CVEs from 2016
Total
8,565
critical
critical 1,164
high
high 3,521
medium
medium 3,172
low
low 249
% Critical
13.6%
% with KEV
0.7%
% with exploit
0.7%
Top vendors
Top products
- phpmyadmin 3,382
- php 1,748
- squid 1,549
- samba 1,093
- drupal 868
- firefox 757
- moodle 700
- openssl 664
| CVE | Severity | CVSS | Risk | Published | Description | Impact |
|---|---|---|---|---|---|---|
| CVE-2016-9079 | critical | — | 10.0 | 3y ago | Mozilla Firefox, Firefox ESR, and Thunderbird contain a use-after-free vulnerability in SVG Animation, targeting Firefox and Tor browser users on Windows. | |
| CVE-2016-8027 | critical | 10.0 | 10.0 | 9y ago | SQL injection vulnerability in core services in Intel Security McAfee ePolicy Orchestrator (ePO) 5.3.2 and earlier and 5.1.3 and earlier allows attackers to alter a SQL query, which can result in dis… | |
| CVE-2016-9343 | critical | 10.0 | 10.0 | 9y ago | An issue was discovered in Rockwell Automation Logix5000 Programmable Automation Controller FRN 16.00 through 21.00 (excluding all firmware versions prior to FRN 16.00, which are not affected). By se… | |
| CVE-2016-8363 | critical | 10.0 | 10.0 | 9y ago | An issue was discovered in Moxa OnCell OnCellG3470A-LTE, AWK-1131A/3131A/4131A Series, AWK-3191 Series, AWK-5232/6232 Series, AWK-1121/1127 Series, WAC-1001 V2 Series, WAC-2004 Series, AWK-3121-M12-R… | |
| CVE-2016-8352 | critical | 10.0 | 10.0 | 9y ago | An issue was discovered in Schneider Electric ConneXium firewalls TCSEFEC23F3F20 all versions, TCSEFEC23F3F21 all versions, TCSEFEC23FCF20 all versions, TCSEFEC23FCF21 all versions, and TCSEFEC2CF3F2… | |
| CVE-2016-8938 | critical | 10.0 | 10.0 | 9y ago | IBM UrbanCode Deploy could allow a user to execute code using a specially crafted file upload that would replace code on the server. This code could be executed on the UCD agent machines that host cu… | |
| CVE-2016-6082 | critical | 10.0 | 10.0 | 9y ago | IBM BigFix Platform could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free race condition. An attacker could exploit this vulnerability to execute arbitrary… | |
| CVE-2016-10043 | critical | 10.0 | 10.0 | 9y ago | An issue was discovered in Radisys MRF Web Panel (SWMS) 9.0.1. The MSM_MACRO_NAME POST parameter in /swms/ms.cgi was discovered to be vulnerable to OS command injection attacks. It is possible to use… | |
| CVE-2016-7457 | critical | 10.0 | 10.0 | 10y ago | VMware vRealize Operations (aka vROps) 6.x before 6.4.0 allows remote authenticated users to gain privileges, or halt and remove virtual machines, via unspecified vectors. | |
| CVE-2016-5788 | critical | 10.0 | 10.0 | 10y ago | General Electric (GE) Bently Nevada 3500/22M USB with firmware before 5.0 and Bently Nevada 3500/22M Serial have open ports, which makes it easier for remote attackers to obtain privileged access via… | |
| CVE-2016-4787 | critical | 10.0 | 10.0 | 10y ago | Pulse Connect Secure (PCS) 8.2 before 8.2r1, 8.1 before 8.1r2, 8.0 before 8.0r10, and 7.4 before 7.4r13.4 allow remote attackers to read sensitive system authentication files in an unspecified direct… | |
| CVE-2016-1044 | critical | 10.0 | 10.0 | 10y ago | Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC Classic before 15.006.30172, and Acrobat and Acrobat Reader DC Continuous before 15.016.20039 on Windows and OS X allow attacker… | |
| CVE-2016-1041 | critical | 10.0 | 10.0 | 10y ago | Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC Classic before 15.006.30172, and Acrobat and Acrobat Reader DC Continuous before 15.016.20039 on Windows and OS X allow attacker… | |
| CVE-2016-1038 | critical | 10.0 | 10.0 | 10y ago | Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC Classic before 15.006.30172, and Acrobat and Acrobat Reader DC Continuous before 15.016.20039 on Windows and OS X allow attacker… | |
| CVE-2016-1343 | critical | 10.0 | 10.0 | 10y ago | The XML parser in Cisco Information Server (CIS) 6.2 allows remote attackers to read arbitrary files or cause a denial of service (CPU and memory consumption) via an external entity declaration in co… | |
| CVE-2016-1505 | critical | 10.0 | 10.0 | 11y ago | Radicale is vulnerable to directory traversal on Windows Filesystem Storage Backend component | |
| CVE-2016-1931 | critical | 10.0 | 10.0 | 11y ago | Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 44.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly exe… | |
| CVE-2016-1985 | critical | 10.0 | 10.0 | 11y ago | HPE Operations Manager 8.x and 9.0 on Windows allows remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections library. | |
| CVE-2016-0494 | critical | — | 10.0 | 11y ago | Unspecified vulnerability in the Java SE and Java SE Embedded components in Oracle Java SE 6u105, 7u91, and 8u66 and Java SE Embedded 8u65 allows remote attackers to affect confidentiality, integrity… | |
| CVE-2016-0483 | critical | — | 10.0 | 11y ago | Unspecified vulnerability in Oracle Java SE 6u105, 7u91, and 8u66; Java SE Embedded 8u65; and JRockit R28.3.8 allows remote attackers to affect confidentiality, integrity, and availability via vector… | |
| CVE-2016-0452 | critical | — | 10.0 | 11y ago | Unspecified vulnerability in the Oracle GoldenGate component in Oracle GoldenGate 11.2 and 12.1.2 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors, a… | |
| CVE-2016-0451 | critical | — | 10.0 | 11y ago | Unspecified vulnerability in the Oracle GoldenGate component in Oracle GoldenGate 11.2 and 12.1.2 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors, a… | |
| CVE-2016-6903 | critical | 9.9 | 9.9 | 9y ago | lshell 0.9.16 allows remote authenticated users to break out of a limited shell and execute arbitrary commands. | |
| CVE-2016-6902 | critical | 9.9 | 9.9 | 9y ago | lshell 0.9.16 allows remote authenticated users to break out of a limited shell and execute arbitrary commands. | |
| CVE-2016-9269 | critical | 9.9 | 9.9 | 9y ago | Remote Command Execution in com.trend.iwss.gui.servlet.ManagePatches in Trend Micro Interscan Web Security Virtual Appliance (IWSVA) version 6.5-SP2_Build_Linux_1707 and earlier allows authenticated,… | |
| CVE-2016-8355 | critical | 9.9 | 9.9 | 9y ago | An issue was discovered in Smiths-Medical CADD-Solis Medication Safety Software, Version 1.0; 2.0; 3.0; and 3.1. CADD-Solis Medication Safety Software grants an authenticated user elevated privileges… | |
| CVE-2016-9832 | critical | 9.9 | 9.9 | 10y ago | PricewaterhouseCoopers (PwC) ACE-ABAP 8.10.304 for SAP Security allows remote authenticated users to conduct ABAP injection attacks and execute arbitrary code via (1) SAPGUI or (2) Internet Communica… | |
| CVE-2016-2396 | critical | 9.9 | 9.9 | 10y ago | The GMS ViewPoint (GMSVP) web application in Dell SonicWALL GMS, Analyzer, and UMA EM5000 7.2, 8.0, and 8.1 before Hotfix 168056 allows remote authenticated users to execute arbitrary commands via ve… | |
| CVE-2016-5713 | critical | 9.8 | 9.8 | 9y ago | Versions of Puppet Agent prior to 1.6.0 included a version of the Puppet Execution Protocol (PXP) agent that passed environment variables through to Puppet runs. This could allow unauthorized code to… | |
| CVE-2016-1253 | critical | 9.8 | 9.8 | 9y ago | The most package in Debian wheezy before 5.0.0a-2.2, in Debian jessie before 5.0.0a-2.3+deb8u1, and in Debian unstable before 5.0.0a-3 allows remote attackers to execute arbitrary commands via shell … | |
| CVE-2016-0872 | critical | 9.8 | 9.8 | 9y ago | A Plaintext Storage of a Password issue was discovered in Kabona AB WebDatorCentral (WDC) versions prior to Version 3.4.0. WDC stores password credentials in plaintext. | |
| CVE-2016-5003 | critical | 9.8 | 9.8 | 9y ago | Apache XML-RPC vulnerable to Deserialization of Untrusted Data | |
| CVE-2016-1265 | critical | 9.8 | 9.8 | 9y ago | A remote unauthenticated network based attacker with access to Junos Space may execute arbitrary code on Junos Space or gain access to devices managed by Junos Space using cross site request forgery … | |
| CVE-2016-5791 | critical | 9.8 | 9.8 | 9y ago | An Improper Authentication issue was discovered in JanTek JTC-200, all versions. The improper authentication could provide an undocumented BusyBox Linux shell accessible over the TELNET service witho… | |
| CVE-2016-8736 | critical | 9.8 | 9.8 | 9y ago | Apache OpenMeetings RCE | |
| CVE-2016-8937 | critical | 9.8 | 9.8 | 9y ago | The IBM Tivoli Storage Manager (IBM Spectrum Protect 7.1 and 8.1) default authentication protocol is vulnerable to a brute force attack due to disclosing too much information during authentication. A… | |
| CVE-2016-10512 | critical | 9.8 | 9.8 | 9y ago | MultiTech FaxFinder before 4.1.2 stores Passwords unencrypted for maintaining the test connectivity function of its LDAP configuration. These credentials are retrieved by the system when the LDAP con… | |
| CVE-2016-6795 | critical | 9.8 | 9.8 | 9y ago | Path Traversal in Apache Struts | |
| CVE-2016-10405 | critical | 9.8 | 9.8 | 9y ago | Session fixation vulnerability in D-Link DIR-600L routers (rev. Ax) with firmware before FW1.17.B01 allows remote attackers to hijack web sessions via unspecified vectors. | |
| CVE-2016-3086 | critical | 9.8 | 9.8 | 9y ago | Exposure of Sensitive Information to an Unauthorized Actor in Apache Hadoop | |
| CVE-2016-4460 | critical | 9.8 | 9.8 | 9y ago | Apache Pony Mail 0.6c through 0.8b allows remote attackers to bypass authentication. | |
| CVE-2016-5872 | critical | 9.8 | 9.8 | 9y ago | In all Qualcomm products with Android releases from CAF using the Linux kernel, arguments to several QTEE syscalls are not properly validated. | |
| CVE-2016-5871 | critical | 9.8 | 9.8 | 9y ago | In all Qualcomm products with Android releases from CAF using the Linux kernel, an integer overflow to buffer overflow vulnerability exists when loading an image file. | |
| CVE-2016-10392 | critical | 9.8 | 9.8 | 9y ago | In all Qualcomm products with Android releases from CAF using the Linux kernel, a driver can potentially leak kernel memory. | |
| CVE-2016-10391 | critical | 9.8 | 9.8 | 9y ago | In all Qualcomm products with Android releases from CAF using the Linux kernel, the length in an HCI command is not properly checked for validity. | |
| CVE-2016-10390 | critical | 9.8 | 9.8 | 9y ago | In all Qualcomm products with Android releases from CAF using the Linux kernel, when downloading a file, an excessive amount of memory may be consumed. | |
| CVE-2016-10388 | critical | 9.8 | 9.8 | 9y ago | In all Qualcomm products with Android releases from CAF using the Linux kernel, a configuration vulnerability exists when loading a 3rd-party QTEE application. | |
| CVE-2016-10387 | critical | 9.8 | 9.8 | 9y ago | In all Qualcomm products with Android releases from CAF using the Linux kernel, an assertion was potentially reachable in a handover scenario. | |
| CVE-2016-10386 | critical | 9.8 | 9.8 | 9y ago | In all Qualcomm products with Android releases from CAF using the Linux kernel, an array index out of bounds vulnerability exists in LPP. | |
| CVE-2016-10385 | critical | 9.8 | 9.8 | 9y ago | In all Qualcomm products with Android releases from CAF using the Linux kernel, a use-after-free vulnerability exists in IMS RCS. | |
| CVE-2016-10384 | critical | 9.8 | 9.8 | 9y ago | In all Qualcomm products with Android releases from CAF using the Linux kernel, an assertion was potentially reachable in a WLAN driver ioctl. | |
| CVE-2016-10382 | critical | 9.8 | 9.8 | 9y ago | In all Qualcomm products with Android releases from CAF using the Linux kernel, access control to the I2C bus is not sufficient. | |
| CVE-2016-10381 | critical | 9.8 | 9.8 | 9y ago | In all Qualcomm products with Android releases from CAF using the Linux kernel, the UE can send unprotected MeasurementReports revealing UE location. | |
| CVE-2016-10380 | critical | 9.8 | 9.8 | 9y ago | In all Qualcomm products with Android releases from CAF using the Linux kernel, the UE can send unprotected MeasurementReports revealing UE location. | |
| CVE-2016-10347 | critical | 9.8 | 9.8 | 9y ago | In all Qualcomm products with Android releases from CAF using the Linux kernel, an argument to a hypervisor function is not properly validated. | |
| CVE-2016-10346 | critical | 9.8 | 9.8 | 9y ago | In all Qualcomm products with Android releases from CAF using the Linux kernel, an integer overflow vulnerability exists in the hypervisor. | |
| CVE-2016-10344 | critical | 9.8 | 9.8 | 9y ago | In all Qualcomm products with Android releases from CAF using the Linux kernel, the use of an out-of-range pointer offset is potentially possible in LTE. | |
| CVE-2016-10343 | critical | 9.8 | 9.8 | 9y ago | In all Qualcomm products with Android releases from CAF using the Linux kernel, sSL handshake failure with ClientHello rejection results in memory leak. | |
| CVE-2016-6798 | critical | 9.8 | 9.8 | 9y ago | XML External Entity Reference in Apache Sling | |
| CVE-2016-8964 | critical | 9.8 | 9.8 | 9y ago | IBM BigFix Inventory v9 9.2 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. IBM X-Force ID: 118853. | |
| CVE-2016-4000 | critical | 9.8 | 9.8 | 9y ago | Jython before 2.7.1rc1 allows attackers to execute arbitrary code via a crafted serialized PyFunction object. | |
| CVE-2016-9358 | critical | 9.8 | 9.8 | 9y ago | A Hard-Coded Passwords issue was discovered in Marel Food Processing Systems M3000 terminal associated with the following systems: A320, A325, A371, A520 Master, A520 Slave, A530, A542, A571, Check B… | |
| CVE-2016-0959 | critical | 9.8 | 9.8 | 9y ago | Use after free vulnerability in Adobe Flash Player Desktop Runtime before 20.0.0.267, Adobe Flash Player Extended Support Release before 18.0.0.324, Adobe Flash Player for Google Chrome before 20.0.0… | |
| CVE-2016-8731 | critical | 9.8 | 9.8 | 9y ago | Hard-coded FTP credentials (r:r) are included in the Foscam C1 running firmware 1.9.1.12. Knowledge of these credentials would allow remote access to any cameras found on the internet that do not hav… | |
| CVE-2016-5411 | critical | 9.8 | 9.8 | 9y ago | /var/lib/ovirt-engine/setup/engine-DC-config.py in Red Hat QuickStart Cloud Installer (QCI) before 1.0 GA is created world readable and contains the root password of the deployed system. | |
| CVE-2016-8218 | critical | 9.8 | 9.8 | 9y ago | An issue was discovered in Cloud Foundry Foundation routing-release versions prior to 0.142.0 and cf-release versions 203 to 231. Incomplete validation logic in JSON Web Token (JWT) libraries can all… | |
| CVE-2016-6655 | critical | 9.8 | 9.8 | 9y ago | An issue was discovered in Cloud Foundry Foundation Cloud Foundry release versions prior to v245 and cf-mysql-release versions prior to v31. A command injection vulnerability was discovered in a comm… | |
| CVE-2016-7806 | critical | 9.8 | 9.8 | 9y ago | I-O DATA DEVICE WFS-SR01 firmware version 1.10 and earlier allow remote attackers to execute arbitrary OS commands via unspecified vectors. | |
| CVE-2016-6093 | critical | 9.8 | 9.8 | 9y ago | IBM Tivoli Key Lifecycle Manager does not require that users should have strong passwords by default, which makes it easier for attackers to compromise user accounts. | |
| CVE-2016-4473 | critical | 9.8 | 9.8 | 9y ago | /ext/phar/phar_object.c in PHP 7.0.7 and 5.6.x allows remote attackers to execute arbitrary code. NOTE: Introduced as part of an incomplete fix to CVE-2015-6833. | |
| CVE-2016-7050 | critical | 9.8 | 9.8 | 9y ago | SerializableProvider in RESTEasy in Red Hat Enterprise Linux Desktop 7, Red Hat Enterprise Linux HPC Node 7, Red Hat Enterprise Linux Server 7, and Red Hat Enterprise Linux Workstation 7 allows remot… | |
| CVE-2016-5405 | critical | 9.8 | 9.8 | 9y ago | 389 Directory Server in Red Hat Enterprise Linux Desktop 6 through 7, Red Hat Enterprise Linux HPC Node 6 through 7, Red Hat Enterprise Linux Server 6 through 7, and Red Hat Enterprise Linux Workstat… | |
| CVE-2016-3690 | critical | 9.8 | 9.8 | 9y ago | The PooledInvokerServlet in JBoss EAP 4.x and 5.x allows remote attackers to execute arbitrary code via a crafted serialized payload. | |
| CVE-2016-2034 | critical | 9.8 | 9.8 | 9y ago | SQL injection vulnerability in ClearPass Policy Manager 6.5.x through 6.5.6 and 6.6.0. | |
| CVE-2016-6087 | critical | 9.8 | 9.8 | 9y ago | IBM Domino 8.5 and 9.0 could allow an attacker to steal credentials using multiple sessions and large amounts of data using Domino TLS Key Exchange validation. IBM X-Force ID: 117918. | |
| CVE-2016-9961 | critical | 9.8 | 9.8 | 9y ago | game-music-emu before 0.6.1 mishandles unspecified integer values. | |
| CVE-2016-0726 | critical | 9.8 | 9.8 | 9y ago | The Fedora Nagios package uses "nagiosadmin" as the default password for the "nagiosadmin" administrator account, which makes it easier for remote attackers to obtain access by leveraging knowledge o… | |
| CVE-2016-10375 | critical | 9.8 | 9.8 | 9y ago | Yodl before 3.07.01 has a Buffer Over-read in the queue_push function in queue/queuepush.c. | |
| CVE-2016-0761 | critical | 9.8 | 9.8 | 9y ago | Cloud Foundry Garden-Linux versions prior to v0.333.0 and Elastic Runtime 1.6.x version prior to 1.6.17 contain a flaw in managing container files during Docker image preparation that could be used t… | |
| CVE-2016-9843 | critical | 9.8 | 9.8 | 9y ago | The crc32_big function in crc32.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving big-endian CRC calculation. | |
| CVE-2016-9841 | critical | 9.8 | 9.8 | 9y ago | inffast.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic. | |
| CVE-2016-7979 | critical | 9.8 | 9.8 | 9y ago | Ghostscript before 9.21 might allow remote attackers to bypass the SAFER mode protection mechanism and consequently execute arbitrary code by leveraging type confusion in .initialize_dsc_parser. | |
| CVE-2016-7978 | critical | 9.8 | 9.8 | 9y ago | Use-after-free vulnerability in Ghostscript 9.20 might allow remote attackers to execute arbitrary code via vectors related to a reference leak in .setdevice. | |
| CVE-2016-5178 | critical | 9.8 | 9.8 | 9y ago | Multiple unspecified vulnerabilities in Google Chrome before 53.0.2785.143 allow remote attackers to cause a denial of service or possibly have other impact via unknown vectors. | |
| CVE-2016-4905 | critical | 9.8 | 9.8 | 9y ago | SQL injection vulnerability in the WP-OliveCart versions prior to 3.1.3 and WP-OliveCartPro versions prior to 3.1.8 allows attackers with administrator rights to execute arbitrary SQL commands via un… | |
| CVE-2016-10372 | critical | 9.8 | 9.8 | 9y ago | The Eir D1000 modem does not properly restrict the TR-064 protocol, which allows remote attackers to execute arbitrary commands via TCP port 7547, as demonstrated by opening WAN access to TCP port 80… | |
| CVE-2016-10329 | critical | 9.8 | 9.8 | 9y ago | Command injection vulnerability in login.php in Synology Photo Station before 6.5.3-3226 allows remote attackers to execute arbitrary code via shell metacharacters in the crafted 'X-Forwarded-For' he… | |
| CVE-2016-5006 | critical | 9.8 | 9.8 | 9y ago | The Cloud Controller in Cloud Foundry before 239 logs user-provided service objects at creation, which allows attackers to obtain sensitive user credential information via unspecified vectors. | |
| CVE-2016-10243 | critical | 9.8 | 9.8 | 9y ago | TeX Live allows remote attackers to execute arbitrary commands by leveraging inclusion of mpost in shell_escape_commands in the texmf.cnf config file. | |
| CVE-2016-8584 | critical | 9.8 | 9.8 | 9y ago | Trend Micro Threat Discovery Appliance 2.6.1062r1 and earlier uses predictable session values, which allows remote attackers to bypass authentication by guessing the value. | |
| CVE-2016-3109 | critical | 9.8 | 9.8 | 9y ago | Shopware RCE Vulnerability | |
| CVE-2016-3067 | critical | 9.8 | 9.8 | 9y ago | Cygwin before 2.5.0 does not properly handle updating permissions when changing users, which allows attackers to gain privileges. | |
| CVE-2016-2173 | critical | 9.8 | 9.8 | 9y ago | Improper Input Validation in Spring AMQP | |
| CVE-2016-1560 | critical | 9.8 | 9.8 | 9y ago | ExaGrid appliances with firmware before 4.8 P26 have a default password of (1) inflection for the root shell account and (2) support for the support account in the web interface, which allows remote … | |
| CVE-2016-1558 | critical | 9.8 | 9.8 | 9y ago | Buffer overflow in D-Link DAP-2310 2.06 and earlier, DAP-2330 1.06 and earlier, DAP-2360 2.06 and earlier, DAP-2553 H/W ver. B1 3.05 and earlier, DAP-2660 1.11 and earlier, DAP-2690 3.15 and earlier,… | |
| CVE-2016-1557 | critical | 9.8 | 9.8 | 9y ago | Netgear WNAP320, WNDAP350, and WNDAP360 before 3.5.5.0 reveal wireless passwords and administrative usernames and passwords over SNMP. | |
| CVE-2016-5762 | critical | 9.8 | 9.8 | 9y ago | Integer overflow in the Post Office Agent in Novell GroupWise before 2014 R2 Service Pack 1 Hot Patch 1 might allow remote attackers to execute arbitrary code via a long (1) username or (2) password,… | |
| CVE-2016-1219 | critical | 9.8 | 9.8 | 9y ago | Cybozu Garoon before 4.2.2 allows remote attackers to bypass login authentication via vectors related to API use. | |
| CVE-2016-6727 | critical | 9.8 | 9.8 | 9y ago | The Qualcomm GPS subsystem in Android on Android One devices allows remote attackers to execute arbitrary code. | |
| CVE-2016-6726 | critical | 9.8 | 9.8 | 9y ago | Unspecified vulnerability in Qualcomm components in Android on Nexus 6 and Android One devices. |