Vulnerability details: VCID-fw3t-sb1g-7ke4
Vulnerability ID VCID-fw3t-sb1g-7ke4
Aliases CVE-2019-6340
GHSA-3gx6-h57h-rm27
Summary Drupal Core Remote Code Execution Vulnerability Some field types do not properly sanitize data from non-form sources in Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10. This can lead to arbitrary PHP code execution in some cases. A site is only affected by this if one of the following conditions is met: The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests, or the site has another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7. (Note: The Drupal 7 Services module itself does not require an update at this time, but you should apply other contributed updates associated with this advisory if Services is in use.)
Status Published
Exploitability 2.0
Weighted Severity 8.0
Risk 10.0
Weaknesses (3)
System Score Found at
epss 0.94419 https://api.first.org/data/v1/epss?cve=CVE-2019-6340
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-3gx6-h57h-rm27
cvssv3.1 8.1 https://github.com/drupal/drupal
generic_textual HIGH https://github.com/drupal/drupal
cvssv3.1 8.1 https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2019-6340.yaml
generic_textual HIGH https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2019-6340.yaml
cvssv3.1 8.1 https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2019-6340.yaml
generic_textual HIGH https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2019-6340.yaml
cvssv2 6.8 https://nvd.nist.gov/vuln/detail/CVE-2019-6340
cvssv3.1 8.1 https://nvd.nist.gov/vuln/detail/CVE-2019-6340
cvssv3.1 8.1 https://nvd.nist.gov/vuln/detail/CVE-2019-6340
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2019-6340
cvssv3.1 8.1 https://www.drupal.org/sa-core-2019-003
cvssv3.1 8.1 https://www.drupal.org/sa-core-2019-003
generic_textual HIGH https://www.drupal.org/sa-core-2019-003
ssvc Attend https://www.drupal.org/sa-core-2019-003
cvssv3.1 8.1 https://www.exploit-db.com/exploits/46452
generic_textual HIGH https://www.exploit-db.com/exploits/46452
cvssv3.1 8.1 https://www.exploit-db.com/exploits/46452/
ssvc Attend https://www.exploit-db.com/exploits/46452/
cvssv3.1 8.1 https://www.exploit-db.com/exploits/46459
generic_textual HIGH https://www.exploit-db.com/exploits/46459
cvssv3.1 8.1 https://www.exploit-db.com/exploits/46459/
ssvc Attend https://www.exploit-db.com/exploits/46459/
cvssv3.1 8.1 https://www.exploit-db.com/exploits/46510
generic_textual HIGH https://www.exploit-db.com/exploits/46510
cvssv3.1 8.1 https://www.exploit-db.com/exploits/46510/
ssvc Attend https://www.exploit-db.com/exploits/46510/
cvssv3.1 8.1 https://www.synology.com/security/advisory/Synology_SA_19_09
cvssv3.1 8.1 https://www.synology.com/security/advisory/Synology_SA_19_09
generic_textual HIGH https://www.synology.com/security/advisory/Synology_SA_19_09
ssvc Attend https://www.synology.com/security/advisory/Synology_SA_19_09
cvssv3.1 8.1 http://www.securityfocus.com/bid/107106
cvssv3.1 8.1 http://www.securityfocus.com/bid/107106
generic_textual HIGH http://www.securityfocus.com/bid/107106
ssvc Attend http://www.securityfocus.com/bid/107106
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2019-6340
https://github.com/drupal/drupal
https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2019-6340.yaml
https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2019-6340.yaml
https://nvd.nist.gov/vuln/detail/CVE-2019-6340
https://www.drupal.org/sa-core-2019-003
https://www.drupal.org/SA-CORE-2019-003
https://www.exploit-db.com/exploits/46452
https://www.exploit-db.com/exploits/46459
https://www.exploit-db.com/exploits/46510
https://www.synology.com/security/advisory/Synology_SA_19_09
http://www.securityfocus.com/bid/107106
46452 https://www.exploit-db.com/exploits/46452/
46459 https://www.exploit-db.com/exploits/46459/
46510 https://www.exploit-db.com/exploits/46510/
cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*
CVE-2019-6340 Exploit https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/remote/46510.rb
CVE-2019-6340 Exploit https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/46452.txt
CVE-2019-6340 Exploit https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/46459.py
CVE-2019-6340 Exploit https://raw.githubusercontent.com/rapid7/metasploit-framework/6ff18828c0273b7170469939a49e4b063d561799/modules/exploits/unix/webapp/drupal_restws_unserialize.rb
CVE-2019-6340 Exploit https://www.ambionics.io/blog/drupal8-rce
GHSA-3gx6-h57h-rm27 https://github.com/advisories/GHSA-3gx6-h57h-rm27
Data source Metasploit
Description This module exploits a PHP unserialize() vulnerability in Drupal RESTful Web Services by sending a crafted request to the /node REST endpoint. As per SA-CORE-2019-003, the initial remediation was to disable POST, PATCH, and PUT, but Ambionics discovered that GET was also vulnerable (albeit cached). Cached nodes can be exploited only once. Drupal updated SA-CORE-2019-003 with PSA-2019-02-22 to notify users of this alternate vector. Drupal < 8.5.11 and < 8.6.10 are vulnerable.
Note
AKA:
  - SA-CORE-2019-003
Stability:
  - crash-safe
SideEffects:
  - ioc-in-logs
Reliability:
  - unreliable-session
Ransomware campaign use Unknown
Source publication date Feb. 20, 2019
Platform PHP,Unix
Source URL https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/unix/webapp/drupal_restws_unserialize.rb
Data source Exploit-DB
Date added Feb. 25, 2019
Description Drupal < 8.6.9 - REST Module Remote Code Execution
Ransomware campaign use Unknown
Source publication date Feb. 25, 2019
Exploit type webapps
Platform php
Source update date Feb. 25, 2019
Data source KEV
Date added March 25, 2022
Description In Drupal Core, some field types do not properly sanitize data from non-form sources. This can lead to arbitrary PHP code execution in some cases.
Required action Apply updates per vendor instructions.
Due date April 15, 2022
Note
https://nvd.nist.gov/vuln/detail/CVE-2019-6340
Ransomware campaign use Unknown
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/drupal/drupal
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): high
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2019-6340.yaml
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): high
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2019-6340.yaml
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): high
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P Found at https://nvd.nist.gov/vuln/detail/CVE-2019-6340
Access Vector (AV): network; Access Complexity (AC): medium; Authentication (Au): none; Confidentiality Impact (C): partial; Integrity Impact (I): partial; Availability Impact (A): partial
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2019-6340
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): high
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2019-6340
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): high
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://www.drupal.org/sa-core-2019-003
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): high
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://www.drupal.org/sa-core-2019-003
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): high
Vector: SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-07T12:38:47Z/ Found at https://www.drupal.org/sa-core-2019-003
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://www.exploit-db.com/exploits/46452
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): high
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://www.exploit-db.com/exploits/46452/
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): high
Vector: SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-07T12:38:47Z/ Found at https://www.exploit-db.com/exploits/46452/
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://www.exploit-db.com/exploits/46459
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): high
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://www.exploit-db.com/exploits/46459/
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): high
Vector: SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-07T12:38:47Z/ Found at https://www.exploit-db.com/exploits/46459/
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://www.exploit-db.com/exploits/46510
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): high
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://www.exploit-db.com/exploits/46510/
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): high
Vector: SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-07T12:38:47Z/ Found at https://www.exploit-db.com/exploits/46510/
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://www.synology.com/security/advisory/Synology_SA_19_09
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): high
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://www.synology.com/security/advisory/Synology_SA_19_09
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): high
Vector: SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-07T12:38:47Z/ Found at https://www.synology.com/security/advisory/Synology_SA_19_09
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at http://www.securityfocus.com/bid/107106
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): high
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at http://www.securityfocus.com/bid/107106
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): high
Vector: SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-07T12:38:47Z/ Found at http://www.securityfocus.com/bid/107106
Exploit Prediction Scoring System (EPSS)
Percentile 0.99978
EPSS Score 0.94419
Published At Sept. 25, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-31T09:14:32.056787+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-3gx6-h57h-rm27/GHSA-3gx6-h57h-rm27.json 37.0.0