GHSA-6rmq-x2hv-vxpp · Severity: high · Ecosystem: composer — Drupal core third-party PEAR Archive_Tar library is vulnerable to Deserialization of Untrusted Data
In Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6 and 8.5.x prior to 8.5.9; Drupal core uses the third-party PEAR Archive_Tar library. This library has released a security update which impacts some Drupal configurations. Refer to CVE-2018-1000888 for details
Conclusion & alert: CVE-2019-6338 is rated Moderate Risk (61.5/100): CVSS High severity, with medium exploitation likelihood (EPSS 2.27%). Core evidence: EPSS rose +1.23% over the last day, indicating growing attacker interest. Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 1.05% | 2.27% | +1.23% |
| 2 | 2026-03-04 | 1.09% | 1.05% | -0.04% |
| 3 | 2026-03-01 | — | 1.09% | — |
Full EPSS history (36 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 8.0 | 3.0 | HIGH |
|
2.1 | 5.9 | [email protected] |
| 6.0 | 2.0 | MEDIUM |
|
6.8 | 6.4 | [email protected] |
GHSA-6rmq-x2hv-vxpp · Severity: high · Ecosystem: composer — Drupal core third-party PEAR Archive_Tar library is vulnerable to Deserialization of Untrusted Data
| vendor | priority | summary | link |
|---|---|---|---|
ubuntu
|
medium | CVE-2019-6338 medium priority: Ubuntu including 1 source packages (drupal7), 19 status rows across 19 suites (bionic, cosmic, disco, eoan, focal, groovy, hirsute, impish, jammy, kinetic, lunar, mantic, noble, oracular, plucky, questing, trusty, upstream, xenial): DNE 16, needed 2, needs-triage 1. | https://ubuntu.com/security/CVE-2019-6338 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| drupal | drupal | >= 7.0, < 7.62 | cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* |
| drupal | drupal | >= 8.5.0, < 8.5.9 | cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* |
| drupal | drupal | >= 8.6.0, < 8.6.6 | cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* |
| debian | debian_linux | 8.0 | cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:* |
| debian | debian_linux | 9.0 | cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:* |
| URL | Tags |
|---|---|
| http://www.securityfocus.com/bid/106706 | Third Party Advisory |
| https://lists.debian.org/debian-lts-announce/2019/02/msg00032.html | Mailing List Third Party Advisory |
| https://www.debian.org/security/2019/dsa-4370 | Third Party Advisory |
| https://www.drupal.org/sa-core-2019-001 | Patch Vendor Advisory |