CVEs from 2022
Total
8,277
critical
critical 88
high
high 1,240
medium
medium 887
low
low 23
% Critical
1.1%
% with KEV
1.6%
% with exploit
1.6%
Top products
- jdk 116
- jre 109
- openjdk 100
- zulu 82
- graalvm 74
- cloud_secure_agent 35
- oncommand_insight 34
- cloud_insights_acquisition_unit 34
| CVE | Severity | CVSS | Risk | Published | Description | Impact |
|---|---|---|---|---|---|---|
| CVE-2022-24706 | critical | — | 10.0 | 4y ago | Apache CouchDB contains an insecure default initialization of resource vulnerability which can allow an attacker to escalate to administrative privileges. | |
| CVE-2022-26485 | critical | — | 10.0 | 4y ago | Critical: firefox security update | |
| CVE-2022-0185 | high | — | 9.5 | 2y ago | Important: kernel security and bug fix update | |
| CVE-2022-48503 | high | — | 9.5 | 3y ago | Apple macOS, iOS, tvOS, Safari, and watchOS contain an unspecified vulnerability in JavaScriptCore that when processing web content may lead to arbitrary code execution. The impacted product could be… | |
| CVE-2022-42856 | high | — | 9.5 | 3y ago | Important: webkit2gtk3 security update | |
| CVE-2022-0847 | high | — | 9.5 | 4y ago | Important: kernel security, bug fix, and enhancement update | |
| CVE-2022-1096 | high | — | 9.5 | 4y ago | Google Chromium V8 Engine contains a type confusion vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multipl… | |
| CVE-2022-26486 | high | — | 9.5 | 4y ago | Important: thunderbird security update | |
| CVE-2022-2586 | medium | — | 7.0 | 4y ago | Moderate: kernel security, bug fix, and enhancement update | |
| CVE-2022-32893 | medium | — | 7.0 | 4y ago | Moderate: webkit2gtk3 security update | |
| CVE-2022-22620 | medium | — | 7.0 | 4y ago | Moderate: webkit2gtk3 security, bug fix, and enhancement update | |
| CVE-2022-20775 | unknown | — | 1.5 | 3mo ago | Cisco SD-WAN CLI contains a path traversal vulnerability that could allow an authenticated local attacker to gain elevated privileges via improper access controls on commands within the application C… | |
| CVE-2022-37055 | unknown | — | 1.5 | 6mo ago | D-Link Routers contains a buffer overflow vulnerability that has a high impact on confidentiality, integrity, and availability. The impacted products could be end-of-life (EoL) and/or end-of-service … | |
| CVE-2022-40799 | unknown | — | 1.5 | 10mo ago | D-Link DNR-322L contains a download of code without integrity check vulnerability that could allow an authenticated attacker to execute OS level commands on the device. The impacted products could be… | |
| CVE-2022-43769 | unknown | — | 1.5 | 1y ago | Hitachi Vantara Pentaho BA Server contains a special element injection vulnerability that allows an attacker to inject Spring templates into properties files, allowing for arbitrary command execution. | |
| CVE-2022-43939 | unknown | — | 1.5 | 1y ago | Hitachi Vantara Pentaho BA Server contains a use of non-canonical URL paths for authorization decisions vulnerability that enables an attacker to bypass authorization. | |
| CVE-2022-23748 | unknown | — | 1.5 | 1y ago | Dante Discovery contains a process control vulnerability in mDNSResponder.exe that all allows for a DLL sideloading attack. A local attacker can leverage this vulnerability in the Dante Application L… | |
| CVE-2022-23227 | unknown | — | 1.5 | 2y ago | NUUO NVRmini2 devices contain a missing authentication vulnerability that allows an unauthenticated attacker to upload an encrypted TAR archive, which can be abused to add arbitrary users. | |
| CVE-2022-21445 | unknown | — | 1.5 | 2y ago | Oracle ADF Faces library, included with Oracle JDeveloper Distribution, contains a deserialization of untrusted data vulnerability leading to unauthenticated remote code execution. | |
| CVE-2022-22948 | unknown | — | 1.5 | 2y ago | VMware vCenter Server contains an incorrect default file permissions vulnerability that allows a remote, privileged attacker to gain access to sensitive information. | |
| CVE-2022-38028 | unknown | — | 1.5 | 2y ago | Microsoft Windows Print Spooler service contains a privilege escalation vulnerability. An attacker may modify a JavaScript constraints file and execute it with SYSTEM-level permissions. | |
| CVE-2022-48618 | unknown | — | 1.5 | 2y ago | Apple iOS, iPadOS, macOS, tvOS, and watchOS contain a time-of-check/time-of-use (TOCTOU) memory corruption vulnerability that allows an attacker with read and write capabilities to bypass Pointer Aut… | |
| CVE-2022-22071 | unknown | — | 1.5 | 3y ago | Multiple Qualcomm chipsets contain a use-after-free vulnerability when process shell memory is freed using IOCTL munmap call and process initialization is in progress. | |
| CVE-2022-24816 | unknown | — | 1.5 | 3y ago | OSGeo GeoServer JAI-EXT contains a code injection vulnerability that, when programs use jt-jiffle and allow Jiffle script to be provided via network request, could allow remote code execution. | |
| CVE-2022-22265 | unknown | — | 1.5 | 3y ago | Samsung devices with selected Exynos chipsets contain a use-after-free vulnerability that allows malicious memory write and code execution. | |
| CVE-2022-29303 | unknown | — | 1.5 | 3y ago | SolarView Compact contains a command injection vulnerability due to improper validation of input values on the send test mail console of the product's web server. | |
| CVE-2022-31199 | unknown | — | 1.5 | 3y ago | Netwrix Auditor User Activity Video Recording component contains an insecure objection deserialization vulnerability that allows an unauthenticated, remote attacker to execute code as the NT AUTHORIT… | |
| CVE-2022-27926 | unknown | — | 1.5 | 3y ago | Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting vulnerability by allowing an endpoint URL to accept parameters without sanitizing. | |
| CVE-2022-42948 | unknown | — | 1.5 | 3y ago | Fortra Cobalt Strike User Interface contains an unspecified vulnerability rooted in Java Swing that may allow remote code execution. | |
| CVE-2022-22706 | unknown | — | 1.5 | 3y ago | Arm Mali GPU Kernel Driver contains an unspecified vulnerability that allows a non-privileged user to achieve write access to read-only memory pages. | |
| CVE-2022-3038 | unknown | — | 1.5 | 3y ago | Google Chromium Network Service contains a use-after-free vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect m… | |
| CVE-2022-39197 | unknown | — | 1.5 | 3y ago | Fortra Cobalt Strike contains a cross-site scripting (XSS) vulnerability in Teamserver that would allow an attacker to set a malformed username in the Beacon configuration, allowing them to execute c… | |
| CVE-2022-38181 | unknown | — | 1.5 | 3y ago | Arm Mali GPU Kernel Driver contains a use-after-free vulnerability that may allow a non-privileged user to gain root privilege and/or disclose information. | |
| CVE-2022-41328 | unknown | — | 1.5 | 3y ago | Fortinet FortiOS contains a path traversal vulnerability that may allow a local privileged attacker to read and write files via crafted CLI commands. | |
| CVE-2022-28810 | unknown | — | 1.5 | 3y ago | Zoho ManageEngine ADSelfService Plus contains an unspecified vulnerability allowing for remote code execution when performing a password change or reset. | |
| CVE-2022-35914 | unknown | — | 1.5 | 3y ago | Teclib GLPI contains a remote code execution vulnerability in the third-party library, htmlawed. | |
| CVE-2022-41223 | unknown | — | 1.5 | 3y ago | The Director component in Mitel MiVoice Connect allows an authenticated attacker with internal network access to execute code within the context of the application. | |
| CVE-2022-47986 | unknown | — | 1.5 | 3y ago | IBM Aspera Faspex could allow a remote attacker to execute code on the system, caused by a YAML deserialization flaw. | |
| CVE-2022-40765 | unknown | — | 1.5 | 3y ago | The Mitel Edge Gateway component of MiVoice Connect allows an authenticated attacker with internal network access to execute commands within the context of the system. | |
| CVE-2022-46169 | unknown | — | 1.5 | 3y ago | Cacti contains a command injection vulnerability that allows an unauthenticated user to execute code. | |
| CVE-2022-24990 | unknown | — | 1.5 | 3y ago | TerraMaster OS contains a remote command execution vulnerability that allows an unauthenticated user to execute commands on the target endpoint. | |
| CVE-2022-21587 | unknown | — | 1.5 | 3y ago | Oracle E-Business Suite contains an unspecified vulnerability that allows an unauthenticated attacker with network access via HTTP to compromise Oracle Web Applications Desktop Integrator. | |
| CVE-2022-47966 | unknown | — | 1.5 | 3y ago | Multiple Zoho ManageEngine products contain an unauthenticated remote code execution vulnerability due to the usage of an outdated third-party dependency, Apache Santuario. | |
| CVE-2022-44877 | unknown | — | 1.5 | 3y ago | CWP Control Web Panel (formerly CentOS Web Panel) contains an OS command injection vulnerability that allows remote attackers to execute commands via shell metacharacters in the login parameter. | |
| CVE-2022-41080 | unknown | — | 1.5 | 3y ago | Microsoft Exchange Server contains an unspecified vulnerability that allows for privilege escalation. This vulnerability is chainable with CVE-2022-41082, which allows for remote code execution. | |
| CVE-2022-27518 | unknown | — | 1.5 | 4y ago | Citrix Application Delivery Controller (ADC) and Gateway, when configured with SAML SP or IdP configuration, contain an authentication bypass vulnerability that allows an attacker to execute code as … | |
| CVE-2022-26501 | unknown | — | 1.5 | 4y ago | The Veeam Distribution Service in the Backup & Replication application allows unauthenticated users to access internal API functions. A remote attacker can send input to the internal API which may le… | |
| CVE-2022-26500 | unknown | — | 1.5 | 4y ago | The Veeam Distribution Service in the Backup & Replication application allows unauthenticated users to access internal API functions. A remote attacker can send input to the internal API which may le… | |
| CVE-2022-42475 | unknown | — | 1.5 | 4y ago | Multiple versions of Fortinet FortiOS SSL-VPN contain a heap-based buffer overflow vulnerability which can allow an unauthenticated, remote attacker to execute arbitrary code or commands via specific… | |
| CVE-2022-44698 | unknown | — | 1.5 | 4y ago | Microsoft Defender SmartScreen contains a security feature bypass vulnerability that could allow an attacker to evade Mark of the Web (MOTW) defenses via a specially crafted malicious file. | |
| CVE-2022-4262 | unknown | — | 1.5 | 4y ago | Google Chromium V8 Engine contains a type confusion vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multipl… | |
| CVE-2022-4135 | unknown | — | 1.5 | 4y ago | Google Chromium GPU contains a heap buffer overflow vulnerability that allows a remote attacker, who has compromised the renderer process, to potentially perform a sandbox escape via a crafted HTML p… | |
| CVE-2022-41049 | unknown | — | 1.5 | 4y ago | Microsoft Windows Mark of the Web (MOTW) contains a security feature bypass vulnerability resulting in a limited loss of integrity and availability of security features. | |
| CVE-2022-41128 | unknown | — | 1.5 | 4y ago | Microsoft Windows contains an unspecified vulnerability in the JScript9 scripting language which allows for remote code execution. | |
| CVE-2022-41073 | unknown | — | 1.5 | 4y ago | Microsoft Windows Print Spooler contains an unspecified vulnerability that allows an attacker to gain SYSTEM-level privileges. | |
| CVE-2022-41125 | unknown | — | 1.5 | 4y ago | Microsoft Windows Cryptographic Next Generation (CNG) Key Isolation Service contains an unspecified vulnerability that allows an attacker to gain SYSTEM-level privileges. | |
| CVE-2022-41091 | unknown | — | 1.5 | 4y ago | Microsoft Windows Mark of the Web (MOTW) contains a security feature bypass vulnerability resulting in a limited loss of integrity and availability of security features. | |
| CVE-2022-3723 | unknown | — | 1.5 | 4y ago | Google Chromium V8 Engine contains a type confusion vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multipl… | |
| CVE-2022-42827 | unknown | — | 1.5 | 4y ago | Apple iOS and iPadOS kernel contain an out-of-bounds write vulnerability which can allow an application to perform code execution with kernel privileges. | |
| CVE-2022-41352 | unknown | — | 1.5 | 4y ago | Synacor Zimbra Collaboration Suite (ZCS) allows an attacker to upload arbitrary files using cpio package to gain incorrect access to any other user accounts. | |
| CVE-2022-41033 | unknown | — | 1.5 | 4y ago | Microsoft Windows COM+ Event System Service contains an unspecified vulnerability that allows for privilege escalation. | |
| CVE-2022-40684 | unknown | — | 1.5 | 4y ago | Fortinet FortiOS, FortiProxy, and FortiSwitchManager contain an authentication bypass vulnerability that could allow an unauthenticated attacker to perform operations on the administrative interface … | |
| CVE-2022-36804 | unknown | — | 1.5 | 4y ago | Multiple API endpoints of Atlassian Bitbucket Server and Data Center contain a command injection vulnerability where an attacker with access to a public Bitbucket repository, or with read permissions… | |
| CVE-2022-41040 | unknown | — | 1.5 | 4y ago | Microsoft Exchange Server allows for server-side request forgery. Dubbed "ProxyNotShell," this vulnerability is chainable with CVE-2022-41082 which allows for remote code execution. | |
| CVE-2022-41082 | unknown | — | 1.5 | 4y ago | Microsoft Exchange Server contains an unspecified vulnerability that allows for authenticated remote code execution. Dubbed "ProxyNotShell," this vulnerability is chainable with CVE-2022-41040 which … | |
| CVE-2022-3236 | unknown | — | 1.5 | 4y ago | A code injection vulnerability in the User Portal and Webadmin of Sophos Firewall allows for remote code execution. | |
| CVE-2022-35405 | unknown | — | 1.5 | 4y ago | Zoho ManageEngine PAM360, Password Manager Pro, and Access Manager Plus contain an unspecified vulnerability that allows for remote code execution. | |
| CVE-2022-40139 | unknown | — | 1.5 | 4y ago | Trend Micro Apex One and Apex One as a Service contain an improper validation of rollback mechanism components that could lead to remote code execution. | |
| CVE-2022-32917 | unknown | — | 1.5 | 4y ago | Apple kernel, which is included in iOS, iPadOS, and macOS, contains an unspecified vulnerability where an application may be able to execute code with kernel privileges. | |
| CVE-2022-37969 | unknown | — | 1.5 | 4y ago | Microsoft Windows Common Log File System (CLFS) driver contains an unspecified vulnerability that allows for privilege escalation. | |
| CVE-2022-3075 | unknown | — | 1.5 | 4y ago | Google Chromium Mojo contains an insufficient data validation vulnerability that allows a remote attacker, who has compromised the renderer process, to potentially perform a sandbox escape via a craf… | |
| CVE-2022-27593 | unknown | — | 1.5 | 4y ago | Certain QNAP NAS running Photo Station with internet exposure contain an externally controlled reference to a resource vulnerability which can allow an attacker to modify system files. This vulnerabi… | |
| CVE-2022-26258 | unknown | — | 1.5 | 4y ago | D-Link DIR-820L contains an unspecified vulnerability in Device Name parameter in /lan.asp which allows for remote code execution. | |
| CVE-2022-36537 | unknown | — | 1.5 | 4y ago | ZK Framework AuUploader servlets contain an unspecified vulnerability that could allow an attacker to retrieve the content of a file located in the web context. The ZK Framework is an open-source Jav… | |
| CVE-2022-24112 | unknown | — | 1.5 | 4y ago | Apache APISIX contains an authentication bypass vulnerability that allows for remote code execution. | |
| CVE-2022-2294 | unknown | — | 1.5 | 4y ago | WebRTC, an open-source project providing web browsers with real-time communication, contains a heap buffer overflow vulnerability that allows an attacker to perform shellcode execution. This vulnerab… | |
| CVE-2022-26352 | unknown | — | 1.5 | 4y ago | dotCMS ContentResource API contains an unrestricted upload of file with a dangerous type vulnerability that allows for directory traversal, in which the file is saved outside of the intended storage … | |
| CVE-2022-0028 | unknown | — | 1.5 | 4y ago | A Palo Alto Networks PAN-OS URL filtering policy misconfiguration could allow a network-based attacker to conduct reflected and amplified TCP denial-of-service (RDoS) attacks. | |
| CVE-2022-21971 | unknown | — | 1.5 | 4y ago | Microsoft Windows Runtime contains an unspecified vulnerability that allows for remote code execution. | |
| CVE-2022-2856 | unknown | — | 1.5 | 4y ago | Google Chromium Intents contains an insufficient validation of untrusted input vulnerability that allows a remote attacker to browse to a malicious website via a crafted HTML page. This vulnerability… | |
| CVE-2022-32894 | unknown | — | 1.5 | 4y ago | Apple iOS and macOS contain an out-of-bounds write vulnerability that could allow an application to execute code with kernel privileges. | |
| CVE-2022-26923 | unknown | — | 1.5 | 4y ago | An authenticated user could manipulate attributes on computer accounts they own or manage, and acquire a certificate from Active Directory Certificate Services that would allow for privilege escalati… | |
| CVE-2022-22536 | unknown | — | 1.5 | 4y ago | SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server and SAP Web Dispatcher allow HTTP request smuggling. An unauthenticated attacker can pr… | |
| CVE-2022-27925 | unknown | — | 1.5 | 4y ago | Synacor Zimbra Collaboration Suite (ZCS) contains flaw in the mboximport functionality, allowing an authenticated attacker to upload arbitrary files to perform remote code execution. This vulnerabili… | |
| CVE-2022-37042 | unknown | — | 1.5 | 4y ago | Synacor Zimbra Collaboration Suite (ZCS) contains an authentication bypass vulnerability in MailboxImportServlet. This vulnerability was chained with CVE-2022-27925 which allows for unauthenticated r… | |
| CVE-2022-34713 | unknown | — | 1.5 | 4y ago | A remote code execution vulnerability exists when Microsoft Windows MSDT is called using the URL protocol from a calling application. | |
| CVE-2022-30333 | unknown | — | 1.5 | 4y ago | RARLAB UnRAR on Linux and UNIX contains a directory traversal vulnerability, allowing an attacker to write to files during an extract (unpack) operation. | |
| CVE-2022-27924 | unknown | — | 1.5 | 4y ago | Synacor Zimbra Collaboration Suite (ZCS) allows an attacker to inject memcache commands into a targeted instance which causes an overwrite of arbitrary cached entries. | |
| CVE-2022-26138 | unknown | — | 1.5 | 4y ago | Atlassian Questions For Confluence App has hard-coded credentials, exposing the username and password in plaintext. A remote unauthenticated attacker can use these credentials to log into Confluence … | |
| CVE-2022-33891 | unknown | — | 1.5 | 4y ago | The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or m… | |
| CVE-2022-22047 | unknown | — | 1.5 | 4y ago | Microsoft Windows CSRSS contains an unspecified vulnerability that allows for privilege escalation to SYSTEM privileges. | |
| CVE-2022-26925 | unknown | — | 1.5 | 4y ago | Microsoft Windows Local Security Authority (LSA) contains a spoofing vulnerability where an attacker can coerce the domain controller to authenticate to the attacker using NTLM. | |
| CVE-2022-29499 | unknown | — | 1.5 | 4y ago | The Service Appliance component in Mitel MiVoice Connect allows remote code execution due to incorrect data validation. | |
| CVE-2022-30190 | unknown | — | 1.5 | 4y ago | A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run code … | |
| CVE-2022-26134 | unknown | — | 1.5 | 4y ago | Atlassian Confluence Server and Data Center contain a remote code execution vulnerability that allows for an unauthenticated attacker to perform remote code execution. | |
| CVE-2022-20821 | unknown | — | 1.5 | 4y ago | Cisco IOS XR software health check opens TCP port 6379 by default on activation. An attacker can connect to the Redis instance on the open port and allow access to the Redis instance that is running … | |
| CVE-2022-30525 | unknown | — | 1.5 | 4y ago | A command injection vulnerability in the CGI program of some Zyxel firewall versions could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device. | |
| CVE-2022-1388 | unknown | — | 1.5 | 4y ago | F5 BIG-IP contains a missing authentication in critical function vulnerability which can allow for remote code execution, creation or deletion of files, or disabling services. | |
| CVE-2022-26904 | unknown | — | 1.5 | 4y ago | Microsoft Windows User Profile Service contains an unspecified vulnerability that allows for privilege escalation. | |
| CVE-2022-29464 | unknown | — | 1.5 | 4y ago | Multiple WSO2 products allow for unrestricted file upload, resulting in remote code execution. |