CVEs from 2024

Total: 9,429
Critical: 114
High: 1,043
Medium: 1,991
Low: 40
% Critical: 1.2%
% with KEV: 1.7%
% with exploit: 1.7%
Top products
- checkmk 10
- office 8
- profilegrid 8
- office_long_term_servicing_channel 6
- glibc 5
- virtual_traffic_manager 5
- element_pack 5
- propertyhive 5
| CVE | Severity | CVSS | Risk | Published | Description | Impact |
|---|---|---|---|---|---|---|
| CVE-2024-35845 | critical | 9.1 | 9.1 | 2y ago | Important: kernel security and bug fix update | |
| CVE-2024-35960 | critical | 9.1 | 9.1 | 2y ago | Important: kernel security and bug fix update | |
| CVE-2024-34416 | critical | 9.1 | 9.1 | 2y ago | Unrestricted Upload of File with Dangerous Type vulnerability in Pk Favicon Manager. This issue affects Pk Favicon Manager: from n/a through 2.1. | |
| CVE-2024-27053 | critical | 9.1 | 9.1 | 2y ago | In the Linux kernel, the following vulnerability has been resolved: wifi: wilc1000: fix RCU usage in connect path With lockdep enabled, calls to the connect function from cfg802.11 layer lead to th… | |
| CVE-2024-31266 | critical | 9.1 | 9.1 | 2y ago | Improper Control of Generation of Code ('Code Injection') vulnerability in AlgolPlus Advanced Order Export For WooCommerce allows Code Injection. This issue affects Advanced Order Export For WooCommer… | |
| CVE-2024-32954 | critical | 9.1 | 9.1 | 2y ago | Unrestricted Upload of File with Dangerous Type vulnerability in Tribulant Newsletters. This issue affects Newsletters: from n/a through 4.9.5. | |
| CVE-2024-32948 | critical | 9.1 | 9.1 | 2y ago | Missing Authorization vulnerability in Repute Infosystems ARMember. This issue affects ARMember: from n/a through 4.0.28. | |
| CVE-2024-31345 | critical | 9.1 | 9.1 | 2y ago | Unrestricted Upload of File with Dangerous Type vulnerability in Sukhchain Singh Auto Poster. This issue affects Auto Poster: from n/a through 1.2. | |
| CVE-2024-31114 | critical | 9.1 | 9.1 | 2y ago | Unrestricted Upload of File with Dangerous Type vulnerability in biplob018 Shortcode Addons. This issue affects Shortcode Addons: from n/a through 3.2.5. | |
| CVE-2024-2890 | critical | 9.1 | 9.1 | 2y ago | Unrestricted Upload of File with Dangerous Type vulnerability in Tumult Inc. Tumult Hype Animations. This issue affects Tumult Hype Animations: from n/a through 1.9.12. | |
| CVE-2024-3596 | critical | 9.0 | 9.0 | 2y ago | Important: freeradius security update | |
| CVE-2024-22144 | critical | 9.0 | 9.0 | 2y ago | Improper Control of Generation of Code ('Code Injection') vulnerability in Eli Scheetz Anti-Malware Security and Brute-Force Firewall gotmls allows Code Injection. This issue affects Anti-Malware Secu… | |
| CVE-2024-30227 | critical | 9.0 | 9.0 | 2y ago | Deserialization of Untrusted Data vulnerability in INFINITUM FORM Geo Controller. This issue affects Geo Controller: from n/a through 8.6.4. | |
| CVE-2024-30226 | critical | 9.0 | 9.0 | 2y ago | Deserialization of Untrusted Data vulnerability in WPDeveloper BetterDocs. This issue affects BetterDocs: from n/a through 3.3.3. | |
| CVE-2024-31265 | low | 3.7 | 3.7 | 2y ago | Cross-Site Request Forgery (CSRF) vulnerability in SumoMe Sumo. This issue affects Sumo: from n/a through 1.34. | |
| CVE-2024-7083 | low | 3.5 | 3.5 | 1mo ago | The Email Encoder WordPress plugin before 2.3.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks… | |
| CVE-2024-6006 | low | 3.5 | 3.5 | 2y ago | A vulnerability was found in ZKTeco ZKBio CVSecurity V5000 4.1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the component Summer Schedule Handler. The … | |
| CVE-2024-6005 | low | 3.5 | 3.5 | 2y ago | A vulnerability was found in ZKTeco ZKBio CVSecurity V5000 4.1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the component Department Section. … | |
| CVE-2024-6807 | low | 3.4 | 3.4 | 2y ago | A vulnerability was found in SourceCodester Student Study Center Desk Management System 1.0 and classified as problematic. Affected by this issue is some unknown functionality of the file /sscdms/cla… | |
| CVE-2024-50044 | low | 3.3 | 3.3 | 1y ago | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: RFCOMM: FIX possible deadlock in rfcomm_sk_state_change rfcomm_sk_state_change attempts to use sock_lock so it must ne… | |
| CVE-2024-35935 | low | 3.3 | 3.3 | 2y ago | In the Linux kernel, the following vulnerability has been resolved: btrfs: send: handle path ref underflow in header iterate_inode_ref() Change BUG_ON to proper error handling if building the path … | |
| CVE-2024-28085 | low | 3.3 | 3.3 | 2y ago | wall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be sent to other users' terminals through argv. (Specifically, escape sequences received from … | |
| CVE-2024-3932 | low | 3.1 | 3.1 | 2y ago | A vulnerability classified as problematic has been found in Totara LMS up to 18.7. This affects an unknown part of the component User Selector. The manipulation leads to cross-site request forgery. I… | |
| CVE-2024-47272 | low | 2.7 | 2.7 | 1d ago | Incorrect authorization vulnerability in IO Module functionality in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows remote authenticated users with administrator privileges to … | |
| CVE-2024-47270 | low | 2.7 | 2.7 | 1d ago | Improper preservation of permissions vulnerability in Archiving Push functionality in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows remote authenticated users with administra… | |
| CVE-2024-47267 | low | 2.7 | 2.7 | 1d ago | Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in Archiving Pull functionality in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows … | |
| CVE-2024-10492 | low | 2.7 | 2.7 | 2y ago | Keycloak Path Traversal Vulnerability Due to External Control of File Name or Path | |
| CVE-2024-30507 | low | 2.7 | 2.7 | 2y ago | Authorization Bypass Through User-Controlled Key vulnerability in Molongui. This issue affects Molongui: from n/a through 4.7.7. | |
| CVE-2024-2408 | low | — | 2.5 | — | The openssl_private_decrypt function in PHP, when using PKCS1 padding (OPENSSL_PKCS1_PADDING, which is the default), is vulnerable to the Marvin Attack unless it is used with an OpenSSL version that … | |
| CVE-2024-56433 | low | — | 2.5 | 7mo ago | Low: shadow-utils security update | |
| CVE-2024-54677 | low | — | 2.5 | 2y ago | Apache Tomcat Uncontrolled Resource Consumption vulnerability | |
| CVE-2024-7592 | low | — | 2.5 | 2y ago | Low: python3.12 security update | |
| CVE-2024-52800 | low | — | 2.5 | 2y ago | veraPDF CLI has potential XXE (XML External Entity Injection) vulnerability | |
| CVE-2024-27043 | low | — | 2.5 | 2y ago | Low: kernel-rt:4.18.0 security update | |
| CVE-2024-5742 | low | — | 2.5 | 2y ago | Low: nano security update | |
| CVE-2024-29039 | low | — | 2.5 | 2y ago | Low: tpm2-tools security update | |
| CVE-2024-4741 | low | — | 2.5 | 2y ago | Low: openssl security update | |
| CVE-2024-2313 | low | — | 2.5 | 2y ago | Low: bpftrace security update | |
| CVE-2024-6126 | low | — | 2.5 | 2y ago | Low: cockpit security update | |
| CVE-2024-29038 | low | — | 2.5 | 2y ago | Low: tpm2-tools security update | |
| CVE-2024-2314 | low | — | 2.5 | 2y ago | Low: bcc security update | |
| CVE-2024-6501 | low | — | 2.5 | 2y ago | Low: NetworkManager security update | |
| CVE-2024-4603 | low | — | 2.5 | 2y ago | Low: openssl security update | |
| CVE-2024-36387 | low | — | 2.5 | 2y ago | Low: mod_http2 security update | |
| CVE-2024-5629 | low | — | 2.5 | 2y ago | Low: python36:3.6 security update | |
| CVE-2024-3854 | low | — | 2.5 | 2y ago | Low: thunderbird security update | |
| CVE-2024-3857 | low | — | 2.5 | 2y ago | Low: thunderbird security update | |
| CVE-2024-3861 | low | — | 2.5 | 2y ago | Low: thunderbird security update | |
| CVE-2024-3859 | low | — | 2.5 | 2y ago | Low: thunderbird security update | |
| CVE-2024-3852 | low | — | 2.5 | 2y ago | Low: thunderbird security update | |
| CVE-2024-3302 | low | — | 2.5 | 2y ago | Low: thunderbird security update | |
| CVE-2024-2609 | low | — | 2.5 | 2y ago | Low: thunderbird security update | |
| CVE-2024-3864 | low | — | 2.5 | 2y ago | Low: thunderbird security update | |
| CVE-2024-6344 | low | 2.4 | 2.4 | 2y ago | A vulnerability, which was classified as problematic, was found in ZKTeco ZKBio CVSecurity V5000 4.1.0. This affects an unknown part of the component Push Configuration Section. The manipulation of t… | |
| CVE-2024-42009 | unknown | — | 1.5 | 1y ago | A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a Desani… | |
| CVE-2024-37383 | unknown | — | 1.5 | 2y ago | Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via SVG animate attributes. | |
| CVE-2024-36401 | unknown | — | 1.5 | 2y ago | Remote Code Execution (RCE) vulnerability in geoserver | |
| CVE-2024-27348 | unknown | — | 1.5 | 2y ago | Apache HugeGraph-Server: Command execution in gremlin | |
| CVE-2024-23897 | unknown | — | 1.5 | 2y ago | Arbitrary file read vulnerability through the Jenkins CLI can lead to RCE | |
| CVE-2024-57004 | unknown | — | — | — | Cross-Site Scripting (XSS) vulnerability in Roundcube Webmail 1.6.9 allows remote authenticated users to upload a malicious file as an email attachment, leading to the triggering of the XSS by visiti… | |
| CVE-2024-45160 | unknown | — | — | — | Incorrect credential validation in LemonLDAP::NG 2.18.x and 2.19.x before 2.19.2 allows attackers to bypass OAuth2 client authentication via an empty client_password parameter (client secret). | |
| CVE-2024-52947 | unknown | — | — | — | A cross-site scripting (XSS) vulnerability in LemonLDAP::NG before 2.20.1 allows remote attackers to inject arbitrary web script or HTML via the url parameter of the upgrade session confirmation page… | |
| CVE-2024-11498 | unknown | — | — | — | There exists a stack buffer overflow in libjxl. A specifically-crafted file can cause the JPEG XL decoder to use large amounts of stack space (up to 256mb is possible, maybe 512mb), potentially exhau… | |
| CVE-2024-37384 | unknown | — | — | — | Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via list columns from user preferences. | |
| CVE-2024-37385 | unknown | — | — | — | Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 on Windows allows command injection via im_convert_path and im_identify_path. NOTE: this issue exists because of an incomplete fix for CVE-2020-1… | |
| CVE-2024-42008 | unknown | — | — | — | A Cross-Site Scripting vulnerability in rcmail_action_mail_get->run() in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a malicious … | |
| CVE-2024-34462 | unknown | — | — | — | Alinto SOGo through 5.10.0 allows XSS during attachment preview. | |
| CVE-2024-24510 | unknown | — | — | — | Cross Site Scripting vulnerability in Alinto SOGo before 5.10.0 allows a remote attacker to execute arbitrary code via the import function to the mail component. | |
| CVE-2024-42010 | unknown | — | — | — | mod_css_styles in Roundcube through 1.5.7 and 1.6.x through 1.6.7 insufficiently filters Cascading Style Sheets (CSS) token sequences in rendered e-mail messages, allowing a remote attacker to obtain… | |
| CVE-2024-52948 | unknown | — | — | — | | |
| CVE-2024-11403 | unknown | — | — | — | There exists an out of bounds read/write in LibJXL versions prior to commit 9cc451b91b74ba470fd72bd48c121e9f33d24c99. The JPEG decoder used by the JPEG XL encoder when doing JPEG recompression (i.e. … | |
| CVE-2024-52946 | unknown | — | — | — | An issue was discovered in LemonLDAP::NG before 2.20.1. An Improper Check during session refresh allows an authenticated user to raise their authentication level if the admin configured an "Adaptativ… | |
| CVE-2024-48933 | unknown | — | — | — | A cross-site scripting (XSS) vulnerability in LemonLDAP::NG before 2.19.3 allows remote attackers to inject arbitrary web script or HTML into the login page via a username if userControl has been set… | |
| CVE-2024-47097 | unknown | — | — | 51 min ago | Cross Site Scripting vulnerability in Follet School Solutions Destiny before v22.0.1 AU1 allows a remote attacker to run arbitrary client-side code via the site parameter of handleloginform.do. | |
| CVE-2024-47096 | unknown | — | — | 51 min ago | Cross Site Scripting vulnerability in Follet School Solutions Destiny before v22.0.1 AU1 allows a remote attacker to run arbitrary client-side code via the showSupportExpiredMessage parameter of hand… | |
| CVE-2024-4027 | unknown | — | — | 4mo ago | Undertow Servlets Vulnerable to Remote DoS via OutOfMemoryError when Passed Large Parameter Names | |
| CVE-2024-29371 | unknown | — | — | 5mo ago | jose4j is vulnerable to DoS via compressed JWE content | |
| CVE-2024-3884 | unknown | — | — | 6mo ago | Undertow OutOfMemory when parsing form data encoding with application/x-www-form-urlencoded | |
| CVE-2024-43115 | unknown | — | — | 9mo ago | Apache DolphinScheduler vulnerable to Alert Script Attack | |
| CVE-2024-10032 | unknown | — | — | 11mo ago | Eclipse GlassFish is vulnerable to Stored XSS attacks through its Administration Console | |
| CVE-2024-41169 | unknown | — | — | 11mo ago | Apache Zeppelin exposes server resources to unauthenticated attackers | |
| CVE-2024-29198 | unknown | — | — | 1y ago | GeoServer Vulnerable to Unauthenticated SSRF via TestWfsPost | |
| CVE-2024-41446 | unknown | — | — | 1y ago | OpenCMS cross-site scripting (XSS) vulnerability | |
| CVE-2024-52981 | unknown | — | — | 1y ago | Elasticsearch Vulnerable to Stack Overflow due to a Large Recursion | |
| CVE-2024-56325 | unknown | — | — | 1y ago | Apache Pinot Vulnerable to Authentication Bypass | |
| CVE-2024-6875 | unknown | — | — | 1y ago | Infinispan Potential Out of Memory Error via REST Compare API Buffer API | |
| CVE-2024-48944 | unknown | — | — | 1y ago | Apache Kylin Server-Side Request Forgery (SSRF) via `/kylin/api/xxx/diag` Endpoint | |
| CVE-2024-12369 | unknown | — | — | 1y ago | WildFly Elytron OpenID Connect Client Extension OIDC authorization code injection attack | |
| CVE-2024-8062 | unknown | — | — | 1y ago | H2O Vulnerable to Denial of Service (DoS) via `HEAD` Request | |
| CVE-2024-7765 | unknown | — | — | 1y ago | H2O Vulnerable to Denial of Service (DoS) via Large GZIP Parsing | |
| CVE-2024-6854 | unknown | — | — | 1y ago | H2O Vulnerable to Arbitrary File Overwrite via File Export | |
| CVE-2024-10550 | unknown | — | — | 1y ago | H2O Vulnerable to Denial of Service (DoS) via `/3/ParseSetup` Endpoint | |
| CVE-2024-47552 | unknown | — | — | 1y ago | Apache Seata Vulnerable to Deserialization of Untrusted Data | |
| CVE-2024-54016 | unknown | — | — | 1y ago | Apache Seata Vulnerable to Data Amplification | |
| CVE-2024-55532 | unknown | — | — | 1y ago | Apache Ranger Improper Neutralization of Formula Elements vulnerability | |
| CVE-2024-2321 | unknown | — | — | 1y ago | WSO2 incorrect authorization vulnerability | |
| CVE-2024-52577 | unknown | — | — | 1y ago | Apache Ignite: Possible RCE when deserializing incoming messages by the server node | |
| CVE-2024-32037 | unknown | — | — | 1y ago | GeoNetwork search end-point information disclosure in response headers | |
| CVE-2024-37358 | unknown | — | — | 1y ago | Apache James vulnerable to denial of service through the use of IMAP literals | |
| CVE-2024-45626 | unknown | — | — | 1y ago | Apache James vulnerable to denial of service through JMAP HTML to text conversion |