CVEs from 2016
Total
8,452
critical
critical 1,164
high
high 3,521
medium
medium 3,173
low
low 248
% Critical
13.8%
% with KEV
0.7%
% with exploit
6.8%
Top vendors
Top products
- phpmyadmin 3,382
- php 1,748
- squid 1,549
- samba 1,093
- drupal 868
- firefox 757
- moodle 700
- openssl 664
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2016-10723 | unknown | — | — | — | An issue was discovered in the Linux kernel through 4.17.2. Since the page allocator does not yield CPU resources to the owner of the oom_lock mutex, a local unprivileged user can trivially lock up t… | |||
| CVE-2016-9604 | unknown | — | — | — | It was discovered in the Linux kernel before 4.11-rc8 that root can gain direct access to an internal keyring, such as '.dns_resolver' in RHEL-7 or '.builtin_trusted_keys' upstream, by joining it as … | |||
| CVE-2016-1585 | unknown | — | — | — | In all versions of AppArmor mount rules are accidentally widened when compiled. | |||
| CVE-2016-4983 | unknown | — | — | — | A postinstall script in the dovecot rpm allows local users to read the contents of newly created SSL/TLS key files. | |||
| CVE-2016-9602 | unknown | — | — | — | Qemu before version 2.9 is vulnerable to an improper link following when built with the VirtFS. A privileged user inside guest could use this flaw to access host file system beyond the shared folder … | |||
| CVE-2016-7076 | unknown | — | — | — | sudo before version 1.8.18p1 is vulnerable to a bypass in the sudo noexec restriction if application run via sudo executed wordexp() C library function with a user supplied argument. A local user per… | |||
| CVE-2016-1000108 | unknown | — | — | — | yaws before 2.0.4 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY … | |||
| CVE-2016-1000107 | unknown | — | — | — | inets in Erlang possibly 22.1 and earlier follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable… | |||
| CVE-2016-5285 | unknown | — | — | — | A Null pointer dereference vulnerability exists in Mozilla Network Security Services due to a missing NULL check in PK11_SignWithSymKey / ssl3_ComputeRecordMACConstantTime, which could let a remote m… | |||
| CVE-2016-10711 | unknown | — | — | — | Apsis Pound before 2.8a allows request smuggling via crafted headers, a different vulnerability than CVE-2005-3751. | |||
| CVE-2016-9953 | unknown | — | — | — | The verify_certificate function in lib/vtls/schannel.c in libcurl 7.30.0 through 7.51.0, when built for Windows CE using the schannel TLS backend, allows remote attackers to obtain sensitive informat… | |||
| CVE-2016-8635 | unknown | — | — | — | It was found that Diffie Hellman Client key exchange handling in NSS 3.21.x was vulnerable to small subgroup confinement attack. An attacker could use this flaw to recover private keys by confining t… | |||
| CVE-2016-9574 | unknown | — | — | — | nss before version 3.30 is vulnerable to a remote denial of service during the session handshake when using SessionTicket extension and ECDHE-ECDSA. | |||
| CVE-2016-9074 | unknown | — | — | — | An existing mitigation of timing side-channel attacks is insufficient in some circumstances. This issue is addressed in Network Security Services (NSS) 3.26.1. This vulnerability affects Thunderbird … | |||
| CVE-2016-7069 | unknown | — | — | — | An issue has been found in dnsdist before 1.2.0 in the way EDNS0 OPT records are handled when parsing responses from a backend. When dnsdist is configured to add EDNS Client Subnet to a query, the re… | |||
| CVE-2016-20022 | unknown | — | — | — | In the Linux kernel before 4.8, usb_parse_endpoint in drivers/usb/core/config.c does not validate the wMaxPacketSize field of an endpoint descriptor. NOTE: This vulnerability only affects products th… | |||
| CVE-2016-10746 | unknown | — | — | — | libvirt-domain.c in libvirt before 1.3.1 supports virDomainGetTime API calls by guest agents with an RO connection, even though an RW connection was supposed to be required, a different vulnerability… | |||
| CVE-2016-15026 | unknown | — | — | 3y ago | dd-plist XML External Entitly vulnerability | |||
| CVE-2016-15011 | unknown | — | — | 3y ago | dssp vulnerable to Improper Restriction of XML External Entity Reference | |||
| CVE-2016-1000273 | unknown | — | — | 4y ago | Java Melody vulnerable to cross-site scripting | |||
| CVE-2016-1000027 | unknown | — | — | 4y ago | Pivotal Spring Framework contains unsafe Java deserialization methods | |||
| CVE-2016-10750 | unknown | — | — | 4y ago | Deserialization of Untrusted Data in Hazelcast | |||
| CVE-2016-7043 | unknown | — | — | 4y ago | Password in config file in KIE server | |||
| CVE-2016-9606 | unknown | — | — | 4y ago | JBoss RESTEasy vulnerable to Improper Input Validation | |||
| CVE-2016-8747 | unknown | — | — | 4y ago | Apache Tomcat allows remote attackers to read data that was intended to be associated with a different request | |||
| CVE-2016-6810 | unknown | — | — | 4y ago | Improper Neutralization of Input During Web Page Generation Apache ActiveMQ | |||
| CVE-2016-9589 | unknown | — | — | 4y ago | Red Hat Wildfly DoS | |||
| CVE-2016-6814 | unknown | — | — | 4y ago | Deserialization of Untrusted Data in Groovy | |||
| CVE-2016-11024 | unknown | — | — | 5y ago | SQL Injection in odata4j | |||
| CVE-2016-3674 | unknown | — | — | 6y ago | XML External Entity Injection in XStream | |||
| CVE-2016-8750 | unknown | — | — | 8y ago | Moderate severity vulnerability that affects org.apache.karaf:apache-karaf | |||
| CVE-2016-10726 | unknown | — | — | 8y ago | High severity vulnerability that affects org.dspace:dspace-xmlui | |||
| CVE-2016-1000345 | unknown | — | — | 8y ago | Moderate severity vulnerability that affects org.bouncycastle:bcprov-jdk14 and org.bouncycastle:bcprov-jdk15 | |||
| CVE-2016-1000344 | unknown | — | — | 8y ago | In Bouncy Castle JCE Provider the DHIES implementation allowed the use of ECB mode | |||
| CVE-2016-8609 | unknown | — | — | 8y ago | Improper Authentication in org.keycloak:keycloak-core | |||
| CVE-2016-8629 | unknown | — | — | 8y ago | Moderate severity vulnerability that affects org.keycloak:keycloak-core | |||
| CVE-2016-1000352 | unknown | — | — | 8y ago | In Bouncy Castle JCE Provider the ECIES implementation allowed the use of ECB mode | |||
| CVE-2016-1000346 | unknown | — | — | 8y ago | In Bouncy Castle JCE Provider the other party DH public key is not fully validated | |||
| CVE-2016-1000343 | unknown | — | — | 8y ago | In Bouncy Castle JCE Provider the DSA key pair generator generates a weak private key if used with default values | |||
| CVE-2016-1000342 | unknown | — | — | 8y ago | In Bouncy Castle JCE Provider ECDSA does not fully validate ASN.1 encoding of signature on verification | |||
| CVE-2016-1000341 | unknown | — | — | 8y ago | Moderate severity vulnerability that affects org.bouncycastle:bcprov-jdk14 and org.bouncycastle:bcprov-jdk15 | |||
| CVE-2016-1000340 | unknown | — | — | 8y ago | The Bouncy Castle JCE Provider carry a propagation bug | |||
| CVE-2016-1000339 | unknown | — | — | 8y ago | Moderate severity vulnerability that affects org.bouncycastle:bcprov-jdk14 and org.bouncycastle:bcprov-jdk15 | |||
| CVE-2016-1000338 | unknown | — | — | 8y ago | In Bouncy Castle JCE Provider it is possible to inject extra elements in the sequence making up the signature and still have it validate | |||
| CVE-2016-10707 | unknown | — | — | 9y ago | Denial of Service in jquery | |||
| CVE-2016-10931 | unknown | — | — | 10y ago | An issue was discovered in the openssl crate before 0.9.0 for Rust. There is an SSL/TLS man-in-the-middle vulnerability because certificate verification is off by default and there is no API for host… |