CVE-2019-5678

HIGH

NVIDIA GeForce Experience < 3.19 - Code Execution via Web Helper Input Validation

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-5678. PoCs published by Rhino Security Labs.

AI-analyzed exploit summary: This HTML-based PoC exploits CVE-2019-5678, an OS command injection vulnerability in Nvidia GeForce Experience. It sends a crafted POST request to the local GFE server with a malicious payload (e.g., 'calc.exe') via a hidden input field, leveraging the 'X_LOCAL_SECURITY_COOKIE' header for authentication.

Description

NVIDIA GeForce Experience versions prior to 3.19 contain a vulnerability in the Web Helper component, in which an attacker with local system access can craft input that may not be properly validated. Such an attack may lead to code execution, denial of service, or information disclosure.

Exploits (1)

exploitdb WORKING POC
by Rhino Security Labs · html · local · windows
https://www.exploit-db.com/exploits/46972

Classification
Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Nvidia GeForce Experience (versions prior to patch)
Auth required
Prerequisites: Victim must have Nvidia GeForce Experience installed and running · Attacker must trick victim into opening the HTML file in a browser · Local GFE server must be accessible on the default port
devstral-2 · analyzed Feb 18, 2026

References (2)

Core References
Patch, Vendor Advisory x_refsource_confirm
https://nvidia.custhelp.com/app/answers/detail/a_id/4806

Scores

CVSS v3: 7.8
EPSS: 0.0036
EPSS Percentile: 58.6%
Attack Vector: LOCAL
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-20
Status: published
Products (1): nvidia/geforce_experience < 3.19
Published: May 31, 2019
Tracked Since: Feb 18, 2026