{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2019-25592", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-03-22T12:53:14.849Z", "datePublished": "2026-03-22T13:38:30.411Z", "dateUpdated": "2026-03-23T16:04:17.974Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-03-22T13:38:30.411Z"}, "datePublic": "2019-05-09T00:00:00.000Z", "title": "PHPRunner 10.1 Denial of Service via Dashboard Name Field", "descriptions": [{"lang": "en", "value": "PHPRunner 10.1 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the dashboard name field. Attackers can paste a buffer of 10000 characters into the Name field during dashboard creation to trigger an application crash."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Improper Handling of Overlap Between Protected Memory Ranges", "cweId": "CWE-1260", "type": "CWE"}]}], "affected": [{"vendor": "Xlinesoft", "product": "PHPRunner", "versions": [{"version": "10.1", "status": "affected"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:xlinesoft:phprunner:10.1:*:*:*:*:*:*:*"}, {"vulnerable": true, "criteria": "cpe:2.3:a:xlinesoft:phprunner:4.2:*:*:*:*:*:*:*"}, {"vulnerable": true, "criteria": "cpe:2.3:a:xlinesoft:phprunner:-:*:*:*:*:*:*:*"}]}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "baseScore": 6.9, "baseSeverity": "MEDIUM", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS"}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS"}], "references": [{"url": "https://www.exploit-db.com/exploits/46824", "name": "ExploitDB-46824", "tags": ["exploit"]}, {"url": "https://xlinesoft.com/", "name": "Official Product Homepage", "tags": ["product"]}, {"url": "https://xlinesoft.com/phprunner/download.htm", "name": "Product Reference", "tags": ["product"]}, {"name": "VulnCheck Advisory: PHPRunner 10.1 Denial of Service via Dashboard Name Field", "tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/phprunner-denial-of-service-via-dashboard-name-field"}], "credits": [{"lang": "en", "value": "Victor Mondrag\u00f3n", "type": "finder"}], "x_generator": {"engine": "vulncheck"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-23T16:03:58.187582Z", "id": "CVE-2019-25592", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T16:04:17.974Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "PHPRunner 10.1 Denial of Service via Dashboard Name Field", "credits": [{"lang": "en", "type": "finder", "value": "Victor Mondrag\u00f3n"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.2, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "Xlinesoft", "product": "PHPRunner", "versions": [{"status": "affected", "version": "10.1"}]}], "datePublic": "2019-05-09T00:00:00.000Z", "references": [{"url": "https://www.exploit-db.com/exploits/46824", "name": "ExploitDB-46824", "tags": ["exploit"]}, {"url": "https://xlinesoft.com/", "name": "Official Product Homepage", "tags": ["product"]}, {"url": "https://xlinesoft.com/phprunner/download.htm", "name": "Product Reference", "tags": ["product"]}, {"url": "https://www.vulncheck.com/advisories/phprunner-denial-of-service-via-dashboard-name-field", "name": "VulnCheck Advisory: PHPRunner 10.1 Denial of Service via Dashboard Name Field", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "vulncheck"}, "descriptions": [{"lang": "en", "value": "PHPRunner 10.1 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the dashboard name field. Attackers can paste a buffer of 10000 characters into the Name field during dashboard creation to trigger an application crash."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1260", "description": "Improper Handling of Overlap Between Protected Memory Ranges"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:xlinesoft:phprunner:10.1:*:*:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:xlinesoft:phprunner:4.2:*:*:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:xlinesoft:phprunner:-:*:*:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-03-22T13:38:30.411Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2019-25592", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-23T16:03:58.187582Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-03-23T16:04:08.792Z"}}]}, "cveMetadata": {"cveId": "CVE-2019-25592", "state": "PUBLISHED", "dateUpdated": "2026-03-22T13:38:30.411Z", "dateReserved": "2026-03-22T12:53:14.849Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-03-22T13:38:30.411Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "PHPRunner 10.1 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the dashboard name field. Attackers can paste a buffer of 10000 characters into the Name field during dashboard creation to trigger an application crash."}, {"lang": "es", "value": "PHPRunner 10.1 contiene una vulnerabilidad de denegaci\u00f3n de servicio que permite a atacantes locales bloquear la aplicaci\u00f3n al proporcionar una cadena excesivamente larga en el campo de nombre del panel de control. Los atacantes pueden pegar un b\u00fafer de 10000 caracteres en el campo Nombre durante la creaci\u00f3n del panel de control para provocar un bloqueo de la aplicaci\u00f3n."}], "id": "CVE-2019-25592", "lastModified": "2026-04-16T16:19:50.757", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 3.6, "source": "disclosure@vulncheck.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-03-22T14:16:25.830", "references": [{"source": "disclosure@vulncheck.com", "url": "https://www.exploit-db.com/exploits/46824"}, {"source": "disclosure@vulncheck.com", "url": "https://www.vulncheck.com/advisories/phprunner-denial-of-service-via-dashboard-name-field"}, {"source": "disclosure@vulncheck.com", "url": "https://xlinesoft.com/"}, {"source": "disclosure@vulncheck.com", "url": "https://xlinesoft.com/phprunner/download.htm"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1260"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "10.1"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "PHPRunner", "source": "cna", "vendor": "Xlinesoft"}, "product": "phprunner", "vendor": "xlinesoft"}], "analysis": {"en": {"generated_at": "2026-03-22T14:44:15.796918+00:00", "value": {"mitigation_remediation": ["Check the vendor's website for a patch or newer PHPRunner version that fixes the input length validation; apply the update as soon as possible.", "If a patch is unavailable, implement custom input validation to restrict the dashboard name length to a safe value, such as 255 characters, to prevent the crash."], "summary": {"action": "Apply Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Xlinesoft PHPRunner 10.1. It may also impact earlier releases such as 4.2 since the same input field is present, but only 10.1 is confirmed. The issue is limited to systems running the affected version of PHPRunner and requires a locally authenticated user with UI access to create dashboards.", "description_and_impact": "A local attacker can cause PHPRunner to crash by submitting an excessively long string in the dashboard name field during dashboard creation. The resulting application crash leads to interruption of service and loss of availability for any users relying on that instance.", "risk_and_exploitability": "The CVSS score of 6.9 indicates moderate severity, with no publicly available exploitation code (EPSS not available) and not listed in the CISA KEV catalog. The attack requires local access to the web interface and is limited to user-initiated input. While the exploit is unlikely to allow remote code execution, it can repeatedly render the application unusable, creating a practical denial of service risk for businesses deploying PHPRunner."}}}}, "created": "2026-03-23T09:46:26.362234+00:00", "updated": "2026-03-25T14:46:24.651222+00:00", "vendors": ["xlinesoft", "xlinesoft$PRODUCT$phprunner"]}