CVE-2019-16759

CRITICALNVD 9.89.8—Trending — 3 sources updated this weekExploited in the wild

9.8

vBulletin 5.x through 5.5.4 allows remote command execution via the widgetConfig[code] parameter in an ajax/render/widget_php routestring request.

CVSS v3: 9.8
EG Score: 9.8(medium)
EPSS: 100.0%
KEV: ⚠ Exploited

Published

September 24, 2019

Last Modified

November 7, 2025

Advisory Details (8)

Auto-updated Jun 1, 2026

⚠️ Active exploitation confirmed. Patch available.

generic Patch Available🔴 Active Exploitation

This vBulletin vBug is vBad: Zero-day exploit lets miscreants hijack vulnerable web forums

https://www.theregister.co.uk/2019/09/24/vbulletin_vbug_zeroday/

generic

Full Disclosure: vBulletin 5.x 0day pre-auth RCE exploit

https://seclists.org/fulldisclosure/2019/Sep/31

generic🔴 Active Exploitation

High-severity vulnerability in vBulletin is being actively exploited - Ars Technica

https://arstechnica.com/information-technology/2019/09/public-exploit-code-spawns-mass-attacks-against-high-severity-vbulletin-bug/

generic

Full Disclosure: Remote Code Execution 0day in vBulletin 5.x

http://seclists.org/fulldisclosure/2020/Aug/5

generic

Packet Storm

http://packetstormsecurity.com/files/158866/vBulletin-5.x-Remote-Code-Execution.html

generic

Packet Storm

http://packetstormsecurity.com/files/158830/vBulletin-5.x-Remote-Code-Execution.html

generic

Packet Storm

http://packetstormsecurity.com/files/158829/vBulletin-5.x-Remote-Code-Execution.html

generic

Packet Storm

http://packetstormsecurity.com/files/155633/vBulletin-5.5.4-Remote-Command-Execution.html

Weakness Classification(2)

MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.

Data Freshness Timeline

(refreshed 20× in last 7d / 20× in last 30d)

Every time one of our enrichment pipelines (NVD, MITRE cvelistV5, EPSS, CISA KEV, GHSA, OSV, vendor advisories) ran against this CVE. Most recent first.

2026-06-06 15:24 UTCEG score recompute
2026-06-06 15:24 UTCGHSA enrichment
2026-06-06 11:26 UTCEG score recompute
2026-06-06 11:26 UTCGHSA enrichment
2026-06-06 07:29 UTCEG score recompute
2026-06-06 07:29 UTCGHSA enrichment
2026-06-06 03:31 UTCEG score recompute
2026-06-06 03:31 UTCGHSA enrichment
2026-06-05 23:33 UTCEG score recompute
2026-06-05 23:33 UTCGHSA enrichment
2026-06-05 22:43 UTCkev_newly_listed
2026-06-05 19:35 UTCEG score recompute
2026-06-05 19:35 UTCGHSA enrichment
2026-06-05 15:37 UTCEG score recompute
2026-06-05 15:37 UTCGHSA enrichment
2026-06-05 11:39 UTCEG score recompute
2026-06-05 11:39 UTCGHSA enrichment
2026-06-05 07:41 UTCEG score recompute
2026-06-05 07:40 UTCGHSA enrichment
2026-06-05 03:43 UTCEG score recompute

Publicly available exploits

(10 references)

Working exploit code is in the public domain (1 Metasploit module) (7 GitHub PoCs) (2 Exploit-DB entries). Defenders should treat patch urgency accordingly — public PoCs typically lead to mass-exploitation within 24-72 hours.

GitHub PoC0xdims/CVE-2019-16759
First seen Aug 16, 2020
This tools will extracts and dumps Email + SMTP from vBulletin database server
Open source ↗
GitHub PoCandripwn/pwn-vbulletin
First seen Dec 29, 2019
Identify vulnerable (RCE) vBulletin 5.0.0 - 5.5.4 instances using Shodan (CVE-2019-16759)
Open source ↗
GitHub PoCFarjaalAhmad/CVE-2019-16759
First seen Oct 12, 2019
Interactive-Like Command-Line Console for CVE-2019-16759
Open source ↗
GitHub PoCtheLSA/vbulletin5-rce
First seen Oct 2, 2019
CVE-2019-16759 vbulletin 5.0.0 till 5.5.4 pre-auth rce
Open source ↗
Exploit-DBEDB-47437
First seen Sep 30, 2019
vBulletin 5.x - Remote Command Execution (Metasploit)
Open source ↗
GitHub PoCr00tpgp/http-vuln-CVE-2019-16759
First seen Sep 26, 2019
Nmap NSE Script to Detect vBulletin pre-auth 5.x RCE CVE-2019-16759
Open source ↗
GitHub PoCjas502n/CVE-2019-16759
First seen Sep 26, 2019
vBulletin 5.x 未授权远程代码执行漏洞
Open source ↗
GitHub PoCM0sterHxck/CVE-2019-16759-Vbulletin-rce-exploit
First seen Sep 25, 2019
Vbulletin rce exploit CVE-2019-16759
Open source ↗
Exploit-DBEDB-47447
First seen Sep 23, 2019
vBulletin 5.0 < 5.5.4 - 'widget_php ' Unauthenticated Remote Code Execution
Open source ↗
Metasploitexploit/multi/http/vbulletin_widgetconfig_rce✓ verified
First seen Sep 23, 2019
vBulletin widgetConfig RCE
Open source ↗

Frequently asked(6)

What is CVE-2019-16759?

CVE-2019-16759 is a critical vulnerability published on September 24, 2019. vBulletin 5.x through 5.5.4 allows remote command execution via the widgetConfig[code] parameter in an ajax/render/widget_php routestring request.

When was CVE-2019-16759 disclosed?

CVE-2019-16759 was first published in the National Vulnerability Database on September 24, 2019, with the most recent update on November 7, 2025. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.

Is CVE-2019-16759 actively exploited?

Yes. CISA added CVE-2019-16759 to the Known Exploited Vulnerabilities catalog on November 3, 2021, affecting vBulletin vBulletin. KEV listing indicates confirmed exploitation in the wild; this CVE warrants immediate patching attention.

What is the CVSS score of CVE-2019-16759?

CVE-2019-16759 has a CVSS v3 base score of 9.8 (NVD).

Which products are affected by CVE-2019-16759?

CVE-2019-16759 affects vBulletin vBulletin. The full affected-products list, including version ranges and fixed versions, is shown in the Affected Packages section of this page.

How do I remediate CVE-2019-16759?

Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2019-16759, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

See which npm, PyPI, Go, and Maven packages are affected by CVE-2019-16759

Explore →

Is Your Infrastructure Affected by CVE-2019-16759?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.

Start Free Scan →Browse All CVEs

CVE-2019-16759

CRITICALNVD 9.89.8—Trending — 3 sources updated this weekExploited in the wild

Frequently asked(6)

What is CVE-2019-16759?

When was CVE-2019-16759 disclosed?

Is CVE-2019-16759 actively exploited?

What is the CVSS score of CVE-2019-16759?

CVE-2019-16759 has a CVSS v3 base score of 9.8 (NVD).

Which products are affected by CVE-2019-16759?

CVE-2019-16759 affects vBulletin vBulletin. The full affected-products list, including version ranges and fixed versions, is shown in the Affected Packages section of this page.

How do I remediate CVE-2019-16759?

CVE-2019-16759

📅 Published

🔄 Last Modified

📋 Advisory Details (8)

This vBulletin vBug is vBad: Zero-day exploit lets miscreants hijack vulnerable web forums

Full Disclosure: vBulletin 5.x 0day pre-auth RCE exploit

High-severity vulnerability in vBulletin is being actively exploited - Ars Technica

Full Disclosure: Remote Code Execution 0day in vBulletin 5.x

Packet Storm

Packet Storm

Packet Storm

Packet Storm

Weakness Classification(2)

Data Freshness Timeline

Publicly available exploits

❓ Frequently asked(6)

Dependency Blast Radius

Is Your Infrastructure Affected by CVE-2019-16759?

CVE-2019-16759

📅 Published

🔄 Last Modified

📋 Advisory Details (8)

This vBulletin vBug is vBad: Zero-day exploit lets miscreants hijack vulnerable web forums

Full Disclosure: vBulletin 5.x 0day pre-auth RCE exploit

High-severity vulnerability in vBulletin is being actively exploited - Ars Technica

Full Disclosure: Remote Code Execution 0day in vBulletin 5.x

Packet Storm

Packet Storm

Packet Storm

Packet Storm

Weakness Classification(2)

Data Freshness Timeline

Publicly available exploits

❓ Frequently asked(6)

Dependency Blast Radius

Is Your Infrastructure Affected by CVE-2019-16759?

🔗 Related CVEs(same CWE)

Same CWE

Published

Last Modified

Advisory Details (8)

Frequently asked(6)

Published

Last Modified

Advisory Details (8)

Frequently asked(6)

Related CVEs(same CWE)