PatchSiren cyber security CVE debrief
CVE-2019-25735 Allplayer CVE debrief
CVE-2019-25735 is a local buffer overflow vulnerability in AllPlayer 7.4. The vulnerability occurs in the URL handling mechanism, where an excessively long URL string can be used to overwrite structured exception handling (SEH) pointers. This allows attackers to craft a malicious URL, paste it into the Open URL dialog, and trigger SEH-based code execution to run arbitrary commands with user privileges. The vulnerability has a CVSS score of 8.6 and is classified as HIGH severity.
- Vendor: Allplayer
- Product: Unknown
- CVSS: HIGH 8.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-04
- Original CVE updated: 2026-06-04
- Advisory published: 2026-06-04
- Advisory updated: 2026-06-04
Who should care
Users of AllPlayer 7.4 should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The vulnerability is caused by a buffer overflow in the URL handling mechanism of AllPlayer 7.4. An attacker can exploit this vulnerability by crafting a malicious URL and pasting it into the Open URL dialog, allowing them to execute arbitrary commands with user privileges.
Defensive priority
HIGH
Recommended defensive actions
- Update to a patched version of AllPlayer, if available.
- Use caution when opening URLs from untrusted sources.
- Consider using alternative media players.
Evidence notes
The CVE record and NVD detail pages provide additional information about this vulnerability.
Official resources
CVE-2019-25735 was published on 2026-06-04T14:16:31.653Z and modified on 2026-06-04T15:00:40.757Z.