CVEs from 2016
Total: 8,565
Critical: 1,164
High: 3,521
Medium: 3,172
Low: 249
(The four severity buckets sum to 8,106, so 459 of the 8,565 entries carry no severity rating.)
% Critical: 13.6%
% with KEV: 0.7%
% with exploit: 0.7%
Top vendors
Top products
- phpmyadmin 3,382
- php 1,748
- squid 1,549
- samba 1,093
- drupal 868
- firefox 757
- moodle 700
- openssl 664
| CVE | Severity | CVSS | Risk | Published | Description | Impact |
|---|---|---|---|---|---|---|
| CVE-2016-5195 | high | — | 9.5 | 4y ago | Race condition in mm/gup.c in the Linux kernel 2.6.22 through 4.x before 4.8.3 allows local users to gain privileges by leveraging incorrect handling of a copy-on-write (COW) feature to write to a read-only memory mapping (Dirty COW; exploited in the wild in October 2016). | |
| CVE-2016-10033 | high | — | 9.5 | 6y ago | PHPMailer contains a command injection vulnerability because it fails to sanitize user-supplied input. Specifically, this issue affects the 'mail()' function of 'class.phpmailer.php' script. An attac… | |
| CVE-2016-3105 | high | 8.8 | 8.8 | 4y ago | The convert extension in Mercurial before 3.8 might allow context-dependent attackers to execute arbitrary code via a crafted git repository name. | |
| CVE-2016-3072 | high | 8.8 | 8.8 | 4y ago | Katello SQL Injection vulnerabilities | |
| CVE-2016-3691 | high | 8.8 | 8.8 | 4y ago | Routes in Kallithea before 0.3.2 allows remote attackers to bypass the CSRF protection by using the GET HTTP request method. | |
| CVE-2016-5851 | high | 8.8 | 8.8 | 4y ago | python-docx before 0.8.6 allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted document. | |
| CVE-2016-10701 | high | 8.8 | 8.8 | 9y ago | In Hitachi Vantara Pentaho BA Platform through 8.0, a CSRF issue exists in the Business Analytics application. | |
| CVE-2016-10700 | high | 8.8 | 8.8 | 9y ago | auth_login.php in Cacti before 1.0.0 allows remote authenticated users who use web authentication to bypass intended access restrictions by logging in as a user not in the cacti database, because the… | |
| CVE-2016-3090 | high | 8.8 | 8.8 | 9y ago | Apache Struts RCE Vulnerability | |
| CVE-2016-4461 | high | 8.8 | 8.8 | 9y ago | Apache Struts forced double OGNL evaluation | |
| CVE-2016-1261 | high | 8.8 | 8.8 | 9y ago | J-Web does not validate certain input that may lead to cross-site request forgery (CSRF) issues or cause a denial of J-Web service (DoS). | |
| CVE-2016-6806 | high | 8.8 | 8.8 | 9y ago | Apache Wicket vulnerable to CSRF attacks | |
| CVE-2016-8744 | high | 8.8 | 8.8 | 9y ago | Deserialization of Untrusted Data in Apache Brooklyn | |
| CVE-2016-8737 | high | 8.8 | 8.8 | 9y ago | Apache Brooklyn is vulnerable to cross-site request forgery (CSRF) | |
| CVE-2016-0732 | high | 8.8 | 8.8 | 9y ago | The identity zones feature in Pivotal Cloud Foundry 208 through 229; UAA 2.0.0 through 2.7.3 and 3.0.0; UAA-Release 2 through 4, when configured with multiple identity zones; and Elastic Runtime 1.6.… | |
| CVE-2016-4462 | high | 8.8 | 8.8 | 9y ago | By manipulating the URL parameter externalLoginKey, a malicious, logged in user could pass valid Freemarker directives to the Template Engine that are reflected on the webpage; a specially crafted Fr… | |
| CVE-2016-5861 | high | 8.8 | 8.8 | 9y ago | In a display driver in all Qualcomm products with Android for MSM, Firefox OS for MSM, or QRD Android, a variable controlled by userspace is used to calculate offsets and sizes for copy operations, w… | |
| CVE-2016-5716 | high | 8.8 | 8.8 | 9y ago | The console in Puppet Enterprise 2015.x and 2016.x prior to 2016.4.0 includes unsafe string reads that potentially allows for remote code execution on the console node. | |
| CVE-2016-7976 | high | 8.8 | 8.8 | 9y ago | The PS Interpreter in Ghostscript 9.18 and 9.20 allows remote attackers to execute arbitrary code via crafted userparams. | |
| CVE-2016-9716 | high | 8.8 | 8.8 | 9y ago | IBM InfoSphere Master Data Management Server 11.0, 11.3, 11.4, 11.5, and 11.6 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions t… | |
| CVE-2016-9714 | high | 8.8 | 8.8 | 9y ago | IBM InfoSphere Master Data Management Server 10.1, 11.0, 11.3, 11.4, 11.5, and 11.6 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized act… | |
| CVE-2016-10401 | high | 8.8 | 8.8 | 9y ago | ZyXEL PK5001Z devices have zyad5001 as the su password, which makes it easier for remote attackers to obtain root access if a non-root account password is known (or a non-root default account exists … | |
| CVE-2016-8493 | high | 8.8 | 8.8 | 9y ago | In FortiClientWindows 5.4.1 and 5.4.2, an attacker may escalate privilege via a FortiClientNamedPipe vulnerability. | |
| CVE-2016-1000218 | high | 8.8 | 8.8 | 9y ago | Kibana Reporting plugin version 2.4.0 is vulnerable to a CSRF vulnerability that could allow an attacker to generate superfluous reports whenever an authenticated Kibana user navigates to a specially… | |
| CVE-2016-9984 | high | 8.8 | 8.8 | 9y ago | IBM Maximo Asset Management 7.5 and 7.6 could allow a remote authenticated attacker to execute arbitrary commands on the system as administrator. IBM X-Force ID: 120276. | |
| CVE-2016-7830 | high | 8.8 | 8.8 | 9y ago | Sony PCS-XG100, PCS-XG100S, PCS-XG100C, PCS-XG77, PCS-XG77S, PCS-XG77C devices with firmware versions prior to Ver.1.51 and PCS-XC1 devices with firmware version prior to Ver.1.22 allow an attacker o… | |
| CVE-2016-7824 | high | 8.8 | 8.8 | 9y ago | Buffalo NC01WH devices with firmware version 1.0.0.8 and earlier allows authenticated attackers to bypass access restriction to enable the debug option via unspecified vectors. | |
| CVE-2016-7822 | high | 8.8 | 8.8 | 9y ago | Cross-site request forgery (CSRF) vulnerability in Buffalo WNC01WH devices with firmware version 1.0.0.8 and earlier allows remote attackers to hijack the authentication of a logged in user to perfor… | |
| CVE-2016-7811 | high | 8.8 | 8.8 | 9y ago | Corega CG-WLR300NX firmware Ver. 1.20 and earlier allows an attacker on the same network segment to bypass access restriction to perform arbitrary operations via unspecified vectors. | |
| CVE-2016-7809 | high | 8.8 | 8.8 | 9y ago | Cross-site request forgery (CSRF) vulnerability in Corega CG-WLR300NX firmware Ver. 1.20 and earlier allows remote attackers to hijack the authentication of logged in user to conduct unintended opera… | |
| CVE-2016-7803 | high | 8.8 | 8.8 | 9y ago | SQL injection vulnerability in the Cybozu Garoon 3.0.0 to 4.2.2 allows remote authenticated attackers to execute arbitrary SQL commands via "MultiReport" function. | |
| CVE-2016-4907 | high | 8.8 | 8.8 | 9y ago | Cybozu Garoon 3.0.0 to 4.2.2 allow remote attackers to obtain CSRF tokens via unspecified vectors. | |
| CVE-2016-4471 | high | 8.8 | 8.8 | 9y ago | ManageIQ in CloudForms before 4.1 allows remote authenticated users to execute arbitrary code. | |
| CVE-2016-9977 | high | 8.8 | 8.8 | 9y ago | IBM Maximo Asset Management 7.1, 7.5, and 7.6 could allow a remote attacker to hijack a user's session, caused by the failure to invalidate an existing session identifier. An attacker could exploit t… | |
| CVE-2016-8229 | high | 8.8 | 8.8 | 9y ago | A cross-site request forgery vulnerability in Lenovo Service Bridge before version 4 could be exploited by an attacker with access to the DHCP server used by the system where LSB is installed. | |
| CVE-2016-10377 | high | 8.8 | 8.8 | 9y ago | In Open vSwitch (OvS) 2.5.0, a malformed IP packet can cause the switch to read past the end of the packet buffer due to an unsigned integer underflow in `lib/flow.c` in the function `miniflow_extrac… | |
| CVE-2016-4977 | high | 8.8 | 8.8 | 9y ago | Spring Security OAuth vulnerable to remote code execution (RCE) via specially crafted request using whitelabel views | |
| CVE-2016-9842 | high | 8.8 | 8.8 | 9y ago | The inflateMark function in inflate.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving left shifts of negative integers. | |
| CVE-2016-9840 | high | 8.8 | 8.8 | 9y ago | inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic. | |
| CVE-2016-5177 | high | 8.8 | 8.8 | 9y ago | Use-after-free vulnerability in V8 in Google Chrome before 53.0.2785.143 allows remote attackers to cause a denial of service (crash) or possibly have unspecified other impact via unknown vectors. | |
| CVE-2016-6112 | high | 8.8 | 8.8 | 9y ago | IBM Distributed Marketing and Marketing Platform 8.6, 9.0, 9.1, and 10.0 could allow an authenticated user to escalate their privileges and gain administrative permissions over the web application. I… | |
| CVE-2016-4904 | high | 8.8 | 8.8 | 9y ago | Cross-site request forgery (CSRF) vulnerability in WP-OliveCart versions prior to 3.1.3 and WP-OliveCartPro versions prior to 3.1.8 allows remote attackers to hijack the authentication of a user to p… | |
| CVE-2016-4854 | high | 8.8 | 8.8 | 9y ago | Cross-site request forgery (CSRF) vulnerability in L-04D firmware version V10a and V10b allows remote attackers to hijack the authentication of administrators to perform arbitrary operations via unsp… | |
| CVE-2016-3403 | high | 8.8 | 8.8 | 9y ago | Multiple cross-site request forgery (CSRF) vulnerabilities in the Admin Console in Zimbra Collaboration before 8.6.0 Patch 8 allow remote attackers to hijack the authentication of administrators for … | |
| CVE-2016-4887 | high | 8.8 | 8.8 | 9y ago | Cross-site request forgery (CSRF) vulnerability in baserCMS plugin Uploader version 3.0.10 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors. | |
| CVE-2016-4886 | high | 8.8 | 8.8 | 9y ago | Cross-site request forgery (CSRF) vulnerability in baserCMS plugin Mail version 3.0.10 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors. | |
| CVE-2016-4885 | high | 8.8 | 8.8 | 9y ago | Cross-site request forgery (CSRF) vulnerability in baserCMS plugin Feed version 3.0.10 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors. | |
| CVE-2016-4884 | high | 8.8 | 8.8 | 9y ago | Cross-site request forgery (CSRF) vulnerability in baserCMS plugin Blog version 3.0.10 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors. | |
| CVE-2016-4882 | high | 8.8 | 8.8 | 9y ago | Cross-site request forgery (CSRF) vulnerability in baserCMS version 3.0.10 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors. | |
| CVE-2016-4881 | high | 8.8 | 8.8 | 9y ago | CSRF in baserCMS 3.0.10 and earlier | |
| CVE-2016-4879 | high | 8.8 | 8.8 | 9y ago | CSRF in baserCMS 3.0.10 and earlier | |
| CVE-2016-4878 | high | 8.8 | 8.8 | 9y ago | baserCMS Cross Site Request Forgery vulnerability | |
| CVE-2016-4876 | high | 8.8 | 8.8 | 9y ago | Cross-site request forgery (CSRF) vulnerability in baserCMS version 3.0.10 and earlier allows remote attackers to hijack the authentication of administrators to execute arbitrary PHP code via unspeci… | |
| CVE-2016-9092 | high | 8.8 | 8.8 | 9y ago | The Symantec Content Analysis (CA) 1.3, 2.x prior to 2.2.1.1, and Mail Threat Defense (MTD) 1.1 management consoles are susceptible to a cross-site request forging (CSRF) vulnerability. A remote atta… | |
| CVE-2016-5889 | high | 8.8 | 8.8 | 9y ago | IBM Interact 8.6, 9.0, 9.1, and 10.0 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website t… | |
| CVE-2016-9251 | high | 8.8 | 8.8 | 9y ago | In F5 BIG-IP 12.0.0 through 12.1.2, an authenticated attacker may be able to cause an escalation of privileges through a crafted iControl REST connection. | |
| CVE-2016-8202 | high | 8.8 | 8.8 | 9y ago | A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate t… | |
| CVE-2016-8593 | high | 8.8 | 8.8 | 9y ago | Directory traversal vulnerability in upload.cgi in Trend Micro Threat Discovery Appliance 2.6.1062r1 and earlier allows remote authenticated users to execute arbitrary code via a .. (dot dot) in the … | |
| CVE-2016-8592 | high | 8.8 | 8.8 | 9y ago | log_query_system.cgi in Trend Micro Threat Discovery Appliance 2.6.1062r1 and earlier allows remote authenticated users to execute arbitrary code as the root user via shell metacharacters in the cach… | |
| CVE-2016-8591 | high | 8.8 | 8.8 | 9y ago | log_query.cgi in Trend Micro Threat Discovery Appliance 2.6.1062r1 and earlier allows remote authenticated users to execute arbitrary code as the root user via shell metacharacters in the cache_id pa… | |
| CVE-2016-8590 | high | 8.8 | 8.8 | 9y ago | log_query_dlp.cgi in Trend Micro Threat Discovery Appliance 2.6.1062r1 and earlier allows remote authenticated users to execute arbitrary code as the root user via shell metacharacters in the cache_i… | |
| CVE-2016-8589 | high | 8.8 | 8.8 | 9y ago | log_query_dae.cgi in Trend Micro Threat Discovery Appliance 2.6.1062r1 and earlier allows remote authenticated users to execute arbitrary code as the root user via shell metacharacters in the cache_i… | |
| CVE-2016-8586 | high | 8.8 | 8.8 | 9y ago | detected_potential_files.cgi in Trend Micro Threat Discovery Appliance 2.6.1062r1 and earlier allows remote authenticated users to execute arbitrary code as the root user via shell metacharacters in … | |
| CVE-2016-8585 | high | 8.8 | 8.8 | 9y ago | admin_sys_time.cgi in Trend Micro Threat Discovery Appliance 2.6.1062r1 and earlier allows remote authenticated users to execute arbitrary code as the root user via shell metacharacters in the timezo… | |
| CVE-2016-2433 | high | 8.8 | 8.8 | 9y ago | The Broadcom Wi-Fi driver for Android, as used by BlackBerry smartphones before Build AAE570, allows remote attackers to execute arbitrary code in the context of the kernel. | |
| CVE-2016-0720 | high | 8.8 | 8.8 | 9y ago | Cross-site request forgery (CSRF) vulnerability in pcsd web UI in pcs before 0.9.149. | |
| CVE-2016-5401 | high | 8.8 | 8.8 | 9y ago | Cross-site request forgery (CSRF) vulnerability in Red Hat JBoss BRMS and BPMS 6 allows remote attackers to hijack the authentication of users for requests that modify instances via a crafted web pag… | |
| CVE-2016-3734 | high | 8.8 | 8.8 | 9y ago | Moodle Cross-site request forgery (CSRF) vulnerability | |
| CVE-2016-4862 | high | 8.8 | 8.8 | 9y ago | Twigmo bundled with CS-Cart 4.3.9 and earlier and Twigmo bundled with CS-Cart Multi-Vendor 4.3.9 and earlier allow remote authenticated users to execute arbitrary PHP code on the servers. | |
| CVE-2016-1218 | high | 8.8 | 8.8 | 9y ago | SQL injection vulnerability in Cybozu Garoon before 4.2.2. | |
| CVE-2016-4889 | high | 8.8 | 8.8 | 9y ago | ZOHO ManageEngine ServiceDesk Plus before 9.0 allows remote authenticated guest users to have unspecified impact by leveraging failure to restrict access to unknown functions. | |
| CVE-2016-7834 | high | 8.8 | 8.8 | 9y ago | SONY SNC-CH115, SNC-CH120, SNC-CH160, SNC-CH220, SNC-CH260, SNC-DH120, SNC-DH120T, SNC-DH160, SNC-DH220, SNC-DH220T, SNC-DH260, SNC-EB520, SNC-EM520, SNC-EM521, SNC-ZB550, SNC-ZM550, SNC-ZM551, SNC-E… | |
| CVE-2016-1914 | high | 8.8 | 8.8 | 9y ago | Multiple SQL injection vulnerabilities in the com.rim.mdm.ui.server.ImageServlet servlet in BlackBerry Enterprise Server 12 (BES12) Self-Service before 12.4 allow remote attackers to execute arbitrar… | |
| CVE-2016-5313 | high | 8.8 | 8.8 | 9y ago | Symantec Web Gateway (SWG) before 5.2.5 allows remote authenticated users to execute arbitrary OS commands. | |
| CVE-2016-4895 | high | 8.8 | 8.8 | 9y ago | SetsucoCMS all versions allows remote authenticated attackers to conduct code injection attacks via unspecified vectors. | |
| CVE-2016-4893 | high | 8.8 | 8.8 | 9y ago | SQL injection vulnerability in the SetsucoCMS all versions allows remote authenticated attackers to execute arbitrary SQL commands via unspecified vectors. | |
| CVE-2016-4891 | high | 8.8 | 8.8 | 9y ago | Cross-site request forgery (CSRF) vulnerability in SetsucoCMS all versions allows remote attackers to hijack the authentication of an administrator to change settings via unspecified vectors. | |
| CVE-2016-8718 | high | 8.8 | 8.8 | 9y ago | An exploitable Cross-Site Request Forgery vulnerability exists in the Web Application functionality of Moxa AWK-3131A Wireless Access Point running firmware 1.1. A specially crafted form can trick a … | |
| CVE-2016-4468 | high | 8.8 | 8.8 | 9y ago | SQL injection vulnerability in Pivotal Cloud Foundry (PCF) before 238; UAA 2.x before 2.7.4.4, 3.x before 3.3.0.2, and 3.4.x before 3.4.1; UAA BOSH before 11.2 and 12.x before 12.2; Elastic Runtime b… | |
| CVE-2016-6811 | high | 8.8 | 8.8 | 9y ago | Insecure Inherited Permissions in Apache Hadoop | |
| CVE-2016-10322 | high | 8.8 | 8.8 | 9y ago | Synology Photo Station before 6.3-2958 allows remote authenticated guest users to execute arbitrary commands via shell metacharacters in the X-Forwarded-For HTTP header to photo/login.php. | |
| CVE-2016-5072 | high | 8.8 | 8.8 | 9y ago | OXID eShop before 2016-06-13 allows remote attackers to execute arbitrary code via a GET or POST request to the oxuser class. Fixed versions are Enterprise Edition v5.1.12, Enterprise Edition v5.2.9,… | |
| CVE-2016-5071 | high | 8.8 | 8.8 | 9y ago | Sierra Wireless GX 440 devices with ALEOS firmware 4.3.2 execute the management web application as root. | |
| CVE-2016-5067 | high | 8.8 | 8.8 | 9y ago | Sierra Wireless GX 440 devices with ALEOS firmware 4.3.2 allow Hayes AT command injection. | |
| CVE-2016-4319 | high | 8.8 | 8.8 | 9y ago | Atlassian JIRA Server before 7.1.9 has CSRF in auditing/settings. | |
| CVE-2016-1516 | high | 8.8 | 8.8 | 9y ago | Double Free in OpenCV | |
| CVE-2016-7786 | high | 8.8 | 8.8 | 9y ago | Sophos Cyberoam UTM CR25iNG 10.6.3 MR-5 allows remote authenticated users to bypass intended access restrictions via direct object reference, as demonstrated by a request for Licenseinformation.jsp. … | |
| CVE-2016-6100 | high | 8.8 | 8.8 | 9y ago | IBM Disposal and Governance Management for IT and IBM Global Retention Policy and Schedule Management, components of IBM Atlas Policy Suite 6.0.3 is vulnerable to cross-site request forgery which cou… | |
| CVE-2016-10314 | high | 8.8 | 8.8 | 9y ago | Jensen of Scandinavia AS Air:Link 3G (AL3G) version 2.23m (Rev. 3), Air:Link 5000AC (AL5000AC) version 1.13, and Air:Link 59300 (AL59300) version 1.04 (Rev. 4) devices allow remote attackers to read … | |
| CVE-2016-10313 | high | 8.8 | 8.8 | 9y ago | Jensen of Scandinavia AS Air:Link 3G (AL3G) version 2.23m (Rev. 3), Air:Link 5000AC (AL5000AC) version 1.13, and Air:Link 59300 (AL59300) version 1.04 (Rev. 4) devices allow remote attackers to condu… | |
| CVE-2016-8917 | high | 8.8 | 8.8 | 9y ago | IBM Sterling Order Management 9.2 - 9.5 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the websit… | |
| CVE-2016-2379 | high | 8.8 | 8.8 | 9y ago | The Mxit protocol uses weak encryption when encrypting user passwords, which might allow attackers to (1) decrypt hashed passwords by leveraging knowledge of client registration codes or (2) gain log… | |
| CVE-2016-9456 | high | 8.8 | 8.8 | 9y ago | Revive Adserver before 3.2.3 suffers from Cross-Site Request Forgery (CSRF). The Revive Adserver team conducted a security audit of the admin interface scripts in order to identify and fix other pote… | |
| CVE-2016-9455 | high | 8.8 | 8.8 | 9y ago | Revive Adserver before 3.2.3 suffers from Cross-Site Request Forgery (CSRF). A number of scripts in Revive Adserver's user interface are vulnerable to CSRF attacks: `www/admin/banner-acl.php`, `www/a… | |
| CVE-2016-9127 | high | 8.8 | 8.8 | 9y ago | Revive Adserver before 3.2.3 suffers from Cross-Site Request Forgery (CSRF). The password recovery form in Revive Adserver is vulnerable to CSRF attacks. This vulnerability could be exploited to send… | |
| CVE-2016-8960 | high | 8.8 | 8.8 | 9y ago | IBM Cognos Business Intelligence 10.2 could allow a user with lower privilege Capabilities to adopt the Capabilities of a higher-privilege user by intercepting the higher-privilege user's cookie valu… | |
| CVE-2016-10273 | high | 8.8 | 8.8 | 9y ago | Multiple stack buffer overflow vulnerabilities in Jensen of Scandinavia AS Air:Link 3G (AL3G) version 2.23m (Rev. 3), Air:Link 5000AC (AL5000AC) version 1.13, and Air:Link 59300 (AL59300) version 1.0… | |
| CVE-2016-5758 | high | 8.8 | 8.8 | 9y ago | A cross site request forgery protection mechanism in NetIQ Access Manager 4.1 before 4.1.2 Hot Fix 1 and 4.2 before 4.2.2 could be circumvented by repeated uploads causing a high load. | |
| CVE-2016-5750 | high | 8.8 | 8.8 | 9y ago | The certificate upload feature in iManager in NetIQ Access Manager 4.1 before 4.1.2 Hot Fix 1 and 4.2 before 4.2.2 could be used to upload JSP pages that would be executed as the iManager user, allow… | |
| CVE-2016-1597 | high | 8.8 | 8.8 | 9y ago | A logged-in user in NetIQ Access Governance Suite 6.0 through 6.4 could escalate privileges to administrator. |
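As an added example (it is not part of this page or of any vendor's advisory), the following Python script parses rows written in the table layout used above, tallies weakness classes from the wording of the Description column, flags rows whose Severity label disagrees with the band their Risk score falls in, and checks the summary buckets at the top of the page against the total. The keyword patterns and the assumption that the Risk column follows the CVSS v3 qualitative bands are mine; the six sample rows are copied from the listing, with the page's truncated descriptions shortened to a full sentence.

```python
import re
from collections import Counter

# Constructed sample in the page's own table layout: six rows copied from the
# listing above (descriptions shortened where the page truncates them).
SAMPLE_TABLE = """\
| CVE | Severity | CVSS | Risk | Published | Description | Impact |
|---|---|---|---|---|---|---|
| CVE-2016-5195 | high | — | 9.5 | 4y ago | Race condition in mm/gup.c in the Linux kernel allows local users to escalate privileges. | |
| CVE-2016-10033 | high | — | 9.5 | 6y ago | PHPMailer contains a command injection vulnerability because it fails to sanitize user-supplied input. | |
| CVE-2016-3691 | high | 8.8 | 8.8 | 4y ago | Routes in Kallithea before 0.3.2 allows remote attackers to bypass the CSRF protection by using the GET HTTP request method. | |
| CVE-2016-7803 | high | 8.8 | 8.8 | 9y ago | SQL injection vulnerability in the Cybozu Garoon 3.0.0 to 4.2.2 allows remote authenticated attackers to execute arbitrary SQL commands via "MultiReport" function. | |
| CVE-2016-8591 | high | 8.8 | 8.8 | 9y ago | log_query.cgi in Trend Micro Threat Discovery Appliance 2.6.1062r1 and earlier allows remote authenticated users to execute arbitrary code as the root user via shell metacharacters in the cache_id parameter. | |
| CVE-2016-5851 | high | 8.8 | 8.8 | 9y ago | python-docx before 0.8.6 allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted document. | |
"""

# Summary figures from the top of the page.
SUMMARY = {"total": 8565, "critical": 1164, "high": 3521, "medium": 3172, "low": 249}

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
EMPTY = {"", "-", "—"}

# Weakness classes keyed on wording that NVD-style descriptions use (my own
# keyword list, an assumption). Order matters: the first matching class wins.
CLASS_PATTERNS = [
    ("csrf", re.compile(r"cross-site request forg|\bCSRF\b", re.I)),
    ("sqli", re.compile(r"sql injection|arbitrary sql", re.I)),
    ("cmdi", re.compile(r"command injection|shell metacharacters|arbitrary (?:os )?commands", re.I)),
    ("xxe", re.compile(r"\bXXE\b|xml external entity", re.I)),
    ("deserialization", re.compile(r"deserializ", re.I)),
    ("race", re.compile(r"race condition", re.I)),
    ("memory", re.compile(r"use-after-free|buffer overflow|double free|read past the end", re.I)),
]


def _score(cell):
    """'8.8' -> 8.8; an empty or dash cell -> None."""
    return None if cell in EMPTY else float(cell)


def parse_table(text):
    """Parse the markdown table into dicts; header, separator and non-CVE lines are skipped.
    Assumes descriptions contain no literal '|' (true for the rows on this page)."""
    rows = []
    for line in text.splitlines():
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 6 or not CVE_RE.match(cells[0]):
            continue
        rows.append({
            "cve": cells[0],
            "severity": cells[1].lower(),
            "cvss": _score(cells[2]),
            "risk": _score(cells[3]),
            "published": cells[4],
            "description": cells[5],
        })
    return rows


def classify(description):
    """First weakness class whose pattern matches the description, else 'other'."""
    for name, pattern in CLASS_PATTERNS:
        if pattern.search(description):
            return name
    return "other"


def class_counts(rows):
    return Counter(classify(r["description"]) for r in rows)


def cvss_band(score):
    """CVSS v3 qualitative bands (assumed to apply to the page's Risk column)."""
    if score is None:
        return None
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def severity_mismatches(rows):
    """CVEs whose Severity label disagrees with the band their Risk score falls in."""
    return [r["cve"] for r in rows
            if cvss_band(r["risk"]) not in (None, r["severity"])]


def check_summary(summary):
    """(do the four severity buckets add up to Total?, % critical rounded to one decimal)"""
    buckets = sum(summary[k] for k in ("critical", "high", "medium", "low"))
    pct_critical = round(100.0 * summary["critical"] / summary["total"], 1)
    return buckets == summary["total"], pct_critical


if __name__ == "__main__":
    rows = parse_table(SAMPLE_TABLE)
    print(dict(class_counts(rows)))
    print("severity/score mismatches:", severity_mismatches(rows))
    print("summary consistent, % critical:", check_summary(SUMMARY))
```

On the page's own summary figures `check_summary` returns `(False, 13.6)`: the four buckets total 8,106 rather than 8,565, so the percentage is computed over entries that include unrated CVEs. On the sample rows the two entries scored 9.5 but labelled high are reported as Severity/score mismatches, which is worth knowing before anyone filters this listing on the Severity column alone.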