CVE-2013-5331

Exp

Adobe Flash Player before 11.7.700.257 and 11.8.x and 11.9.x before 11.9.900.170 on Windows and Mac OS X and before 11.2.202.332 on Linux, Adobe AIR before 3.9.0.1380, Adobe AIR SDK before 3.9.0.1380, and Adobe AIR SDK & Compiler before 3.9.0.1380 allow remote attackers to execute arbitrary code via crafted .swf content that leverages an unspecified "type confusion," as exploited in the wild in December 2013.

Published: 2013-12-11 Last update: 2026-04-29 Assigner: [email protected] Source: [email protected]
NVD Status:ModifiedCVE State: published
View at NVD, CVE.org, EUVD

CVE-2013-5331 is rated High Exploit Risk (86.8/100): CVSS Critical severity, with high exploitation likelihood (EPSS 87.37%, 99th percentile). 1 public exploit reference(s) are indexed (Exploit-DB). Public exploits are available—assess exposure, apply mitigations, and prioritize patching.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Public exploit references (Exploit-DB) for CVE-2013-5331

EDB-ID Source Kind Published Link
33095 exploit_db edb 2014-04-29 Exploit-DB ↗

Exploit prediction scoring system (EPSS) score for CVE-2013-5331

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-03-04 87.60% 87.37% -0.23%
2 2026-03-01 87.37% 87.60% +0.23%
3 2026-02-04 87.37%

Full EPSS history (40 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2013-5331

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
9.3 2.0 HIGH
AV:N/AC:M/Au:N/C:C/I:C/A:C Click to expand
Access vector (AV:N)
Can be exploited remotely over network reachability.
Access complexity (AC:M)
Exploitation needs some favorable conditions, but not exceptional ones.
Authentication (AU:N)
No authentication is required.
Confidentiality impact (C:C)
Complete confidentiality impact.
Integrity impact (I:C)
Complete integrity impact.
Availability impact (A:C)
Complete availability impact.
 8.6 10.0 [email protected]

Weakness enumeration for CVE-2013-5331

OS Trackers for CVE-2013-5331

vendor priority summary link
gentoo normal CVE-2013-5331: 1 GLSA(s) (201402-06), 1 atom(s) (www-plugins/adobe-flash); latest impact normal. https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2013-5331
redhat critical https://access.redhat.com/security/cve/CVE-2013-5331
ubuntu medium CVE-2013-5331 medium priority: Ubuntu including 2 source packages (adobe-flashplugin, flashplugin-nonfree), 12 status rows across 6 suites (lucid, precise, quantal, raring, saucy, upstream): released 10, ignored 2. https://ubuntu.com/security/CVE-2013-5331

NVD evaluator notes for CVE-2013-5331

Comment: Per: http://helpx.adobe.com/security/products/flash-player/apsb13-28.html "Adobe is aware of reports that an exploit designed to trick the user into opening a Microsoft Word document with malicious Flash (.swf) content exists for CVE-2013-5331."

Affected software / configurations for CVE-2013-5331

Vendor Product Version Raw CPE
adobe flash_player >= 11.0, < 11.7.700.257 cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*
adobe flash_player >= 11.8, < 11.8.800.175 cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*
adobe flash_player >= 11.9, < 11.9.900.700 cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*
adobe flash_player >= 11.0, < 11.2.202.332 cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*
adobe air < 3.9.0.1380 cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:*
adobe air_sdk < 3.9.0.1380 cpe:2.3:a:adobe:air_sdk:*:*:*:*:*:*:*:*

References for CVE-2013-5331

cvelogic Threat Intelligence