VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-9dp4-8238-63a7

Essentials
Severities (14)
References (7)
Severity details (11)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-9dp4-8238-63a7
Aliases	CVE-2019-1051 GHSA-fxrx-5j36-pwg5
Summary	Chakra Scripting Engine RCE via Out-of-bounds write A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge (HTML-based). The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge (HTML-based) and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability. The security update addresses the vulnerability by modifying how the Chakra scripting engine handles objects in memory.
Status	Published
Exploitability	0.5
Weighted Severity	8.0
Risk	4.0
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-787	Out-of-bounds Write
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
epss	0.13818	https://api.first.org/data/v1/epss?cve=CVE-2019-1051
epss	0.13818	https://api.first.org/data/v1/epss?cve=CVE-2019-1051
epss	0.17679	https://api.first.org/data/v1/epss?cve=CVE-2019-1051
cvssv3.1_qr	HIGH	https://github.com/advisories/GHSA-fxrx-5j36-pwg5
cvssv3.1	7.5	https://github.com/chakra-core/ChakraCore/commit/3d6226cc2d1077537220361c82e34a362c6c76ee
generic_textual	HIGH	https://github.com/chakra-core/ChakraCore/commit/3d6226cc2d1077537220361c82e34a362c6c76ee
cvssv3.1	7.5	https://github.com/chakra-core/ChakraCore/commit/846e508ea0862846e89ef41e87ecfb73a75ac130
generic_textual	HIGH	https://github.com/chakra-core/ChakraCore/commit/846e508ea0862846e89ef41e87ecfb73a75ac130
cvssv3.1	7.5	https://msrc.microsoft.com/update-guide/vulnerability/CVE-2019-1051
generic_textual	HIGH	https://msrc.microsoft.com/update-guide/vulnerability/CVE-2019-1051
cvssv3.1	7.5	https://nvd.nist.gov/vuln/detail/CVE-2019-1051
generic_textual	HIGH	https://nvd.nist.gov/vuln/detail/CVE-2019-1051
cvssv3.1	7.5	https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1051
generic_textual	HIGH	https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1051

Reference id	Reference type	URL
		https://api.first.org/data/v1/epss?cve=CVE-2019-1051
		https://github.com/chakra-core/ChakraCore/commit/3d6226cc2d1077537220361c82e34a362c6c76ee
		https://github.com/chakra-core/ChakraCore/commit/846e508ea0862846e89ef41e87ecfb73a75ac130
		https://msrc.microsoft.com/update-guide/vulnerability/CVE-2019-1051
		https://nvd.nist.gov/vuln/detail/CVE-2019-1051
		https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1051
GHSA-fxrx-5j36-pwg5		https://github.com/advisories/GHSA-fxrx-5j36-pwg5

No exploits are available.

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/chakra-core/ChakraCore/commit/3d6226cc2d1077537220361c82e34a362c6c76ee

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/chakra-core/ChakraCore/commit/846e508ea0862846e89ef41e87ecfb73a75ac130

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2019-1051

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2019-1051

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1051

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.94422
EPSS Score	0.13818
Published At	June 4, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-06-04T18:04:56.842273+00:00	GithubOSV Importer	Import	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-fxrx-5j36-pwg5/GHSA-fxrx-5j36-pwg5.json	38.6.0