Vulnerability exists in Windows, Linux and UNIX versions of VLC 3.0.7.1 (the latest version of the media player) There is no patch to patch the vulnerability, though no exploitation of the vulnerability has been observed yet, according to German security agency CERT-Bund. Vulnerability (CVE-2019-13615) ranks 9.8 out of 10 on the CVSS3.0 scale, making it critical severity. VLC said the issue is in a 3rd party library, called libebml, which was fixed more than 16 months ago.
Source: https://threatpost.com/vlc-media-player-plagued-by-unpatched-critical-rce-flaw/146611/

