libvncserver.so is vulnerable to remote code execution. The cause is a heap use-after-free flaw in the server code of the file transfer extension.
bugzilla.suse.com/show_bug.cgi?id=1120114
ics-cert.kaspersky.com/advisories/klcert-advisories/2018/12/19/klcert-18-027-libvnc-heap-use-after-free/
lists.debian.org/debian-lts-announce/2019/01/msg00029.html
lists.debian.org/debian-lts-announce/2019/10/msg00042.html
usn.ubuntu.com/3877-1/
www.debian.org/security/2019/dsa-4383