CVEs from 2016
Total
8,453
critical
critical 1,164
high
high 3,521
medium
medium 3,173
low
low 248
% Critical
13.8%
% with KEV
0.7%
% with exploit
6.8%
Top vendors
Top products
- phpmyadmin 3,382
- php 1,748
- squid 1,549
- samba 1,093
- drupal 868
- firefox 757
- moodle 700
- openssl 664
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2016-8313 | medium | 4.1 | 4.1 | 10y ago | Vulnerability in the Oracle FLEXCUBE Private Banking component of Oracle Financial Services Applications (subcomponent: Product / Instrument Search). Supported versions that are affected are 2.0.1, 2… | |||
| CVE-2016-5559 | medium | 4.1 | 4.1 | 10y ago | Unspecified vulnerability in Oracle Sun Solaris 10 and 11.3 allows local users to affect integrity via vectors related to Kernel. | |||
| CVE-2016-5504 | medium | 4.1 | 4.1 | 10y ago | Unspecified vulnerability in the Oracle Agile Product Lifecycle Management for Process component in Oracle Supply Chain Products Suite 6.1.0.4, 6.1.1.6, and 6.2.0.0 allows local users to affect confi… | |||
| CVE-2016-7094 | medium | 4.1 | 4.1 | 10y ago | Buffer overflow in Xen 4.7.x and earlier allows local x86 HVM guest OS administrators on guests running with shadow paging to cause a denial of service via a pagetable update. | |||
| CVE-2016-5464 | medium | 4.1 | 4.1 | 10y ago | Unspecified vulnerability in the Siebel UI Framework component in Oracle Siebel CRM 8.1.1, 8.2.2, IP2014, IP2015, and IP2016 allows remote authenticated users to affect integrity via vectors related … | |||
| CVE-2016-5463 | medium | 4.1 | 4.1 | 10y ago | Unspecified vulnerability in the Siebel UI Framework component in Oracle Siebel CRM 8.1.1, 8.2.2, IP2014, IP2015, and IP2016 allows remote authenticated users to affect integrity via vectors related … | |||
| CVE-2016-0668 | medium | 4.1 | 4.1 | 10y ago | Unspecified vulnerability in Oracle MySQL 5.6.28 and earlier and 5.7.10 and earlier and MariaDB 10.0.x before 10.0.24 and 10.1.x before 10.1.12 allows local users to affect availability via vectors r… | |||
| CVE-2016-1490 | medium | 4.1 | 4.1 | 11y ago | The Wifi hotspot in Lenovo SHAREit before 3.2.0 for Windows allows remote attackers to obtain sensitive file names via a crafted file request to /list. | |||
| CVE-2016-0382 | medium | 4.0 | 4.0 | 9y ago | The IBM Tealeaf Consumer Experience 8.7, 8.8, and 9.0 portal exposes some of its operational state in a form that may be accidentally captured and exposed by network infrastructure components such as… | |||
| CVE-2016-6097 | medium | 4.0 | 4.0 | 9y ago | IBM Tivoli Key Lifecycle Manager 2.0.1, 2.5, and 2.6 allows web pages to be stored locally which can be read by another user on the system. | |||
| CVE-2016-3024 | medium | 4.0 | 4.0 | 10y ago | IBM Security Access Manager for Web allows web pages to be stored locally which can be read by another user on the system. | |||
| CVE-2016-9844 | medium | 4.0 | 4.0 | 10y ago | Buffer overflow in the zi_short function in zipinfo.c in Info-Zip UnZip 6.0 allows remote attackers to cause a denial of service (crash) via a large compression method value in the central directory … | |||
| CVE-2016-8579 | medium | 4.0 | 4.0 | 10y ago | docker2aci <= 0.12.3 has an infinite loop when handling local images with cyclic dependency chain. | |||
| CVE-2016-7090 | medium | 4.0 | 4.0 | 10y ago | The integrated web server on Siemens SCALANCE M-800 and S615 modules with firmware before 4.02 does not set the secure flag for the session cookie in an https session, which makes it easier for remot… | |||
| CVE-2016-4707 | medium | 4.0 | 4.0 | 10y ago | CFNetwork in Apple iOS before 10 and OS X before 10.12 mishandles Local Storage deletion, which allows local users to discover the visited web sites of arbitrary users via unspecified vectors. | |||
| CVE-2016-3764 | medium | 4.0 | 4.0 | 10y ago | media/libmediaplayerservice/MetadataRetrieverClient.cpp in mediaserver in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-07-01 allows attackers to obtain sensit… | |||
| CVE-2016-3761 | medium | 4.0 | 4.0 | 10y ago | NfcService.java in NFC in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-07-01 allows attackers to obtain sensitive foreground-application information via a cra… | |||
| CVE-2016-0823 | medium | 4.0 | 4.0 | 10y ago | The pagemap_open function in fs/proc/task_mmu.c in the Linux kernel before 3.19.3, as used in Android 6.0.1 before 2016-03-01, allows local users to obtain sensitive physical-address information by r… | |||
| CVE-2016-0616 | medium | — | 4.0 | 11y ago | Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows remote authenticated users to affect availability via u… | |||
| CVE-2016-0614 | medium | — | 4.0 | 11y ago | Unspecified vulnerability in the Oracle BI Publisher component in Oracle Fusion Middleware 11.1.1.7.0, 11.1.1.9.0, and 12.2.1.0.0 allows remote authenticated users to affect confidentiality via unkno… | |||
| CVE-2016-0611 | medium | — | 4.0 | 11y ago | Unspecified vulnerability in Oracle MySQL 5.6.27 and earlier and 5.7.9 allows remote authenticated users to affect availability via unknown vectors related to Optimizer. | |||
| CVE-2016-0597 | medium | — | 4.0 | 11y ago | Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows remote authenticated use… | |||
| CVE-2016-0596 | medium | — | 4.0 | 11y ago | Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier and 5.6.27 and earlier and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows remote authenticated users to af… | |||
| CVE-2016-0595 | medium | — | 4.0 | 11y ago | Unspecified vulnerability in Oracle MySQL 5.6.27 and earlier allows remote authenticated users to affect availability via vectors related to DML. | |||
| CVE-2016-0587 | medium | — | 4.0 | 11y ago | Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.53, 8.54, and 8.55 allows remote authenticated users to affect confidentiality via unknown… | |||
| CVE-2016-0562 | medium | — | 4.0 | 11y ago | Unspecified vulnerability in the Oracle Common Applications component in Oracle E-Business Suite 11.5.10.2, 12.1.1, 12.1.2, and 12.1.3 allows remote authenticated users to affect integrity via vector… | |||
| CVE-2016-0531 | medium | — | 4.0 | 11y ago | Unspecified vulnerability in the Oracle Applications Manager component in Oracle E-Business Suite 12.1.3 allows remote authenticated users to affect integrity via unknown vectors related to Oracle Di… | |||
| CVE-2016-0503 | medium | — | 4.0 | 11y ago | Unspecified vulnerability in Oracle MySQL 5.6.27 and earlier and 5.7.9 allows remote authenticated users to affect availability via vectors related to DML, a different vulnerability than CVE-2016-050… | |||
| CVE-2016-0467 | medium | — | 4.0 | 11y ago | Unspecified vulnerability in the Security component in Oracle Database Server 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect integrity via unknown vectors. | |||
| CVE-2016-0462 | medium | — | 4.0 | 11y ago | Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.53 and 8.54 allows remote authenticated users to affect confidentiality via unknown vector… | |||
| CVE-2016-0461 | medium | — | 4.0 | 11y ago | Unspecified vulnerability in the XDB - XML Database component in Oracle Database Server 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect availability via unknown vectors. | |||
| CVE-2016-0459 | medium | — | 4.0 | 11y ago | Unspecified vulnerability in the Oracle Applications Framework component in Oracle E-Business Suite 11.5.10.2, 12.1.3, 12.2.3, 12.2.4, and 12.2.5 allows remote authenticated users to affect integrity… | |||
| CVE-2016-0458 | medium | — | 4.0 | 11y ago | Unspecified vulnerability in Oracle Sun Solaris 11 allows local users to affect availability via vectors related to Kernel DAX. | |||
| CVE-2016-0448 | medium | — | 4.0 | 11y ago | Unspecified vulnerability in the Java SE and Java SE Embedded components in Oracle Java SE 6u105, 7u91, and 8u66, and Java SE Embedded 8u65 allows remote authenticated users to affect confidentiality… | |||
| CVE-2016-0427 | medium | — | 4.0 | 11y ago | Unspecified vulnerability in the Enterprise Manager Base Platform component in Oracle Enterprise Manager Grid Control 11.1.0.1, 11.2.0.4, 12.1.0.4, and 12.1.0.5 allows remote authenticated users to a… | |||
| CVE-2016-0413 | medium | — | 4.0 | 11y ago | Unspecified vulnerability in the Oracle Identity Federation component in Oracle Fusion Middleware 11.1.1.7 allows remote authenticated users to affect integrity via vectors related to Federation prot… | |||
| CVE-2016-0409 | medium | — | 4.0 | 11y ago | Unspecified vulnerability in the PeopleSoft Enterprise HCM Global Payroll Switzerland component in Oracle PeopleSoft Products 9.1 and 9.2 allows remote authenticated users to affect confidentiality v… | |||
| CVE-2016-3714 | unknown | — | 2.5 | 2y ago | The (1) EPHEMERAL, (2) HTTPS, (3) MVG, (4) MSL, (5) TEXT, (6) SHOW, (7) WIN, and (8) PLT coders in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allow remote attackers to execute arbitrary code … | |||
| CVE-2016-20017 | unknown | — | 2.5 | 2y ago | D-Link DSL-2750B devices contain a command injection vulnerability that allows remote, unauthenticated command injection via the login.cgi cli parameter. | |||
| CVE-2016-0165 | unknown | — | 2.5 | 3y ago | Microsoft Win32k contains an unspecified vulnerability that allows for privilege escalation. | |||
| CVE-2016-6415 | unknown | — | 2.5 | 3y ago | Cisco IOS, IOS XR, and IOS XE contain insufficient condition checks in the part of the code that handles Internet Key Exchange version 1 (IKEv1) security negotiation requests. contains an information… | |||
| CVE-2016-2386 | unknown | — | 2.5 | 4y ago | SQL injection vulnerability in the UDDI server in SAP NetWeaver J2EE Engine 7.40 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | |||
| CVE-2016-2388 | unknown | — | 2.5 | 4y ago | The Universal Worklist Configuration in SAP NetWeaver AS JAVA 7.4 allows remote attackers to obtain sensitive user information via a crafted HTTP request. | |||
| CVE-2016-0984 | unknown | — | 2.5 | 4y ago | Use-after-free vulnerability in Adobe Flash Player and Adobe AIR allows attackers to execute code. | |||
| CVE-2016-4657 | unknown | — | 2.5 | 4y ago | Apple iOS WebKit contains a memory corruption vulnerability that allows attackers to execute remote code or cause a denial-of-service (DoS) via a crafted web site. This vulnerability could impact HTM… | |||
| CVE-2016-6366 | unknown | — | 2.5 | 4y ago | A buffer overflow vulnerability in the Simple Network Management Protocol (SNMP) code of Cisco ASA software could allow an attacker to cause a reload of the affected system or to remotely execute cod… | |||
| CVE-2016-4656 | unknown | — | 2.5 | 4y ago | A memory corruption vulnerability in Apple iOS kernel allows attackers to execute code in a privileged context or cause a denial-of-service (DoS) via a crafted application. | |||
| CVE-2016-4655 | unknown | — | 2.5 | 4y ago | The Apple iOS kernel allows attackers to obtain sensitive information from memory via a crafted application. | |||
| CVE-2016-6367 | unknown | — | 2.5 | 4y ago | A vulnerability in the command-line interface (CLI) parser of Cisco ASA software could allow an authenticated, local attacker to create a denial-of-service (DoS) condition or potentially execute code. | |||
| CVE-2016-4437 | unknown | — | 2.5 | 4y ago | Apache Shiro contains a vulnerability which may allow remote attackers to execute code or bypass intended access restrictions via an unspecified request parameter when a cipher key has not been confi… | |||
| CVE-2016-7201 | unknown | — | 2.5 | 4y ago | The Chakra JavaScript scripting engine in Microsoft Edge allows remote attackers to execute remote code or cause a denial of service (memory corruption) via a crafted web site. | |||
| CVE-2016-7200 | unknown | — | 2.5 | 4y ago | The Chakra JavaScript scripting engine in Microsoft Edge allows remote attackers to execute remote code or cause a denial of service (memory corruption) via a crafted web site. | |||
| CVE-2016-3088 | unknown | — | 2.5 | 4y ago | The Fileserver web application in Apache ActiveMQ allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request | |||
| CVE-2016-0040 | unknown | — | 2.5 | 4y ago | The kernel in Microsoft Windows allows local users to gain privileges via a crafted application. | |||
| CVE-2016-0151 | unknown | — | 2.5 | 4y ago | The Client-Server Run-time Subsystem (CSRSS) in Microsoft mismanages process tokens, which allows local users to gain privileges via a crafted application. | |||
| CVE-2016-0189 | unknown | — | 2.5 | 4y ago | The Microsoft JScript nd VBScript engines, as used in Internet Explorer and other products, allow attackers to execute remote code or cause a denial of service (memory corruption) via a crafted web s… | |||
| CVE-2016-1555 | unknown | — | 2.5 | 4y ago | Multiple NETGEAR Wireless Access Point devices allows unauthenticated web pages to pass form input directly to the command-line interface. Exploitation allows for arbitrary code execution. | |||
| CVE-2016-11021 | unknown | — | 2.5 | 4y ago | setSystemCommand on D-Link DCS-930L devices allows a remote attacker to execute code via an OS command. | |||
| CVE-2016-10174 | unknown | — | 2.5 | 4y ago | The NETGEAR WNR2000v5 router contains a buffer overflow which can be exploited to achieve remote code execution. | |||
| CVE-2016-3309 | unknown | — | 2.5 | 4y ago | A privilege escalation vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in k… | |||
| CVE-2016-6277 | unknown | — | 2.5 | 4y ago | NETGEAR confirmed multiple routers allow unauthenticated web pages to pass form input directly to the command-line interface, permitting remote code execution. | |||
| CVE-2016-0099 | unknown | — | 2.5 | 4y ago | A privilege escalation vulnerability exists in Microsoft Windows if the Windows Secondary Logon Service fails to properly manage request handles in memory. An attacker who successfully exploited this… | |||
| CVE-2016-4117 | unknown | — | 2.5 | 4y ago | An access of resource using incompatible type vulnerability exists within Adobe Flash Player that allows an attacker to perform remote code execution. | |||
| CVE-2016-0185 | unknown | — | 2.5 | 5y ago | Microsoft Windows Media Center contains a remote code execution vulnerability when Windows Media Center opens a specially crafted Media Center link (.mcl) file that references malicious code. | |||
| CVE-2016-3715 | unknown | — | 2.5 | 5y ago | The EPHEMERAL coder in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allows remote attackers to delete arbitrary files via a crafted image. | |||
| CVE-2016-3976 | unknown | — | 2.5 | 5y ago | SAP NetWeaver Application Server Java Platforms contains a directory traversal vulnerability via a ..\ (dot dot backslash) in the fileName parameter to CrashFileDownloadServlet. This allows remote at… | |||
| CVE-2016-3643 | unknown | — | 2.5 | 5y ago | SolarWinds Virtualization Manager allows for privilege escalation through leveraging a misconfiguration of sudo. | |||
| CVE-2016-3718 | unknown | — | 2.5 | 5y ago | The (1) HTTP and (2) FTP coders in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allow remote attackers to conduct server-side request forgery (SSRF) attacks via a crafted image. | |||
| CVE-2016-3235 | unknown | — | 2.5 | 5y ago | Microsoft Office Object Linking & Embedding (OLE) dynamic link library (DLL) contains a side loading vulnerability due to it improperly validating input before loading libraries. Successful exploitat… | |||
| CVE-2016-7255 | unknown | — | 2.5 | 5y ago | Microsoft Win32k kernel-mode driver fails to properly handle objects in memory which allows for privilege escalation. Successful exploitation allows an attacker to run code in kernel mode. | |||
| CVE-2016-0752 | unknown | — | 2.5 | 11y ago | Directory traversal vulnerability in Action View in Ruby on Rails allows remote attackers to read arbitrary files. | |||
| CVE-2016-7836 | unknown | — | 1.5 | 8mo ago | SKYSEA Client View contains an improper authentication vulnerability that allows remote code execution via a flaw in processing authentication on the TCP connection with the management console progra… | |||
| CVE-2016-3427 | unknown | — | 1.5 | 3y ago | Oracle Java SE and JRockit contains an unspecified vulnerability that allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Java Management Extensions … | |||
| CVE-2016-5198 | unknown | — | 1.5 | 4y ago | Google Chromium V8 Engine contains an out-of-bounds memory access vulnerability that allows a remote attacker to perform read/write operations, leading to code execution, via a crafted HTML page. Thi… | |||
| CVE-2016-1646 | unknown | — | 1.5 | 4y ago | Google Chromium V8 Engine contains an out-of-bounds read vulnerability that allows a remote attacker to cause a denial of service or possibly have another unspecified impact via crafted JavaScript co… | |||
| CVE-2016-7256 | unknown | — | 1.5 | 4y ago | A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploits this vulnerability could take con… | |||
| CVE-2016-3393 | unknown | — | 1.5 | 4y ago | A remote code execution vulnerability exists due to the way the Windows GDI component handles objects in the memory. An attacker who successfully exploits this vulnerability could take control of the… | |||
| CVE-2016-1010 | unknown | — | 1.5 | 4y ago | Integer overflow vulnerability in Adobe Flash Player and AIR allows attackers to execute code. | |||
| CVE-2016-0034 | unknown | — | 1.5 | 4y ago | Microsoft Silverlight mishandles negative offsets during decoding, which allows attackers to execute remote code or cause a denial-of-service (DoS). | |||
| CVE-2016-3351 | unknown | — | 1.5 | 4y ago | An information disclosure vulnerability exists in the way that certain functions in Internet Explorer and Edge handle objects in memory. The vulnerability could allow an attacker to detect specific f… | |||
| CVE-2016-0162 | unknown | — | 1.5 | 4y ago | An information disclosure vulnerability exists when Internet Explorer does not properly handle JavaScript. The vulnerability could allow an attacker to detect specific files on the user's computer. | |||
| CVE-2016-3298 | unknown | — | 1.5 | 4y ago | An information disclosure vulnerability exists when the Microsoft Internet Messaging API improperly handles objects in memory. An attacker who successfully exploited this vulnerability could allow th… | |||
| CVE-2016-8735 | unknown | — | 1.5 | 4y ago | Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an att… | |||
| CVE-2016-4523 | unknown | — | 1.5 | 4y ago | The WAP interface in Trihedral VTScada (formerly VTS) allows remote attackers to cause a denial-of-service (DoS). | |||
| CVE-2016-4171 | unknown | — | 1.5 | 4y ago | Unspecified vulnerability in Adobe Flash Player allows for remote code execution. | |||
| CVE-2016-7892 | unknown | — | 1.5 | 4y ago | Adobe Flash Player has an exploitable use-after-free vulnerability in the TextField class. | |||
| CVE-2016-7262 | unknown | — | 1.5 | 4y ago | A security feature bypass vulnerability exists when Microsoft Office improperly handles input. An attacker who successfully exploited the vulnerability could execute arbitrary commands. | |||
| CVE-2016-7193 | unknown | — | 1.5 | 4y ago | Microsoft Office contains a memory corruption vulnerability which can allow for remote code execution. | |||
| CVE-2016-7855 | unknown | — | 1.5 | 4y ago | Use-after-free vulnerability in Adobe Flash Player Windows and OS and Linux allows remote attackers to execute arbitrary code. | |||
| CVE-2016-8562 | unknown | — | 1.5 | 4y ago | An improper privilege management vulnerability exists within the Siemens SIMATIC Communication Processor (CP) that allows a privileged attacker to remotely cause a denial of service. | |||
| CVE-2016-1019 | unknown | — | 1.5 | 4y ago | Adobe Flash Player allows remote attackers to cause a denial of service or possibly execute arbitrary code. | |||
| CVE-2016-0167 | unknown | — | 1.5 | 5y ago | Microsoft Win32k contains an unspecified vulnerability that allows for privilege escalation via a crafted application | |||
| CVE-2016-9563 | unknown | — | 1.5 | 5y ago | SAP NetWeaver Application Server Java Platforms contains an unspecified vulnerability in BC-BMT-BPM-DSK which allows remote, authenticated users to conduct XML External Entity (XXE) attacks. | |||
| CVE-2016-15057 | unknown | — | 1.0 | 4mo ago | Apache Continuum vulnerable to Command Injection through Installations REST API | |||
| CVE-2016-9952 | unknown | — | — | — | The verify_certificate function in lib/vtls/schannel.c in libcurl 7.30.0 through 7.51.0, when built for Windows CE using the schannel TLS backend, makes it easier for remote attackers to conduct man-… | |||
| CVE-2016-4983 | unknown | — | — | — | A postinstall script in the dovecot rpm allows local users to read the contents of newly created SSL/TLS key files. | |||
| CVE-2016-4606 | unknown | — | — | — | Curl before 7.49.1 in Apple OS X before macOS Sierra prior to 10.12 allows remote or local attackers to execute arbitrary code, gain sensitive information, cause denial-of-service conditions, bypass … | |||
| CVE-2016-5285 | unknown | — | — | — | A Null pointer dereference vulnerability exists in Mozilla Network Security Services due to a missing NULL check in PK11_SignWithSymKey / ssl3_ComputeRecordMACConstantTime, which could let a remote m… | |||
| CVE-2016-1585 | unknown | — | — | — | In all versions of AppArmor mount rules are accidentally widened when compiled. | |||
| CVE-2016-1000108 | unknown | — | — | — | yaws before 2.0.4 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY … |