Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-ax8a-z9s4-e3dk
Vulnerability ID VCID-ax8a-z9s4-e3dk
Aliases CVE-2019-9794
Summary A vulnerability was discovered where specific command line arguments are not properly discarded during Firefox invocation as a shell handler for URLs. This could be used to retrieve and execute files whose location is supplied through these command line arguments if Firefox is configured as the default URI handler for a given URI scheme in third party applications and these applications insufficiently sanitize URL data. *Note: This issue only affects Windows operating systems. Other operating systems are unaffected.*
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (1)
CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
System Score Found at
cvssv3 9.8 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-9794.json
epss 0.00419 https://api.first.org/data/v1/epss?cve=CVE-2019-9794
epss 0.00419 https://api.first.org/data/v1/epss?cve=CVE-2019-9794
epss 0.00419 https://api.first.org/data/v1/epss?cve=CVE-2019-9794
epss 0.00419 https://api.first.org/data/v1/epss?cve=CVE-2019-9794
epss 0.00419 https://api.first.org/data/v1/epss?cve=CVE-2019-9794
epss 0.00419 https://api.first.org/data/v1/epss?cve=CVE-2019-9794
epss 0.00419 https://api.first.org/data/v1/epss?cve=CVE-2019-9794
epss 0.00419 https://api.first.org/data/v1/epss?cve=CVE-2019-9794
epss 0.00419 https://api.first.org/data/v1/epss?cve=CVE-2019-9794
epss 0.00419 https://api.first.org/data/v1/epss?cve=CVE-2019-9794
epss 0.00419 https://api.first.org/data/v1/epss?cve=CVE-2019-9794
cvssv3 5 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
generic_textual critical https://www.mozilla.org/en-US/security/advisories/mfsa2019-07
generic_textual critical https://www.mozilla.org/en-US/security/advisories/mfsa2019-08
generic_textual critical https://www.mozilla.org/en-US/security/advisories/mfsa2019-11
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-9794.json
https://api.first.org/data/v1/epss?cve=CVE-2019-9794
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
1690679 https://bugzilla.redhat.com/show_bug.cgi?id=1690679
mfsa2019-07 https://www.mozilla.org/en-US/security/advisories/mfsa2019-07
mfsa2019-08 https://www.mozilla.org/en-US/security/advisories/mfsa2019-08
mfsa2019-11 https://www.mozilla.org/en-US/security/advisories/mfsa2019-11
No exploits are available.
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-9794.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.6173
EPSS Score 0.00419
Published At April 1, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T13:17:18.114321+00:00 Mozilla Importer Import https://github.com/mozilla/foundation-security-advisories/blob/master/announce/2019/mfsa2019-07.yml 38.0.0