

Scores

CVSS v3 9.8
EPSS 0.0951
EPSS Percentile 94.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-89
Status published
Products (1)
zohocorp/manageengine_applications_manager < 13.7
Published Dec 11, 2019
Tracked Since Feb 18, 2026