CVEs from 2024

- Total: 6,678
- Critical: 124
- High: 1,047
- Medium: 2,013
- Low: 48
- % Critical: 1.9%
- % with KEV: 2.4%
- % with exploit: 3.3%
Top products
- surveillance_station 12
- checkmk 10
- profilegrid 8
- office 8
- office_long_term_servicing_channel 6
- glibc 5
- virtual_traffic_manager 5
- element_pack 5
Top packages
| CVE | Severity | CVSS | Risk | Published | Description |
|---|---|---|---|---|---|
| CVE-2024-3172 | unknown | — | — | — | Insufficient data validation in DevTools in Google Chrome prior to 121.0.6167.85 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a craft… |
| CVE-2024-3175 | unknown | — | — | — | Insufficient data validation in Extensions in Google Chrome prior to 120.0.6099.62 allowed a remote attacker to perform privilege escalation via a crafted Chrome Extension. (Chromium security severit… |
| CVE-2024-3833 | unknown | — | — | — | Object corruption in WebAssembly in Google Chrome prior to 124.0.6367.60 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page. (Chromium security severity: High) |
| CVE-2024-3843 | unknown | — | — | — | Insufficient data validation in Downloads in Google Chrome prior to 124.0.6367.60 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium) |
| CVE-2024-4059 | unknown | — | — | — | Out of bounds read in V8 API in Google Chrome prior to 124.0.6367.78 allowed a remote attacker to leak cross-site data via a crafted HTML page. (Chromium security severity: High) |
| CVE-2024-4948 | unknown | — | — | — | Use after free in Dawn in Google Chrome prior to 125.0.6422.60 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) |
| CVE-2024-5157 | unknown | — | — | — | Use after free in Scheduling in Google Chrome prior to 125.0.6422.76 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) |
| CVE-2024-26608 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix global oob in ksmbd_nl_policy Similar to a reported issue (check the commit b33fb5b801c6 ("net: qualcomm: rmnet: fix g… |
| CVE-2024-11920 | unknown | — | — | — | Inappropriate implementation in Dawn in Google Chrome on Mac prior to 130.0.6723.92 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severi… |
| CVE-2024-42479 | unknown | — | — | — | llama.cpp provides LLM inference in C/C++. The unsafe `data` pointer member in the `rpc_tensor` structure can cause arbitrary address writing. This vulnerability is fixed in b3561. |
| CVE-2024-42478 | unknown | — | — | — | llama.cpp provides LLM inference in C/C++. The unsafe `data` pointer member in the `rpc_tensor` structure can cause arbitrary address reading. This vulnerability is fixed in b3561. |
| CVE-2024-12695 | unknown | — | — | — | Out of bounds write in V8 in Google Chrome prior to 131.0.6778.204 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) |
| CVE-2024-10487 | unknown | — | — | — | Out of bounds write in Dawn in Google Chrome prior to 130.0.6723.92 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: Critical) |
| CVE-2024-11116 | unknown | — | — | — | Inappropriate implementation in Blink in Google Chrome prior to 131.0.6778.69 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTM… |
| CVE-2024-12053 | unknown | — | — | — | Type Confusion in V8 in Google Chrome prior to 131.0.6778.108 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page. (Chromium security severity: High) |
| CVE-2024-49913 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add null check for top_pipe_to_program in commit_planes_for_stream This commit addresses a null pointer derefere… |
| CVE-2024-41081 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: ila: block BH in ila_output() As explained in commit 1378817486d6 ("tipc: block BH before using dst_cache"), net/core/dst_cache.c… |
| CVE-2024-49867 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: btrfs: wait for fixup workers before stopping cleaner kthread during umount During unmount, at close_ctree(), we have the followi… |
| CVE-2024-49942 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: drm/xe: Prevent null pointer access in xe_migrate_copy xe_migrate_copy designed to copy content of TTM resources. When source res… |
| CVE-2024-47090 | unknown | — | — | — | Improper neutralization of input in Nagvis before version 1.9.47 which can lead to XSS |
| CVE-2024-58090 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: sched/core: Prevent rescheduling when interrupts are disabled David reported a warning observed while loop testing kexec jump: … |
| CVE-2024-56745 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: PCI: Fix reset_method_store() memory leak In reset_method_store(), a string is allocated via kstrndup() and assigned to the local… |
| CVE-2024-0812 | unknown | — | — | — | Inappropriate implementation in Accessibility in Google Chrome prior to 121.0.6167.85 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page. (Chromium security se… |
| CVE-2024-10230 | unknown | — | — | — | Type Confusion in V8 in Google Chrome prior to 130.0.6723.69 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) |
| CVE-2024-3840 | unknown | — | — | — | Insufficient policy enforcement in Site Isolation in Google Chrome prior to 124.0.6367.60 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security sever… |
| CVE-2024-3844 | unknown | — | — | — | Inappropriate implementation in Extensions in Google Chrome prior to 124.0.6367.60 allowed a remote attacker to perform UI spoofing via a crafted Chrome Extension. (Chromium security severity: Low) |
| CVE-2024-3845 | unknown | — | — | — | Inappropriate implementation in Networks in Google Chrome prior to 124.0.6367.60 allowed a remote attacker to bypass mixed content policy via a crafted HTML page. (Chromium security severity: Low) |
| CVE-2024-5160 | unknown | — | — | — | Heap buffer overflow in Dawn in Google Chrome prior to 125.0.6422.76 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High) |
| CVE-2024-5846 | unknown | — | — | — | Use after free in PDFium in Google Chrome prior to 126.0.6478.54 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. (Chromium security severity: Medium) |
| CVE-2024-6103 | unknown | — | — | — | Use after free in Dawn in Google Chrome prior to 126.0.6478.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) |
| CVE-2024-6773 | unknown | — | — | — | Inappropriate implementation in V8 in Google Chrome prior to 126.0.6478.182 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) |
| CVE-2024-6988 | unknown | — | — | — | Use after free in Downloads in Google Chrome on iOS prior to 127.0.6533.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) |
| CVE-2024-6991 | unknown | — | — | — | Use after free in Dawn in Google Chrome prior to 127.0.6533.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) |
| CVE-2024-6989 | unknown | — | — | — | Use after free in Loader in Google Chrome prior to 127.0.6533.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) |
| CVE-2024-7976 | unknown | — | — | — | Inappropriate implementation in FedCM in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium) |
| CVE-2024-7978 | unknown | — | — | — | Insufficient policy enforcement in Data Transfer in Google Chrome prior to 128.0.6613.84 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via… |
| CVE-2024-46785 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: eventfs: Use list_del_rcu() for SRCU protected list variable Chi Zhiling reported: We found a null pointer accessing in tracef… |
| CVE-2024-56717 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: net: mscc: ocelot: fix incorrect IFH SRC_PORT field in ocelot_ifh_set_basic() Packets injected by the CPU should have a SRC_PORT … |
| CVE-2024-36906 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: ARM: 9381/1: kasan: clear stale stack poison We found below OOB crash: [ 33.452494] ==========================================… |
| CVE-2024-47097 | unknown | — | — | 4d ago | Cross Site Scripting vulnerability in Follet School Solutions Destiny before v22.0.1 AU1 allows a remote attacker to run arbitrary client-side code via the site parameter of handleloginform.do. |
| CVE-2024-47096 | unknown | — | — | 4d ago | Cross Site Scripting vulnerability in Follet School Solutions Destiny before v22.0.1 AU1 allows a remote attacker to run arbitrary client-side code via the showSupportExpiredMessage parameter of hand… |
| CVE-2024-5986 | unknown | — | — | 4mo ago | H2O has an External Control of File Name or Path vulnerability |
| CVE-2024-4027 | unknown | — | — | 4mo ago | Undertow Servlets Vulnerable to Remote DoS via OutOfMemoryError when Passed Large Parameter Names |
| CVE-2024-29371 | unknown | — | — | 6mo ago | jose4j is vulnerable to DoS via compressed JWE content |
| CVE-2024-3884 | unknown | — | — | 6mo ago | Undertow OutOfMemory when parsing form data encoding with application/x-www-form-urlencoded |
| CVE-2024-44088 | unknown | — | — | 8mo ago | Apache Geode web-api is vulnerable to Cross-site Scripting |
| CVE-2024-6429 | unknown | — | — | 8mo ago | WSO2 Identity Server Apps allows content spoofing in logs |
| CVE-2024-43115 | unknown | — | — | 9mo ago | Apache DolphinScheduler vulnerable to Alert Script Attack |
| CVE-2024-43166 | unknown | — | — | 9mo ago | Apache DolphinScheduler Incorrect Default Permissions Vulnerability |
| CVE-2024-39954 | unknown | — | — | 10mo ago | Apache EventMesh Vulnerable to Server-Side Request Forgery in WebhookUtil.java |
| CVE-2024-52279 | unknown | — | — | 10mo ago | Apache Zeppelin: Arbitrary file read by adding malicious JDBC connection string |
| CVE-2024-41177 | unknown | — | — | 10mo ago | Apache Zeppelin: XSS in the Helium module |
| CVE-2024-51775 | unknown | — | — | 10mo ago | Apache Zeppelin: Missing Origin Validation in WebSockets vulnerability |
| CVE-2024-9408 | unknown | — | — | 11mo ago | Eclipse GlassFish is vulnerable to Server Side Request Forgery attacks through specific endpoints |
| CVE-2024-10031 | unknown | — | — | 11mo ago | Eclipse GlassFish is vulnerable to Stored XSS attacks through configuration file modifications |
| CVE-2024-9342 | unknown | — | — | 11mo ago | Eclipse GlassFish is vulnerable to Login Brute Force attacks through unlimited failed login attempts |
| CVE-2024-9343 | unknown | — | — | 11mo ago | Eclipse GlassFish is vulnerable to Stored XSS attacks through its Administration Console |
| CVE-2024-10029 | unknown | — | — | 11mo ago | Eclipse GlassFish is vulnerable to Reflected XSS attacks through its Administration Console |
| CVE-2024-10032 | unknown | — | — | 11mo ago | Eclipse GlassFish is vulnerable to Stored XSS attacks through its Administration Console |
| CVE-2024-41169 | unknown | — | — | 11mo ago | Apache Zeppelin exposes server resources to unauthenticated attackers |
| CVE-2024-56158 | unknown | — | — | 1y ago | XWiki allows SQL injection in query endpoint of REST API with Oracle |
| CVE-2024-40625 | unknown | — | — | 1y ago | Coverage REST API Server Side Request Forgery |
| CVE-2024-38524 | unknown | — | — | 1y ago | GWC Home Page communicate version and revision information |
| CVE-2024-34711 | unknown | — | — | 1y ago | GeoServer has improper ENTITY_RESOLUTION_ALLOWLIST URI validation in XML Processing (SSRF) |
| CVE-2024-29198 | unknown | — | — | 1y ago | GeoServer Vulnerable to Unauthenticated SSRF via TestWfsPost |
| CVE-2024-8008 | unknown | — | — | 1y ago | WSO2 products vulnerable to Cross-site Scripting |
| CVE-2024-1440 | unknown | — | — | 1y ago | WSO2 is vulnerable to Open Redirect through multi-option URL in its authentication endpoint |
| CVE-2024-7096 | unknown | — | — | 1y ago | WSO2 products vulnerable to privilege escalation due to business logic flaw in SOAP admin services |
| CVE-2024-24780 | unknown | — | — | 1y ago | Apache IoTDB Vulnerable to Remote Code Execution |
| CVE-2024-13009 | unknown | — | — | 1y ago | **UNSUPPORTED WHEN ASSIGNED** GzipHandler causes part of request body to be seen as request body of a separate request |
| CVE-2024-52979 | unknown | — | — | 1y ago | Elasticsearch Uncontrolled Resource Consumption Vulnerability |
| CVE-2024-42699 | unknown | — | — | 1y ago | OpenCMS Cross-Site Scripting vulnerability |
| CVE-2024-41446 | unknown | — | — | 1y ago | OpenCMS cross-site scripting (XSS) vulnerability |
| CVE-2024-41447 | unknown | — | — | 1y ago | Alkacon OpenCMS stored cross-site scripting (XSS) vulnerability |
| CVE-2024-55238 | unknown | — | — | 1y ago | OpenMetadata SQL Injection |
| CVE-2024-52981 | unknown | — | — | 1y ago | Elasticsearch Vulnerable to Stack Overflow due to a Large Recursion |
| CVE-2024-52980 | unknown | — | — | 1y ago | Elasticsearch Potential Node Crash due to Large Recursion in `innerForbidCircularReferences` Function |
| CVE-2024-56325 | unknown | — | — | 1y ago | Apache Pinot Vulnerable to Authentication Bypass |
| CVE-2024-6875 | unknown | — | — | 1y ago | Infinispan Potential Out of Memory Error via REST Compare API Buffer API |
| CVE-2024-48944 | unknown | — | — | 1y ago | Apache Kylin Server-Side Request Forgery (SSRF) via `/kylin/api/xxx/diag` Endpoint |
| CVE-2024-12369 | unknown | — | — | 1y ago | WildFly Elytron OpenID Connect Client Extension OIDC authorization code injection attack |
| CVE-2024-8616 | unknown | — | — | 1y ago | H2O Vulnerable to Arbitrary File Overwrite |
| CVE-2024-8062 | unknown | — | — | 1y ago | H2O Vulnerable to Denial of Service (DoS) via `HEAD` Request |
| CVE-2024-7765 | unknown | — | — | 1y ago | H2O Vulnerable to Denial of Service (DoS) via Large GZIP Parsing |
| CVE-2024-7768 | unknown | — | — | 1y ago | H2O Vulnerable to Denial of Service (DoS) via `/3/ImportFiles` Endpoint |
| CVE-2024-6863 | unknown | — | — | 1y ago | H2O Vulnerable to Execution of Arbitrary Files |
| CVE-2024-6854 | unknown | — | — | 1y ago | H2O Vulnerable to Arbitrary File Overwrite via File Export |
| CVE-2024-10553 | unknown | — | — | 1y ago | H2O Deserialization of Untrusted Data Vulnerability |
| CVE-2024-10550 | unknown | — | — | 1y ago | H2O Vulnerable to Denial of Service (DoS) via `/3/ParseSetup` Endpoint |
| CVE-2024-10549 | unknown | — | — | 1y ago | H2O Vulnerable to Denial of Service (DoS) via `/3/Parse` Endpoint |
| CVE-2024-10572 | unknown | — | — | 1y ago | H2O Vulnerable to Denial of Service (DoS) and File Write |
| CVE-2024-54016 | unknown | — | — | 1y ago | Apache Seata Vulnerable to Data Amplification |
| CVE-2024-47552 | unknown | — | — | 1y ago | Apache Seata Vulnerable to Deserialization of Untrusted Data |
| CVE-2024-58103 | unknown | — | — | 1y ago | Wire has Uncontrolled Recursion on Nested Groups |
| CVE-2024-55532 | unknown | — | — | 1y ago | Apache Ranger Improper Neutralization of Formula Elements vulnerability |
| CVE-2024-24778 | unknown | — | — | 1y ago | Apache StreamPipes has improper privilege management in a REST interface |
| CVE-2024-2321 | unknown | — | — | 1y ago | WSO2 incorrect authorization vulnerability |
| CVE-2024-4028 | unknown | — | — | 1y ago | Keycloak allows cross-site scripting (XSS) |
| CVE-2024-56180 | unknown | — | — | 1y ago | Apache EventMesh: raft Hessian Deserialization Vulnerability allowing remote code execution |
| CVE-2024-52577 | unknown | — | — | 1y ago | Apache Ignite: Possible RCE when deserializing incoming messages by the server node |
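Every row above reports a Severity of "unknown" and no CVSS score, but the Chromium entries carry their own severity and a "prior to X.Y.Z.W" fixed build inside the description text. The following is an added triage helper (not part of this listing or of any vendor tooling) that recovers those two fields from rows in this table's format and checks an installed Chrome build against them. The sample rows are copied from the table; the installed build numbers used in the usage note are assumptions for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: rows copied from the table above, one non-Chrome
# row included to show that it is skipped.
SAMPLE_ROWS = """\
| CVE-2024-3172 | unknown | — | — | — | Insufficient data validation in DevTools in Google Chrome prior to 121.0.6167.85 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a craft… |
| CVE-2024-10487 | unknown | — | — | — | Out of bounds write in Dawn in Google Chrome prior to 130.0.6723.92 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: Critical) |
| CVE-2024-12695 | unknown | — | — | — | Out of bounds write in V8 in Google Chrome prior to 131.0.6778.204 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) |
| CVE-2024-3844 | unknown | — | — | — | Inappropriate implementation in Extensions in Google Chrome prior to 124.0.6367.60 allowed a remote attacker to perform UI spoofing via a crafted Chrome Extension. (Chromium security severity: Low) |
| CVE-2024-26608 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix global oob in ksmbd_nl_policy |
"""

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
# Chrome advisories name the first fixed build as "Google Chrome [on <OS>] prior to A.B.C.D".
FIXED_RE = re.compile(r"Google Chrome(?: on [A-Za-z]+)? prior to (\d+(?:\.\d+){3})")
SEVERITY_RE = re.compile(r"Chromium security severity: (Critical|High|Medium|Low)")


@dataclass
class ChromeAdvisory:
    cve: str
    fixed_version: tuple          # (major, minor, build, patch) of the first fixed release
    severity: Optional[str]       # None when the description was truncated before the severity


def parse_version(text):
    """'130.0.6723.92' -> (130, 0, 6723, 92); tuples compare in the right order."""
    return tuple(int(part) for part in text.split("."))


def parse_row(line):
    """Return a ChromeAdvisory for a table row describing a Chrome fix, else None."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) < 6:
        return None
    cve_match = CVE_RE.search(cells[0])
    description = cells[5]
    fixed_match = FIXED_RE.search(description)
    if not cve_match or not fixed_match:
        return None
    sev_match = SEVERITY_RE.search(description)
    return ChromeAdvisory(
        cve=cve_match.group(0),
        fixed_version=parse_version(fixed_match.group(1)),
        severity=sev_match.group(1) if sev_match else None,
    )


def parse_table(text):
    """Parse every row of the markdown table; rows that are not Chrome fixes are dropped."""
    return [adv for adv in (parse_row(line) for line in text.splitlines()) if adv]


def unpatched(advisories, installed):
    """Advisories whose fixed build is newer than `installed`, worst severity first.

    A missing severity (truncated description) sorts last but is still reported,
    so a truncated row never silently disappears from the triage list.
    """
    rank = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, None: 4}
    current = parse_version(installed)
    hits = [adv for adv in advisories if current < adv.fixed_version]
    return sorted(hits, key=lambda adv: (rank[adv.severity], adv.cve))


if __name__ == "__main__":
    advisories = parse_table(SAMPLE_ROWS)
    # Assumed installed build for the demo; replace with the output of `chrome --version`.
    for adv in unpatched(advisories, "130.0.6723.69"):
        print(adv.cve, adv.severity or "severity-unknown", ".".join(map(str, adv.fixed_version)))
```

With the assumed installed build 130.0.6723.69 the helper reports CVE-2024-10487 (Critical, fixed in 130.0.6723.92) and CVE-2024-12695 (High, fixed in 131.0.6778.204), and nothing once the build is at or past 131.0.6778.204. Note that CVE-2024-3172's description is cut off before its severity, so the helper keeps it in the list with a missing severity rather than guessing one; the same caution applies to any row of this table whose text ends in "…".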