CVEs from 2024
- Total 6,686
- Critical 124
- High 1,048
- Medium 2,024
- Low 48
- % Critical 1.9%
- % with KEV 2.4%
- % with exploit 3.3%
Top products
- surveillance_station 12
- checkmk 10
- profilegrid 8
- office 8
- office_long_term_servicing_channel 6
- glibc 5
- virtual_traffic_manager 5
- element_pack 5
Top packages
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-26579 | unknown | — | — | | | | 2y ago | Apache Inlong Deserialization of Untrusted Data vulnerability |
| CVE-2024-34517 | unknown | — | — | | | | 2y ago | Neo4j Cypher component mishandles IMMUTABLE privileges |
| CVE-2024-33748 | unknown | — | — | | | | 2y ago | MS Basic Cross-site Scripting vulnerability |
| CVE-2024-4536 | unknown | — | — | | | | 2y ago | Eclipse Dataspace Components vulnerable to OAuth2 client secret disclosure |
| CVE-2024-34447 | unknown | — | — | | | | 2y ago | Bouncy Castle Java Cryptography API vulnerable to DNS poisoning |
| CVE-2024-30251 | unknown | — | — | | | | 2y ago | aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In affected versions an attacker can send a specially crafted POST (multipart/form-data) request. When the aiohttp serv… |
| CVE-2024-4029 | unknown | — | — | | | | 2y ago | Wildfly vulnerable to denial of service |
| CVE-2024-34148 | unknown | — | — | | | | 2y ago | Jenkins Subversion Partial Release Manager Plugin programmatically disables the fix for CVE-2016-3721 |
| CVE-2024-34147 | unknown | — | — | | | | 2y ago | Jenkins Telegram Bot Plugin stores the Telegram Bot token in plaintext |
| CVE-2024-34145 | unknown | — | — | | | | 2y ago | Jenkins Script Security Plugin sandbox bypass vulnerability |
| CVE-2024-34146 | unknown | — | — | | | | 2y ago | Jenkins Git server Plugin does not perform a permission check |
| CVE-2024-34144 | unknown | — | — | | | | 2y ago | Jenkins Script Security Plugin has sandbox bypass vulnerability involving crafted constructor bodies |
| CVE-2024-32114 | unknown | — | — | | | | 2y ago | Apache ActiveMQ's default configuration doesn't secure the API web context |
| CVE-2024-31573 | unknown | — | — | | | | 2y ago | XMLUnit for Java has Insecure Defaults when Processing XSLT Stylesheets |
| CVE-2024-32887 | unknown | — | — | | | | 2y ago | Sidekiq is simple, efficient background processing for Ruby. Sidekiq is reflected XSS vulnerability. The value of substr parameter is reflected in the response without any encoding, allowing an attac… |
| CVE-2024-1102 | unknown | — | — | | | | 2y ago | Jberet: jberet-core logging database credentials |
| CVE-2024-1726 | unknown | — | — | | | | 2y ago | Quarkus: security checks in resteasy reactive may trigger a denial of service |
| CVE-2024-28848 | unknown | — | — | | | | 2y ago | OpenMetadata vulnerable to a SpEL Injection in `GET /api/v1/policies/validation/condition/<expr>` (`GHSL-2023-236`) |
| CVE-2024-28847 | unknown | — | — | | | | 2y ago | OpenMetadata vulnerable to a SpEL Injection in `PUT /api/v1/events/subscriptions` (`GHSL-2023-251`) |
| CVE-2024-28253 | unknown | — | — | | | | 2y ago | OpenMetadata vulnerable to SpEL Injection in `PUT /api/v1/policies` (`GHSL-2023-252`) |
| CVE-2024-32656 | unknown | — | — | | | | 2y ago | Ant Media Server vulnerable to a local privilege escalation |
| CVE-2024-27349 | unknown | — | — | | | | 2y ago | Apache HugeGraph-Server: Bypass whitelist in Auth mode |
| CVE-2024-27347 | unknown | — | — | | | | 2y ago | Apache HugeGraph-Hubble: SSRF in Hubble connection page |
| CVE-2024-31584 | unknown | — | — | | | | 2y ago | Pytorch before v2.2.0 has an Out-of-bounds Read vulnerability via the component torch/csrc/jit/mobile/flatbuffer_loader.cpp. |
| CVE-2024-32473 | unknown | — | — | | | | 2y ago | Moby is an open source container framework that is a key component of Docker Engine, Docker Desktop, and other distributions of container tooling or runtimes. In 26.0.0, IPv6 is not disabled on netwo… |
| CVE-2024-27306 | unknown | — | — | | | | 2y ago | aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. A XSS vulnerability exists on index pages for static file handling. This vulnerability is fixed in 3.9.4. We have alway… |
| CVE-2024-31580 | unknown | — | — | | | | 2y ago | PyTorch before v2.2.0 was discovered to contain a heap buffer overflow vulnerability in the component /runtime/vararg_functions.cpp. This vulnerability allows attackers to cause a Denial of Service (… |
| CVE-2024-31583 | unknown | — | — | | | | 2y ago | Pytorch before version v2.2.0 was discovered to contain a use-after-free vulnerability in torch/csrc/jit/mobile/interpreter.cpp. |
| CVE-2024-1132 | unknown | — | — | | | | 2y ago | Keycloak path traversal vulnerability in redirection validation |
| CVE-2024-1249 | unknown | — | — | | | | 2y ago | Keycloak's unvalidated cross-origin messages in checkLoginIframe leads to DDoS |
| CVE-2024-2419 | unknown | — | — | | | | 2y ago | Keycloak path traversal vulnerability in the redirect validation |
| CVE-2024-3825 | unknown | — | — | | | | 2y ago | BlazeMeter Jenkins plugin vulnerable to Cross-Site Request Forgery |
| CVE-2024-22262 | unknown | — | — | | | | 2y ago | Spring Framework URL Parsing with Host Validation |
| CVE-2024-27309 | unknown | — | — | | | | 2y ago | Apache Kafka: Potential incorrect access control during migration from ZK mode to KRaft mode |
| CVE-2024-31861 | unknown | — | — | | | | 2y ago | Code injection in Apache Zeppelin Shell |
| CVE-2024-31997 | unknown | — | — | | | | 2y ago | XWiki Platform remote code execution from account through UIExtension parameters |
| CVE-2024-31996 | unknown | — | — | | | | 2y ago | XWiki Commons missing escaping of `{` in Velocity escapetool allows remote code execution |
| CVE-2024-31988 | unknown | — | — | | | | 2y ago | XWiki Platform CSRF remote code execution through the realtime HTML Converter API |
| CVE-2024-31987 | unknown | — | — | | | | 2y ago | XWiki Platform remote code execution from account via custom skins support |
| CVE-2024-31986 | unknown | — | — | | | | 2y ago | XWiki Platform CSRF remote code execution through scheduler job's document reference |
| CVE-2024-31985 | unknown | — | — | | | | 2y ago | XWiki Platform CSRF in the job scheduler |
| CVE-2024-31984 | unknown | — | — | | | | 2y ago | XWiki Platform: Remote code execution through space title and Solr space facet |
| CVE-2024-31983 | unknown | — | — | | | | 2y ago | XWiki Platform: Remote code execution from edit in multilingual wikis via translations |
| CVE-2024-31982 | unknown | — | — | | | | 2y ago | XWiki Platform: Remote code execution as guest via DatabaseSearch |
| CVE-2024-31981 | unknown | — | — | | | | 2y ago | XWiki Platform: Privilege escalation (PR) from user registration through PDFClass |
| CVE-2024-31465 | unknown | — | — | | | | 2y ago | XWiki Platform: Remote code execution from account via SearchSuggestSourceSheet |
| CVE-2024-31464 | unknown | — | — | | | | 2y ago | XWiki Platform: Password hash might be leaked by diff once the xobject holding them is deleted |
| CVE-2024-31867 | unknown | — | — | | | | 2y ago | Apache Zeppelin: LDAP search filter query Injection Vulnerability |
| CVE-2024-31868 | unknown | — | — | | | | 2y ago | Apache Zeppelin vulnerable to cross-site scripting in the helium module |
| CVE-2024-31865 | unknown | — | — | | | | 2y ago | Apache Zeppelin: Cron arbitrary user impersonation with improper privileges |
| CVE-2024-31864 | unknown | — | — | | | | 2y ago | Apache Zeppelin remote code execution by adding malicious JDBC connection string |
| CVE-2024-31866 | unknown | — | — | | | | 2y ago | Improper escaping in Apache Zeppelin |
| CVE-2024-3046 | unknown | — | — | | | | 2y ago | Eclipse Kura LogServlet vulnerability |
| CVE-2024-31863 | unknown | — | — | | | | 2y ago | Apache Zeppelin: Replacing other users notebook, bypassing any permissions |
| CVE-2024-31862 | unknown | — | — | | | | 2y ago | Apache Zeppelin: Denial of service with invalid notebook name |
| CVE-2024-31860 | unknown | — | — | | | | 2y ago | Apache Zeppelin Path Traversal vulnerability |
| CVE-2024-1233 | unknown | — | — | | | | 2y ago | WildFly Elytron: SSRF security issue |
| CVE-2024-3366 | unknown | — | — | | | | 2y ago | Xuxueli xxl-job template injection vulnerability |
| CVE-2024-2700 | unknown | — | — | | | | 2y ago | quarkus-core leaks local environment variables from Quarkus namespace during application's build |
| CVE-2024-30261 | unknown | — | — | | | | 2y ago | Undici is an HTTP/1.1 client, written from scratch for Node.js. An attacker can alter the `integrity` option passed to `fetch()`, allowing `fetch()` to accept requests as valid even if they have been… |
| CVE-2024-30260 | unknown | — | — | | | | 2y ago | Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for `fetch()`, but did not clear them for `undici.request()`. This vulnera… |
| CVE-2024-29834 | unknown | — | — | | | | 2y ago | Apache Pulsar: Improper Authorization For Namespace and Topic Management Endpoints |
| CVE-2024-1300 | unknown | — | — | | | | 2y ago | Eclipse Vert.x vulnerable to a memory leak in TCP servers |
| CVE-2024-27609 | unknown | — | — | | | | 2y ago | Bonita cross-site scripting vulnerability |
| CVE-2024-23449 | unknown | — | — | | | | 2y ago | Elasticsearch Uncaught Exception leading to crash |
| CVE-2024-23451 | unknown | — | — | | | | 2y ago | Elasticsearch Incorrect Authorization vulnerability |
| CVE-2024-23450 | unknown | — | — | | | | 2y ago | Elasticsearch Uncontrolled Resource Consumption vulnerability |
| CVE-2024-1023 | unknown | — | — | | | | 2y ago | Eclipse Vert.x memory leak |
| CVE-2024-25421 | unknown | — | — | | | | 2y ago | Ignite Realtime Openfire privilege escalation vulnerability |
| CVE-2024-25420 | unknown | — | — | | | | 2y ago | Ignite Realtime Openfire privilege escalation vulnerability |
| CVE-2024-29025 | unknown | — | — | | | | 2y ago | Netty's HttpPostRequestDecoder can OOM |
| CVE-2024-29133 | unknown | — | — | | | | 2y ago | Apache Commons Configuration: StackOverflowError calling ListDelimiterHandler.flatten(Object, int) with a cyclical object tree |
| CVE-2024-29131 | unknown | — | — | | | | 2y ago | Apache Commons Configuration: StackOverflowError adding property in AbstractListDelimiterHandler.flattenIterator() |
| CVE-2024-29018 | unknown | — | — | | | | 2y ago | Moby is an open source container framework that is a key component of Docker Engine, Docker Desktop, and other distributions of container tooling or runtimes. Moby's networking implementation allows … |
| CVE-2024-22258 | unknown | — | — | | | | 2y ago | Improper Authentication in Spring Authorization Server |
| CVE-2024-23821 | unknown | — | — | | | | 2y ago | GeoServer's GWC Demos Page vulnerable to Stored Cross-Site Scripting (XSS) |
| CVE-2024-23819 | unknown | — | — | | | | 2y ago | GeoServer's MapML HTML Page vulnerable to Stored Cross-Site Scripting (XSS) |
| CVE-2024-23818 | unknown | — | — | | | | 2y ago | GeoServer's WMS OpenLayers Format vulnerable to Stored Cross-Site Scripting (XSS) |
| CVE-2024-23643 | unknown | — | — | | | | 2y ago | GeoServer's GWC Seed Form vulnerable to Stored Cross-Site Scripting (XSS) |
| CVE-2024-23642 | unknown | — | — | | | | 2y ago | GeoServer's Simple SVG Renderer vulnerable to Stored Cross-Site Scripting (XSS) |
| CVE-2024-23640 | unknown | — | — | | | | 2y ago | GeoServer's Style Publisher vulnerable to Stored Cross-Site Scripting (XSS) |
| CVE-2024-23634 | unknown | — | — | | | | 2y ago | GeoServer Arbitrary file renaming vulnerability in REST Coverage/Data Store API |
| CVE-2024-27439 | unknown | — | — | | | | 2y ago | Cross-Site Request Forgery in Apache Wicket |
| CVE-2024-24683 | unknown | — | — | | | | 2y ago | Improper Input Validation vulnerability in Apache Hop Engine |
| CVE-2024-24042 | unknown | — | — | | | | 2y ago | Path traversal in flaskcode Devan-Kerman ARRP |
| CVE-2024-22257 | unknown | — | — | | | | 2y ago | Erroneous authentication pass in Spring Security |
| CVE-2024-28128 | unknown | — | — | | | | 2y ago | FitNesse Cross-site Scripting vulnerability |
| CVE-2024-28125 | unknown | — | — | | | | 2y ago | FitNesse allows execution of arbitrary OS commands |
| CVE-2024-22259 | unknown | — | — | | | | 2y ago | Spring Framework URL Parsing with Host Validation Vulnerability |
| CVE-2024-23944 | unknown | — | — | | | | 2y ago | Apache ZooKeeper vulnerable to information disclosure in persistent watchers handling |
| CVE-2024-28752 | unknown | — | — | | | | 2y ago | SSRF vulnerability using the Aegis DataBinding in Apache CXF |
| CVE-2024-1979 | unknown | — | — | | | | 2y ago | In Quarkus, git credentials could be inadvertently published |
| CVE-2024-27894 | unknown | — | — | | | | 2y ago | Apache Pulsar: Pulsar Functions Worker Allows Unauthorized File Access and Unauthorized HTTP/HTTPS Proxying |
| CVE-2024-27135 | unknown | — | — | | | | 2y ago | Apache Pulsar: Improper Input Validation in Pulsar Function Worker allows Remote Code Execution |
| CVE-2024-27317 | unknown | — | — | | | | 2y ago | Apache Pulsar: Pulsar Functions Worker's Archive Extraction Vulnerability Allows Unauthorized File Modification |
| CVE-2024-28098 | unknown | — | — | | | | 2y ago | Apache Pulsar: Improper Authorization For Topic-Level Policy Management |
| CVE-2024-28213 | unknown | — | — | | | | 2y ago | nGrinder vulnerable to unsafe Java objects deserialization |
| CVE-2024-28161 | unknown | — | — | | | | 2y ago | Jenkins Delphix Plugin has SSL/TLS certificate validation disabled by default |
| CVE-2024-2215 | unknown | — | — | | | | 2y ago | Jenkins docker-build-step Plugin Cross-Site Request Forgery vulnerability |
| CVE-2024-28159 | unknown | — | — | | | | 2y ago | Jenkins Subversion Partial Release Manager Plugin missing permission check |