{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2019-25689", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-04-05T15:31:44.950Z", "datePublished": "2026-04-12T12:28:45.236Z", "dateUpdated": "2026-04-12T12:28:45.236Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-12T12:28:45.236Z"}, "title": "HTML5 Video Player 1.2.5 Local Buffer Overflow Non-SEH", "descriptions": [{"lang": "en", "value": "HTML5 Video Player 1.2.5 contains a local buffer overflow vulnerability that allows attackers to execute arbitrary code by supplying an oversized key code string. Attackers can craft a malicious payload exceeding 997 bytes and paste it into the KEY CODE field in the Help Register dialog to trigger code execution and spawn a calculator process."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Out-of-bounds Write", "cweId": "CWE-787", "type": "CWE"}]}], "affected": [{"vendor": "Html5Videoplayer", "product": "HTML5 Video Player", "versions": [{"version": "1.2.5", "status": "affected"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:bplugins:html5_video_player:1.2.5:*:*:*:*:*:*:*"}]}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "baseScore": 8.6, "baseSeverity": "HIGH", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS"}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS"}], "references": [{"url": "https://www.exploit-db.com/exploits/46279", "name": "ExploitDB-46279", "tags": ["exploit"]}, {"url": "http://www.html5videoplayer.net/download.html", "name": "Official Product Homepage", "tags": ["product"]}, {"name": "VulnCheck Advisory: HTML5 Video Player 1.2.5 Local Buffer Overflow Non-SEH", "tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/html5-video-player-local-buffer-overflow-non-seh"}], "credits": [{"lang": "en", "value": "Dino Covotsos - Telspace Systems", "type": "finder"}], "x_generator": {"engine": "vulncheck"}, "datePublic": "2019-01-29T00:00:00.000Z"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "HTML5 Video Player 1.2.5 contains a local buffer overflow vulnerability that allows attackers to execute arbitrary code by supplying an oversized key code string. Attackers can craft a malicious payload exceeding 997 bytes and paste it into the KEY CODE field in the Help Register dialog to trigger code execution and spawn a calculator process."}], "id": "CVE-2019-25689", "lastModified": "2026-04-12T13:16:31.923", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 5.9, "source": "disclosure@vulncheck.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-04-12T13:16:31.923", "references": [{"source": "disclosure@vulncheck.com", "url": "http://www.html5videoplayer.net/download.html"}, {"source": "disclosure@vulncheck.com", "url": "https://www.exploit-db.com/exploits/46279"}, {"source": "disclosure@vulncheck.com", "url": "https://www.vulncheck.com/advisories/html5-video-player-local-buffer-overflow-non-seh"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": null}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "html5_video_player", "vendor": "bplugins"}, {"configurations": [{"platform": null, "status": "affected", "versions": null}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "HTML5 Video Player", "source": "cna", "vendor": "Html5Videoplayer"}, "product": "html5_video_player", "vendor": "html5videoplayer"}], "analysis": {"en": {"generated_at": "2026-04-12T13:24:59.342439+00:00", "value": {"mitigation_remediation": ["Update HTML5 Video Player to the latest available version from the vendor\u2019s download page", "Close the application to prevent accidental use of the vulnerable dialog", "Verify that no pending updates are available by checking the vendor\u2019s website regularly", "If an update is not immediately available, restrict user access to the KEY CODE field by disabling or removing the Help Register dialog"], "summary": {"action": "Immediate Patch", "impact": "Local Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerable product is the HTML5 Video Player from the bplugins vendor, version 1.2.5. Any installation of this specific version that allows the Help Register dialog to accept user input is affected.", "description_and_impact": "A vulnerability in HTML5 Video Player 1.2.5 occurs when the application reads a key code string that exceeds the internal buffer size. The overflow enables an attacker to inject malicious code, which can be executed in the context of the running process, as demonstrated by spawning a calculator process. The weakness is a classic buffer overflow (CWE\u2011787) and directly compromises the integrity and confidentiality of the system local to the user who opens the dialog.", "risk_and_exploitability": "The CVSS score of 8.6 indicates a high severity, and the vulnerability is local in nature, requiring user interaction to activate the exploit payload. No EPSS score is published, and the vulnerability is not listed in the CISA KEV catalog, suggesting limited documented exploitation but still a significant risk due to the high base score and ease of tricking a user to enter the oversized string."}}}}, "created": "2026-04-13T12:41:22.371626+00:00", "updated": "2026-04-13T12:56:01.168870+00:00", "vendors": ["bplugins", "bplugins$PRODUCT$html5_video_player", "html5videoplayer", "html5videoplayer$PRODUCT$html5_video_player"]}