Vulnerability Database

300,214

Total vulnerabilities in the database

CVE-2019-3902

A flaw was found in Mercurial before 4.9. It was possible to use symlinks and subrepositories to defeat Mercurial's path-checking logic and write files outside a repository.

Published: Apr 22, 2019
Updated: Nov 9, 2025
CVE: CVE-2019-3902
Severity: Medium
Exploit:

CVSS v2:

Severity: Medium
Score: 5.8
AV:N/AC:M/Au:N/C:N/I:P/A:P

CWEs:

CWE-22
CWE-59

OWASP TOP 10:

A5 - Broken Access Control

Affected Software
References

Software	From	Fixed in
mercurial / mercurial	-	4.9
redhat / enterprise_linux	7.0	7.0.x
debian / debian_linux	8.0	8.0.x

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3902
https://lists.debian.org/debian-lts-announce/2019/04/msg00024.html
https://lists.debian.org/debian-lts-announce/2020/07/msg00032.html
https://usn.ubuntu.com/4086-1/
https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.9_.282019-02-01.29

Deep Security Visibility Without the Complexity

SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.

No setup fees
5-min deployment
Cancel anytime

Book a Demo