CVEs from 2022
Total
5,373
critical
critical 88
high
high 1,220
medium
medium 938
low
low 24
% Critical
1.6%
% with KEV
2.4%
% with exploit
3.3%
Top vendors
Top products
- jdk 116
- jre 109
- openjdk 100
- zulu 82
- graalvm 74
- cloud_secure_agent 35
- oncommand_insight 34
- cloud_insights_acquisition_unit 34
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-50970 | medium | 5.4 | 5.4 | 22d ago | WordPress Plugin AAWP 3.16 contains a reflected cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by manipulating the tab parameter. Attackers can cra… | |||
| CVE-2022-46840 | medium | 5.4 | 5.4 | 2y ago | Missing Authorization vulnerability in JS Help Desk JS Help Desk – Best Help Desk & Support Plugin allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects JS Help D… | |||
| CVE-2022-45841 | medium | 5.4 | 5.4 | 2y ago | Missing Authorization vulnerability in RoboSoft Robo Gallery allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Robo Gallery: from n/a through 3.2.9. | |||
| CVE-2022-38055 | medium | 5.4 | 5.4 | 2y ago | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in gVectors Team wpForo Forum allows Content Spoofing.This issue affects wpForo Forum: from n/a through 2.0… | |||
| CVE-2022-40975 | medium | 5.4 | 5.4 | 2y ago | Missing Authorization vulnerability in Aazztech Post Slider.This issue affects Post Slider: from n/a through 1.6.7. | |||
| CVE-2022-45851 | medium | 5.4 | 5.4 | 2y ago | Missing Authorization vulnerability in ShareThis ShareThis Dashboard for Google Analytics.This issue affects ShareThis Dashboard for Google Analytics: from n/a through 3.1.4. | |||
| CVE-2022-45351 | medium | 5.4 | 5.4 | 2y ago | Missing Authorization vulnerability in Muffingroup Betheme.This issue affects Betheme: from n/a through 26.6.1. | |||
| CVE-2022-45839 | medium | 5.4 | 5.4 | 3y ago | Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in WHA WHA Puzzle plugin <= 1.0.9 versions. | |||
| CVE-2022-45804 | medium | 5.4 | 5.4 | 3y ago | Cross-Site Request Forgery (CSRF) vulnerability in RoboSoft Photo Gallery, Images, Slider in Rbs Image Gallery plugin <= 3.2.9 leading to galleries hierarchy change, included plugin deactivate & acti… | |||
| CVE-2022-45091 | medium | 5.4 | 5.4 | 3y ago | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Group Arge Energy and Control Systems Smartpower Web allows Cross-Site Scripting (XSS). This iss… | |||
| CVE-2022-45086 | medium | 5.4 | 5.4 | 3y ago | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Group Arge Energy and Control Systems Smartpower Web allows Cross-Site Scripting (XSS). This issu… | |||
| CVE-2022-4554 | medium | 5.4 | 5.4 | 3y ago | B2B Customer Ordering System developed by ID Software Project and Consultancy Services before version 1.0.0.347 has an authenticated Reflected XSS vulnerability. This has been fixed in the version 1.… | |||
| CVE-2022-44590 | medium | 5.4 | 5.4 | 4y ago | Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in James Lao's Simple Video Embedder plugin <= 2.2 on WordPress. | |||
| CVE-2022-36404 | medium | 5.4 | 5.4 | 4y ago | Missing Authorization, Cross-Site Request Forgery (CSRF) vulnerability in David Cole Simple SEO (WordPress plugin) plugin <= 1.8.12 versions. | |||
| CVE-2022-0900 | medium | 5.4 | 5.4 | 4y ago | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NetDataSoft DivvyDrive allows Stored XSS. This issue affects DivvyDrive: from unspecified before… | |||
| CVE-2022-26523 | medium | 5.3 | 5.3 | 24d ago | The socket connection handler in aswArPot.sys in the Avast and AVG Windows Anti Rootkit driver before 22.1 allows local attackers to execute arbitrary code in kernel mode or cause a denial of service… | |||
| CVE-2022-47601 | medium | 5.3 | 5.3 | 1y ago | Missing Authorization vulnerability in JoomUnited WP Table Manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Table Manager: from n/a through 3.5.2. | |||
| CVE-2022-47429 | medium | 5.3 | 5.3 | 2y ago | Missing Authorization vulnerability in 8Degree Themes Coming Soon Landing Page and Maintenance Mode WordPress Plugin allows Retrieve Embedded Sensitive Data.This issue affects Coming Soon Landing Pag… | |||
| CVE-2022-47182 | medium | 5.3 | 5.3 | 2y ago | Missing Authorization vulnerability in Wpexpertsio APIExperts Square for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects APIExperts Square for W… | |||
| CVE-2022-46846 | medium | 5.3 | 5.3 | 2y ago | Missing Authorization vulnerability in WP OnlineSupport, Essential Plugin Trending/Popular Post Slider and Widget allows Exploiting Incorrectly Configured Access Control Security Levels.This issue af… | |||
| CVE-2022-44578 | medium | 5.3 | 5.3 | 2y ago | Missing Authorization vulnerability in Pierre JEHAN Owl Carousel allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Owl Carousel: from n/a through 0.5.3. | |||
| CVE-2022-44595 | medium | 5.3 | 5.3 | 2y ago | Improper Authentication vulnerability in Melapress WP 2FA allows Authentication Bypass.This issue affects WP 2FA: from n/a through 2.2.0. | |||
| CVE-2022-21626 | medium | 5.3 | 5.3 | 4y ago | RHSA-2023:0128: java-1.8.0-ibm security update (Moderate) | |||
| CVE-2022-21618 | medium | 5.3 | 5.3 | 4y ago | RHSA-2022:7012: java-11-openjdk security and bug fix update (Moderate) | |||
| CVE-2022-21540 | medium | 5.3 | 5.3 | 4y ago | RHSA-2022:5726: java-17-openjdk security, bug fix, and enhancement update (Important) | |||
| CVE-2022-21549 | medium | 5.3 | 5.3 | 4y ago | RHSA-2022:5726: java-17-openjdk security, bug fix, and enhancement update (Important) | |||
| CVE-2022-21366 | medium | 5.3 | 5.3 | 4y ago | RHSA-2022:0185: java-11-openjdk security update (Moderate) | |||
| CVE-2022-21360 | medium | 5.3 | 5.3 | 4y ago | RHSA-2022:0970: java-1.8.0-ibm security update (Moderate) | |||
| CVE-2022-21341 | medium | 5.3 | 5.3 | 4y ago | RHSA-2022:0970: java-1.8.0-ibm security update (Moderate) | |||
| CVE-2022-21340 | medium | 5.3 | 5.3 | 4y ago | RHSA-2022:0970: java-1.8.0-ibm security update (Moderate) | |||
| CVE-2022-21305 | medium | 5.3 | 5.3 | 4y ago | RHSA-2022:0307: java-1.8.0-openjdk security and bug fix update (Moderate) | |||
| CVE-2022-21299 | medium | 5.3 | 5.3 | 4y ago | RHSA-2022:0307: java-1.8.0-openjdk security and bug fix update (Moderate) | |||
| CVE-2022-21296 | medium | 5.3 | 5.3 | 4y ago | RHSA-2022:0307: java-1.8.0-openjdk security and bug fix update (Moderate) | |||
| CVE-2022-21294 | medium | 5.3 | 5.3 | 4y ago | RHSA-2022:0970: java-1.8.0-ibm security update (Moderate) | |||
| CVE-2022-21293 | medium | 5.3 | 5.3 | 4y ago | RHSA-2022:0970: java-1.8.0-ibm security update (Moderate) | |||
| CVE-2022-21291 | medium | 5.3 | 5.3 | 4y ago | RHSA-2022:0185: java-11-openjdk security update (Moderate) | |||
| CVE-2022-21283 | medium | 5.3 | 5.3 | 4y ago | RHSA-2022:0307: java-1.8.0-openjdk security and bug fix update (Moderate) | |||
| CVE-2022-21282 | medium | 5.3 | 5.3 | 4y ago | RHSA-2022:0307: java-1.8.0-openjdk security and bug fix update (Moderate) | |||
| CVE-2022-21277 | medium | 5.3 | 5.3 | 4y ago | RHSA-2022:0185: java-11-openjdk security update (Moderate) | |||
| CVE-2022-40211 | medium | 4.8 | 4.8 | 2y ago | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GiveWP allows Stored XSS.This issue affects GiveWP: from n/a through 2.25.1. | |||
| CVE-2022-44629 | medium | 4.8 | 4.8 | 3y ago | Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Catalyst Connect Catalyst Connect Zoho CRM Client Portal plugin <= 2.0.0 versions. | |||
| CVE-2022-47436 | medium | 4.8 | 4.8 | 3y ago | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in MantraBrain Yatra allows Stored XSS.This issue affects Yatra: from n/a through 2.1.14. | |||
| CVE-2022-43480 | medium | 4.8 | 4.8 | 3y ago | Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Magneticlab Sàrl Homepage Pop-up plugin <= 1.2.5 versions. | |||
| CVE-2022-32537 | medium | 4.8 | 4.8 | 4y ago | A vulnerability exists which could allow an unauthorized user to learn aspects of the communication protocol used to pair system components while the pump is being paired with other system components… | |||
| CVE-2022-44628 | medium | 4.8 | 4.8 | 4y ago | Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in JumpDEMAND Inc. 4ECPS Web Forms plugin <= 0.2.17 on WordPress. | |||
| CVE-2022-41656 | medium | 4.3 | 4.3 | 5d ago | Missing Authorization vulnerability in Bizswoop Account Manager for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Account Manager for WooCom… | |||
| CVE-2022-50955 | medium | 4.3 | 4.3 | 22d ago | WordPress Plugin Curtain 1.0.2 contains a cross-site request forgery vulnerability that allows attackers to activate or deactivate site maintenance mode by crafting malicious requests. Attackers can … | |||
| CVE-2022-47176 | medium | 4.3 | 4.3 | 2y ago | Missing Authorization vulnerability in Depicter Slider and Popup by Averta Depicter Slider allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Depicter Slider: … | |||
| CVE-2022-47168 | medium | 4.3 | 4.3 | 2y ago | Missing Authorization vulnerability in printful Printful Integration for WooCommerce printful-shipping-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This iss… | |||
| CVE-2022-46811 | medium | 4.3 | 4.3 | 2y ago | Missing Authorization vulnerability in VillaTheme(villatheme.com) ALD – Dropshipping and Fulfillment for AliExpress and WooCommerce allows Exploiting Incorrectly Configured Access Control Security Le… | |||
| CVE-2022-46807 | medium | 4.3 | 4.3 | 2y ago | Missing Authorization vulnerability in Lauri Karisola / WP Trio Stock Sync for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Stock Sync for Wo… | |||
| CVE-2022-43472 | medium | 4.3 | 4.3 | 2y ago | Missing Authorization vulnerability in StylemixThemes eRoom – Zoom Meetings & Webinar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects eRoom – Zoom Meetings … | |||
| CVE-2022-47604 | medium | 4.3 | 4.3 | 2y ago | Missing Authorization vulnerability in junkcoder, ristoniinemets AJAX Thumbnail Rebuild.This issue affects AJAX Thumbnail Rebuild: from n/a through 1.13. | |||
| CVE-2022-45352 | medium | 4.3 | 4.3 | 2y ago | Missing Authorization vulnerability in Muffingroup Betheme.This issue affects Betheme: from n/a through 26.6.1. | |||
| CVE-2022-45349 | medium | 4.3 | 4.3 | 2y ago | Missing Authorization vulnerability in Muffingroup Betheme.This issue affects Betheme: from n/a through 26.6.1. | |||
| CVE-2022-40702 | medium | 4.3 | 4.3 | 2y ago | Missing Authorization vulnerability in Zorem Advanced Local Pickup for WooCommerce.This issue affects Advanced Local Pickup for WooCommerce: from n/a through 1.5.2. | |||
| CVE-2022-40219 | medium | 4.3 | 4.3 | 4y ago | Cross-Site Request Forgery (CSRF) vulnerability in SedLex FavIcon Switcher plugin <= 1.2.11 at WordPress allows plugin settings change. | |||
| CVE-2022-43769 | unknown | — | 2.5 | 1y ago | Hitachi Vantara Pentaho BA Server contains a special element injection vulnerability that allows an attacker to inject Spring templates into properties files, allowing for arbitrary command execution. | |||
| CVE-2022-43939 | unknown | — | 2.5 | 1y ago | Hitachi Vantara Pentaho BA Server contains a use of non-canonical URL paths for authorization decisions vulnerability that enables an attacker to bypass authorization. | |||
| CVE-2022-22948 | unknown | — | 2.5 | 2y ago | VMware vCenter Server contains an incorrect default file permissions vulnerability that allows a remote, privileged attacker to gain access to sensitive information. | |||
| CVE-2022-29303 | unknown | — | 2.5 | 3y ago | SolarView Compact contains a command injection vulnerability due to improper validation of input values on the send test mail console of the product's web server. | |||
| CVE-2022-28810 | unknown | — | 2.5 | 3y ago | Zoho ManageEngine ADSelfService Plus contains an unspecified vulnerability allowing for remote code execution when performing a password change or reset. | |||
| CVE-2022-35914 | unknown | — | 2.5 | 3y ago | Teclib GLPI contains a remote code execution vulnerability in the third-party library, htmlawed. | |||
| CVE-2022-47986 | unknown | — | 2.5 | 3y ago | IBM Aspera Faspex could allow a remote attacker to execute code on the system, caused by a YAML deserialization flaw. | |||
| CVE-2022-46169 | unknown | — | 2.5 | 3y ago | Cacti contains a command injection vulnerability that allows an unauthenticated user to execute code. | |||
| CVE-2022-24990 | unknown | — | 2.5 | 3y ago | TerraMaster OS contains a remote command execution vulnerability that allows an unauthenticated user to execute commands on the target endpoint. | |||
| CVE-2022-21587 | unknown | — | 2.5 | 3y ago | Oracle E-Business Suite contains an unspecified vulnerability that allows an unauthenticated attacker with network access via HTTP to compromise Oracle Web Applications Desktop Integrator. | |||
| CVE-2022-47966 | unknown | — | 2.5 | 3y ago | Multiple Zoho ManageEngine products contain an unauthenticated remote code execution vulnerability due to the usage of an outdated third-party dependency, Apache Santuario. | |||
| CVE-2022-44877 | unknown | — | 2.5 | 3y ago | CWP Control Web Panel (formerly CentOS Web Panel) contains an OS command injection vulnerability that allows remote attackers to execute commands via shell metacharacters in the login parameter. | |||
| CVE-2022-41352 | unknown | — | 2.5 | 4y ago | Synacor Zimbra Collaboration Suite (ZCS) allows an attacker to upload arbitrary files using cpio package to gain incorrect access to any other user accounts. | |||
| CVE-2022-40684 | unknown | — | 2.5 | 4y ago | Fortinet FortiOS, FortiProxy, and FortiSwitchManager contain an authentication bypass vulnerability that could allow an unauthenticated attacker to perform operations on the administrative interface … | |||
| CVE-2022-41082 | unknown | — | 2.5 | 4y ago | Microsoft Exchange Server contains an unspecified vulnerability that allows for authenticated remote code execution. Dubbed "ProxyNotShell," this vulnerability is chainable with CVE-2022-41040 which … | |||
| CVE-2022-36804 | unknown | — | 2.5 | 4y ago | Multiple API endpoints of Atlassian Bitbucket Server and Data Center contain a command injection vulnerability where an attacker with access to a public Bitbucket repository, or with read permissions… | |||
| CVE-2022-41040 | unknown | — | 2.5 | 4y ago | Microsoft Exchange Server allows for server-side request forgery. Dubbed "ProxyNotShell," this vulnerability is chainable with CVE-2022-41082 which allows for remote code execution. | |||
| CVE-2022-35405 | unknown | — | 2.5 | 4y ago | Zoho ManageEngine PAM360, Password Manager Pro, and Access Manager Plus contain an unspecified vulnerability that allows for remote code execution. | |||
| CVE-2022-26352 | unknown | — | 2.5 | 4y ago | dotCMS ContentResource API contains an unrestricted upload of file with a dangerous type vulnerability that allows for directory traversal, in which the file is saved outside of the intended storage … | |||
| CVE-2022-24112 | unknown | — | 2.5 | 4y ago | Apache APISIX contains an authentication bypass vulnerability that allows for remote code execution. | |||
| CVE-2022-22536 | unknown | — | 2.5 | 4y ago | SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server and SAP Web Dispatcher allow HTTP request smuggling. An unauthenticated attacker can pr… | |||
| CVE-2022-26923 | unknown | — | 2.5 | 4y ago | An authenticated user could manipulate attributes on computer accounts they own or manage, and acquire a certificate from Active Directory Certificate Services that would allow for privilege escalati… | |||
| CVE-2022-37042 | unknown | — | 2.5 | 4y ago | Synacor Zimbra Collaboration Suite (ZCS) contains an authentication bypass vulnerability in MailboxImportServlet. This vulnerability was chained with CVE-2022-27925 which allows for unauthenticated r… | |||
| CVE-2022-27925 | unknown | — | 2.5 | 4y ago | Synacor Zimbra Collaboration Suite (ZCS) contains flaw in the mboximport functionality, allowing an authenticated attacker to upload arbitrary files to perform remote code execution. This vulnerabili… | |||
| CVE-2022-30333 | unknown | — | 2.5 | 4y ago | RARLAB UnRAR on Linux and UNIX contains a directory traversal vulnerability, allowing an attacker to write to files during an extract (unpack) operation. | |||
| CVE-2022-33891 | unknown | — | 2.5 | 4y ago | Apache Spark contains a command injection vulnerability via Spark User Interface (UI) when Access Control Lists (ACLs) are enabled. | |||
| CVE-2022-30190 | unknown | — | 2.5 | 4y ago | A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run code … | |||
| CVE-2022-26134 | unknown | — | 2.5 | 4y ago | Atlassian Confluence Server and Data Center contain a remote code execution vulnerability that allows for an unauthenticated attacker to perform remote code execution. | |||
| CVE-2022-30525 | unknown | — | 2.5 | 4y ago | A command injection vulnerability in the CGI program of some Zyxel firewall versions could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device. | |||
| CVE-2022-1388 | unknown | — | 2.5 | 4y ago | F5 BIG-IP contains a missing authentication in critical function vulnerability which can allow for remote code execution, creation or deletion of files, or disabling services. | |||
| CVE-2022-26904 | unknown | — | 2.5 | 4y ago | Microsoft Windows User Profile Service contains an unspecified vulnerability that allows for privilege escalation. | |||
| CVE-2022-29464 | unknown | — | 2.5 | 4y ago | Multiple WSO2 products allow for unrestricted file upload, resulting in remote code execution. | |||
| CVE-2022-22960 | unknown | — | 2.5 | 4y ago | VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a privilege escalation vulnerability due to improper permissions in support scripts. | |||
| CVE-2022-22954 | unknown | — | 2.5 | 4y ago | VMware Workspace ONE Access and Identity Manager allow for remote code execution due to server-side template injection. | |||
| CVE-2022-22963 | unknown | — | 2.5 | 4y ago | When using routing functionality in VMware Tanzu's Spring Cloud Function, it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code executio… | |||
| CVE-2022-22965 | unknown | — | 2.5 | 4y ago | Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. | |||
| CVE-2022-1040 | unknown | — | 2.5 | 4y ago | An authentication bypass vulnerability in User Portal and Webadmin of Sophos Firewall allows for remote code execution. | |||
| CVE-2022-0543 | unknown | — | 2.5 | 4y ago | Redis is prone to a (Debian-specific) Lua sandbox escape, which could result in remote code execution. | |||
| CVE-2022-21999 | unknown | — | 2.5 | 4y ago | Microsoft Windows Print Spooler contains an unspecified vulnerability which can allow for privilege escalation. | |||
| CVE-2022-26318 | unknown | — | 2.5 | 4y ago | On WatchGuard Firebox and XTM appliances, an unauthenticated user can execute arbitrary code. | |||
| CVE-2022-22947 | unknown | — | 2.5 | 4y ago | Spring Cloud Gateway applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. | |||
| CVE-2022-20699 | unknown | — | 2.5 | 4y ago | A vulnerability in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: Execute arbitrary code elevate privileges, execute arbitrary … | |||
| CVE-2022-21882 | unknown | — | 2.5 | 4y ago | Microsoft Win32k contains an unspecified vulnerability that allows for privilege escalation. |