CVEs from 2020

3,974 normalized CVEs published or assigned in this year.

Total

3,974

critical

critical 184

high

high 576

medium

medium 738

low

low 59

% Critical

4.6%

% with KEV

3.7%

% with exploit

5.1%

Top vendors

Top packages

PyPI/tensorflow-cpu 146
PyPI/tensorflow-gpu 146
PyPI/tensorflow 146
Packagist/drupal/core 67
PyPI/salt 64
PyPI/ansible 61
Packagist/magento/community-edition 61
Maven/com.fasterxml.jackson.core:jackson-databind 55

critical high medium low unknown

KEV Has exploit

Reset

CVE	Severity	CVSS	Risk	Published	Description
CVE-2020-13921	unknown	—	—	6y ago	SQL Injection in Apache SkyWalking
CVE-2020-11994	unknown	—	—	6y ago	Server side template injection in Apache Camel
CVE-2020-1937	unknown	—	—	6y ago	SQL Injection in Kylin
CVE-2020-13926	unknown	—	—	6y ago	SQL Injection in Kylin
CVE-2020-13925	unknown	—	—	6y ago	Command Injection in Kylin
CVE-2020-15231	unknown	—	—	6y ago	XSS in Mapfish Print relating to JSONP support
CVE-2020-15232	unknown	—	—	6y ago	XXE attack in Mapfish Print
CVE-2020-15087	unknown	—	—	6y ago	Privilege escalation in Presto
CVE-2020-14061	unknown	—	—	6y ago	Deserialization of untrusted data in Jackson Databind
CVE-2020-14195	unknown	—	—	6y ago	Deserialization of untrusted data in Jackson Databind
CVE-2020-11612	unknown	—	—	6y ago	Denial of Service in Netty
CVE-2020-5408	unknown	—	—	6y ago	Insufficient Entropy in Spring Security
CVE-2020-7226	unknown	—	—	6y ago	Denial of Service in Cryptacular
CVE-2020-10683	unknown	—	—	6y ago	dom4j allows External Entities by default which might enable XXE attacks
CVE-2020-5407	unknown	—	—	6y ago	Signature wrapping vulnerability in Spring Security
CVE-2020-5405	unknown	—	—	6y ago	Directory traversal attack in Spring Cloud Config
CVE-2020-1963	unknown	—	—	6y ago	File system access via H2 in Apache Ignite
CVE-2020-11973	unknown	—	—	6y ago	Apache Camel Netty enables Java deserialization by default
CVE-2020-1941	unknown	—	—	6y ago	Apache ActiveMQ webconsole admin GUI is open to XSS
CVE-2020-5529	unknown	—	—	6y ago	Code execution vulnerability in HtmlUnit
CVE-2020-1953	unknown	—	—	6y ago	Remote code execution in Apache Commons Configuration
CVE-2020-10968	unknown	—	—	6y ago	jackson-databind mishandles the interaction between serialization gadgets and typing
CVE-2020-11111	unknown	—	—	6y ago	jackson-databind mishandles the interaction between serialization gadgets and typing
CVE-2020-7647	unknown	—	—	6y ago	path traversal in Jooby
CVE-2020-11050	unknown	—	—	6y ago	Improper Validation of Certificate with Host Mismatch in Java-WebSocket
CVE-2020-1929	unknown	—	—	6y ago	Improper Certificate Validation in Apache Beam
CVE-2020-11009	unknown	—	—	6y ago	IDOR can reveal execution data and logs to unauthorized user in Rundeck
CVE-2020-10969	unknown	—	—	6y ago	jackson-databind mishandles the interaction between serialization gadgets and typing
CVE-2020-11620	unknown	—	—	6y ago	jackson-databind mishandles the interaction between serialization gadgets and typing
CVE-2020-11007	unknown	—	—	6y ago	Negative charge in shopping cart in Shopizer
CVE-2020-1728	unknown	—	—	6y ago	Improper Restriction of Rendered UI Layers or Frames in Keycloak
CVE-2020-1731	unknown	—	—	6y ago	Predictable password in Keycloak
CVE-2020-1697	unknown	—	—	6y ago	XSS in Keycloak
CVE-2020-10203	unknown	—	—	6y ago	Persistent Cross-Site scripting in Nexus Repository Manager
CVE-2020-10204	unknown	—	—	6y ago	Remote Code Execution - JavaEL Injection (low privileged accounts) in Nexus Repository Manager
CVE-2020-11002	unknown	—	—	6y ago	Remote Code Execution (RCE) vulnerability in dropwizard-validation
CVE-2020-7622	unknown	—	—	6y ago	Improper Neutralization of CRLF Sequences in HTTP Headers in Jooby ('HTTP Response Splitting)
CVE-2020-5497	unknown	—	—	6y ago	XSS in MITREid Connect
CVE-2020-7611	unknown	—	—	6y ago	Micronaut's HTTP client is vulnerable to HTTP Request Header Injection
CVE-2020-5289	unknown	—	—	6y ago	Read permissions not enforced for client provided filter expressions in Elide.
CVE-2020-5275	unknown	—	—	6y ago	In symfony/security-http before versions 4.4.7 and 5.0.7, when a `Firewall` checks access control rule, it iterate overs each rule's attributes and stops as soon as the accessDecisionManager decides …
CVE-2020-5274	unknown	—	—	6y ago	In Symfony before versions 5.0.5 and 4.4.5, some properties of the Exception were not properly escaped when the `ErrorHandler` rendered it stacktrace. In addition, the stacktrace were displayed even …
CVE-2020-5255	unknown	—	—	6y ago	In Symfony before versions 4.4.7 and 5.0.7, when a `Response` does not contain a `Content-Type` header, affected versions of Symfony can fallback to the format defined in the `Accept` header of the r…
CVE-2020-5280	unknown	—	—	6y ago	Local file inclusion vulnerability in http4s
CVE-2020-6858	unknown	—	—	6y ago	HTTP Response Splitting in Styx
CVE-2020-5245	unknown	—	—	6y ago	Remote Code Execution (RCE) vulnerability in dropwizard-validation
CVE-2020-7238	unknown	—	—	6y ago	HTTP Request Smuggling in Netty
CVE-2020-1925	unknown	—	—	6y ago	Server-Side Request Forgery (SSRF) in Apache Olingo
CVE-2020-5228	unknown	—	—	6y ago	Unauthenticated Access Via OAI-PMH
CVE-2020-5229	unknown	—	—	6y ago	Password Hashing: Do not use MD5
CVE-2020-5230	unknown	—	—	6y ago	Unsafe Identifiers in Opencast
CVE-2020-5222	unknown	—	—	6y ago	Hard-Coded Key Used For Remember-me Token in Opencast
CVE-2020-5231	unknown	—	—	6y ago	Users with ROLE_COURSE_ADMIN can create new users in Opencast
CVE-2020-5206	unknown	—	—	6y ago	Authentication Bypass For Endpoints With Anonymous Access in Opencast
CVE-2020-5207	unknown	—	—	6y ago	Request smuggling is possible when both chunked TE and content length specified
CVE-2020-5397	unknown	—	—	6y ago	CSRF attack via CORS preflight requests with Spring MVC or Spring WebFlux
CVE-2020-5398	unknown	—	—	6y ago	RFD attack via Content-Disposition header sourced from request input by Spring MVC or Spring WebFlux Application

CVEs from 2020

Top vendors

Top products

Top packages