{"url":"http://public2.vulnerablecode.io/api/packages/422643?format=json","purl":"pkg:apk/alpine/ffmpeg4@4.1.3-r0?arch=x86_64&distroversion=v3.20&reponame=community","type":"apk","namespace":"alpine","name":"ffmpeg4","version":"4.1.3-r0","qualifiers":{"arch":"x86_64","distroversion":"v3.20","reponame":"community"},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":"4.1.4-r0","latest_non_vulnerable_version":"4.4.1-r0","affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/67626?format=json","vulnerability_id":"VCID-1sbx-ymxy-sua5","summary":"In FFmpeg 3.2 and 4.1, a denial of service in the subtitle decoder allows attackers to hog the CPU via a crafted video file in Matroska format, because ff_htmlmarkup_to_ass in libavcodec/htmlsubtitles.c has a complex format argument to sscanf.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-9718.json","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-9718.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-9718","reference_id":"","reference_type":"","scores":[{"value":"0.01585","scoring_system":"epss","scoring_elements":"0.81938","published_at":"2026-06-04T12:55:00Z"},{"value":"0.01585","scoring_system":"epss","scoring_elements":"0.81973","published_at":"2026-06-06T12:55:00Z"},{"value":"0.01585","scoring_system":"epss","scoring_elements":"0.81982","published_at":"2026-06-09T12:55:00Z"},{"value":"0.01585","scoring_system":"epss","scoring_elements":"0.81974","published_at":"2026-06-07T12:55:00Z"},{"value":"0.01585","scoring_system":"epss","scoring_elements":"0.81967","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-9718"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15822","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15822"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1999011","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1999011"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11338","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11338"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12730","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12730"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9718","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9718"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1708097","reference_id":"1708097","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1708097"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926666","reference_id":"926666","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926666"},{"reference_url":"https://usn.ubuntu.com/3967-1/","reference_id":"USN-3967-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/3967-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/422643?format=json","purl":"pkg:apk/alpine/ffmpeg4@4.1.3-r0?arch=x86_64&distroversion=v3.20&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/ffmpeg4@4.1.3-r0%3Farch=x86_64&distroversion=v3.20&reponame=community"}],"aliases":["CVE-2019-9718"],"risk_score":1.9,"exploitability":"0.5","weighted_severity":"3.9","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1sbx-ymxy-sua5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/67627?format=json","vulnerability_id":"VCID-74fa-q3yc-6yac","summary":"A denial of service in the subtitle decoder in FFmpeg 3.2 and 4.1 allows attackers to hog the CPU via a crafted video file in Matroska format, because handle_open_brace in libavcodec/htmlsubtitles.c has a complex format argument to sscanf.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-9721.json","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-9721.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-9721","reference_id":"","reference_type":"","scores":[{"value":"0.00498","scoring_system":"epss","scoring_elements":"0.66226","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00498","scoring_system":"epss","scoring_elements":"0.66277","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00498","scoring_system":"epss","scoring_elements":"0.66286","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00498","scoring_system":"epss","scoring_elements":"0.66269","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00498","scoring_system":"epss","scoring_elements":"0.66256","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00498","scoring_system":"epss","scoring_elements":"0.66274","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-9721"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9721","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9721"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1708107","reference_id":"1708107","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1708107"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926666","reference_id":"926666","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926666"},{"reference_url":"https://usn.ubuntu.com/3967-1/","reference_id":"USN-3967-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/3967-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/422643?format=json","purl":"pkg:apk/alpine/ffmpeg4@4.1.3-r0?arch=x86_64&distroversion=v3.20&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/ffmpeg4@4.1.3-r0%3Farch=x86_64&distroversion=v3.20&reponame=community"}],"aliases":["CVE-2019-9721"],"risk_score":1.9,"exploitability":"0.5","weighted_severity":"3.9","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-74fa-q3yc-6yac"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/67619?format=json","vulnerability_id":"VCID-vbfr-4ks3-gkgj","summary":"The studio profile decoder in libavcodec/mpeg4videodec.c in FFmpeg 4.0 before 4.0.4 and 4.1 before 4.1.2 allows remote attackers to cause a denial of service (out-of-array access) or possibly have unspecified other impact via crafted MPEG-4 video data.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-11339","reference_id":"","reference_type":"","scores":[{"value":"0.00623","scoring_system":"epss","scoring_elements":"0.7053","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00623","scoring_system":"epss","scoring_elements":"0.70572","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00623","scoring_system":"epss","scoring_elements":"0.70582","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00623","scoring_system":"epss","scoring_elements":"0.70564","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00623","scoring_system":"epss","scoring_elements":"0.70552","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00623","scoring_system":"epss","scoring_elements":"0.70575","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-11339"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11339","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11339"},{"reference_url":"https://usn.ubuntu.com/3967-1/","reference_id":"USN-3967-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/3967-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/422643?format=json","purl":"pkg:apk/alpine/ffmpeg4@4.1.3-r0?arch=x86_64&distroversion=v3.20&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/ffmpeg4@4.1.3-r0%3Farch=x86_64&distroversion=v3.20&reponame=community"}],"aliases":["CVE-2019-11339"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vbfr-4ks3-gkgj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/67618?format=json","vulnerability_id":"VCID-xht5-9dks-bkhp","summary":"libavcodec/hevcdec.c in FFmpeg 3.4 and 4.1.2 mishandles detection of duplicate first slices, which allows remote attackers to cause a denial of service (NULL pointer dereference and out-of-array access) or possibly have unspecified other impact via crafted HEVC data.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-11338","reference_id":"","reference_type":"","scores":[{"value":"0.0194","scoring_system":"epss","scoring_elements":"0.83756","published_at":"2026-06-04T12:55:00Z"},{"value":"0.0194","scoring_system":"epss","scoring_elements":"0.8378","published_at":"2026-06-06T12:55:00Z"},{"value":"0.0194","scoring_system":"epss","scoring_elements":"0.83776","published_at":"2026-06-07T12:55:00Z"},{"value":"0.0194","scoring_system":"epss","scoring_elements":"0.83767","published_at":"2026-06-08T12:55:00Z"},{"value":"0.0194","scoring_system":"epss","scoring_elements":"0.83781","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-11338"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15822","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15822"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1999011","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1999011"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11338","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11338"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12730","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12730"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9718","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9718"},{"reference_url":"https://usn.ubuntu.com/3967-1/","reference_id":"USN-3967-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/3967-1/"},{"reference_url":"https://usn.ubuntu.com/4431-1/","reference_id":"USN-4431-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/4431-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/422643?format=json","purl":"pkg:apk/alpine/ffmpeg4@4.1.3-r0?arch=x86_64&distroversion=v3.20&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/ffmpeg4@4.1.3-r0%3Farch=x86_64&distroversion=v3.20&reponame=community"}],"aliases":["CVE-2019-11338"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xht5-9dks-bkhp"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/ffmpeg4@4.1.3-r0%3Farch=x86_64&distroversion=v3.20&reponame=community"}