Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-mfsr-c5z2-hfh4
Vulnerability ID VCID-mfsr-c5z2-hfh4
Aliases CVE-2019-13638
Summary GNU patch through 2.7.6 is vulnerable to OS shell command injection that can be exploited by opening a crafted patch file that contains an ed style diff payload with shell metacharacters. The ed editor does not need to be present on the vulnerable system. This is different from CVE-2018-1000156.
Status Published
Exploitability 0.5
Weighted Severity 7.0
Risk 3.5
Affected and Fixed Packages Package Details
Weaknesses (1)
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
System Score Found at
cvssv3 7.8 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-13638.json
epss 0.0205 https://api.first.org/data/v1/epss?cve=CVE-2019-13638
epss 0.0205 https://api.first.org/data/v1/epss?cve=CVE-2019-13638
epss 0.0205 https://api.first.org/data/v1/epss?cve=CVE-2019-13638
cvssv3 7.3 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-13638.json
https://api.first.org/data/v1/epss?cve=CVE-2019-13638
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20969
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13636
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13638
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
1733916 https://bugzilla.redhat.com/show_bug.cgi?id=1733916
GLSA-201908-22 https://security.gentoo.org/glsa/201908-22
RHSA-2019:2798 https://access.redhat.com/errata/RHSA-2019:2798
RHSA-2019:2964 https://access.redhat.com/errata/RHSA-2019:2964
RHSA-2019:3757 https://access.redhat.com/errata/RHSA-2019:3757
RHSA-2019:3758 https://access.redhat.com/errata/RHSA-2019:3758
RHSA-2019:4061 https://access.redhat.com/errata/RHSA-2019:4061
USN-4071-1 https://usn.ubuntu.com/4071-1/
USN-4071-2 https://usn.ubuntu.com/4071-2/
No exploits are available.
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-13638.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.84188
EPSS Score 0.0205
Published At June 4, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-04T17:06:36.866961+00:00 Debian Importer Import https://security-tracker.debian.org/tracker/data/json 38.6.0