CVEs from 2016
Total
8,432
critical
critical 1,165
high
high 3,521
medium
medium 3,172
low
low 248
% Critical
13.8%
% with KEV
0.7%
% with exploit
6.8%
Top vendors
Top products
- phpmyadmin 3,382
- php 1,748
- squid 1,549
- samba 1,093
- drupal 868
- firefox 757
- moodle 700
- openssl 664
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2016-5295 | unknown | — | — | — | This vulnerability allows an attacker to use the Mozilla Maintenance Service to escalate privilege by having the Maintenance Service invoke the Mozilla Updater to run malicious local files. This vuln… | |||
| CVE-2016-5294 | unknown | — | — | — | The Mozilla Updater can be made to choose an arbitrary target working directory for output files resulting from the update process. This vulnerability requires local system access. Note: this issue o… | |||
| CVE-2016-5293 | unknown | — | — | — | When the Mozilla Updater is run, if the Updater's log file in the working directory points to a hardlink, data can be appended to an arbitrary local file. This vulnerability requires local system acc… | |||
| CVE-2016-8626 | unknown | — | — | — | A flaw was found in Red Hat Ceph before 0.94.9-8. The way Ceph Object Gateway handles POST object requests permits an authenticated attacker to launch a denial of service attack by sending null or sp… | |||
| CVE-2016-9579 | unknown | — | — | — | A flaw was found in the way Ceph Object Gateway would process cross-origin HTTP requests if the CORS policy was set to allow origin on a bucket. A remote unauthenticated attacker could use this flaw … | |||
| CVE-2016-5298 | unknown | — | — | — | A mechanism where disruption of the loading of a new web page can cause the previous page's favicon and SSL indicator to not be reset when the new page is loaded. Note: this issue only affects Firefo… | |||
| CVE-2016-5299 | unknown | — | — | — | A previously installed malicious Android application with same signature-level permissions as Firefox can intercept AuthTokens meant for Firefox only. Note: This issue only affects Firefox for Androi… | |||
| CVE-2016-9061 | unknown | — | — | — | A previously installed malicious Android application which defines a specific signature-level permissions used by Firefox can access API keys meant for Firefox only. Note: This issue only affects Fir… | |||
| CVE-2016-9065 | unknown | — | — | — | The location bar in Firefox for Android can be spoofed by forcing a user into fullscreen mode, blocking its exiting, and creating of a fake location bar without any user notification. Note: This issu… | |||
| CVE-2016-9069 | unknown | — | — | — | A use-after-free in nsINode::ReplaceOrInsertBefore during DOM operations resulting in potentially exploitable crashes. This vulnerability affects Firefox < 50. | |||
| CVE-2016-4975 | unknown | — | — | — | Possible CRLF injection allowing HTTP response splitting attacks for sites which use mod_userdir. This issue was mitigated by changes made in 2.4.25 and 2.2.32 which prohibit CR or LF injection into … | |||
| CVE-2016-10746 | unknown | — | — | — | libvirt-domain.c in libvirt before 1.3.1 supports virDomainGetTime API calls by guest agents with an RO connection, even though an RW connection was supposed to be required, a different vulnerability… | |||
| CVE-2016-9598 | unknown | — | — | — | libxml2, as used in Red Hat JBoss Core Services, allows context-dependent attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted XML document. NOTE: this vuln… | |||
| CVE-2016-9596 | unknown | — | — | — | libxml2, as used in Red Hat JBoss Core Services and when in recovery mode, allows context-dependent attackers to cause a denial of service (stack consumption) via a crafted XML document. NOTE: this … | |||
| CVE-2016-5287 | unknown | — | — | — | A potentially exploitable use-after-free crash during actor destruction with service workers. This issue does not affect releases earlier than Firefox 49. This vulnerability affects Firefox < 49.0.2. | |||
| CVE-2016-5288 | unknown | — | — | — | Web content could access information in the HTTP cache if e10s is disabled. This can reveal some visited URLs and the contents of those pages. This issue affects Firefox 48 and 49. This vulnerability… | |||
| CVE-2016-1000212 | unknown | — | — | — | ||||
| CVE-2016-15026 | unknown | — | — | 3y ago | dd-plist XML External Entitly vulnerability | |||
| CVE-2016-15011 | unknown | — | — | 4y ago | dssp vulnerable to Improper Restriction of XML External Entity Reference | |||
| CVE-2016-1000273 | unknown | — | — | 4y ago | Java Melody vulnerable to cross-site scripting | |||
| CVE-2016-1000027 | unknown | — | — | 4y ago | Pivotal Spring Framework contains unsafe Java deserialization methods | |||
| CVE-2016-10750 | unknown | — | — | 4y ago | Deserialization of Untrusted Data in Hazelcast | |||
| CVE-2016-7043 | unknown | — | — | 4y ago | Password in config file in KIE server | |||
| CVE-2016-9606 | unknown | — | — | 4y ago | JBoss RESTEasy vulnerable to Improper Input Validation | |||
| CVE-2016-8747 | unknown | — | — | 4y ago | Apache Tomcat allows remote attackers to read data that was intended to be associated with a different request | |||
| CVE-2016-6810 | unknown | — | — | 4y ago | Improper Neutralization of Input During Web Page Generation Apache ActiveMQ | |||
| CVE-2016-9589 | unknown | — | — | 4y ago | Red Hat Wildfly DoS | |||
| CVE-2016-6814 | unknown | — | — | 4y ago | Deserialization of Untrusted Data in Groovy | |||
| CVE-2016-11024 | unknown | — | — | 5y ago | SQL Injection in odata4j | |||
| CVE-2016-3674 | unknown | — | — | 6y ago | XML External Entity Injection in XStream | |||
| CVE-2016-8750 | unknown | — | — | 8y ago | Moderate severity vulnerability that affects org.apache.karaf:apache-karaf | |||
| CVE-2016-10726 | unknown | — | — | 8y ago | High severity vulnerability that affects org.dspace:dspace-xmlui | |||
| CVE-2016-1000345 | unknown | — | — | 8y ago | Moderate severity vulnerability that affects org.bouncycastle:bcprov-jdk14 and org.bouncycastle:bcprov-jdk15 | |||
| CVE-2016-1000344 | unknown | — | — | 8y ago | In Bouncy Castle JCE Provider the DHIES implementation allowed the use of ECB mode | |||
| CVE-2016-8609 | unknown | — | — | 8y ago | Improper Authentication in org.keycloak:keycloak-core | |||
| CVE-2016-8629 | unknown | — | — | 8y ago | Moderate severity vulnerability that affects org.keycloak:keycloak-core | |||
| CVE-2016-1000352 | unknown | — | — | 8y ago | In Bouncy Castle JCE Provider the ECIES implementation allowed the use of ECB mode | |||
| CVE-2016-1000346 | unknown | — | — | 8y ago | In Bouncy Castle JCE Provider the other party DH public key is not fully validated | |||
| CVE-2016-1000343 | unknown | — | — | 8y ago | In Bouncy Castle JCE Provider the DSA key pair generator generates a weak private key if used with default values | |||
| CVE-2016-1000342 | unknown | — | — | 8y ago | In Bouncy Castle JCE Provider ECDSA does not fully validate ASN.1 encoding of signature on verification | |||
| CVE-2016-1000341 | unknown | — | — | 8y ago | Moderate severity vulnerability that affects org.bouncycastle:bcprov-jdk14 and org.bouncycastle:bcprov-jdk15 | |||
| CVE-2016-1000340 | unknown | — | — | 8y ago | The Bouncy Castle JCE Provider carry a propagation bug | |||
| CVE-2016-1000339 | unknown | — | — | 8y ago | Moderate severity vulnerability that affects org.bouncycastle:bcprov-jdk14 and org.bouncycastle:bcprov-jdk15 | |||
| CVE-2016-1000338 | unknown | — | — | 8y ago | In Bouncy Castle JCE Provider it is possible to inject extra elements in the sequence making up the signature and still have it validate | |||
| CVE-2016-10707 | unknown | — | — | 9y ago | Denial of Service in jquery | |||
| CVE-2016-10931 | unknown | — | — | 10y ago | An issue was discovered in the openssl crate before 0.9.0 for Rust. There is an SSL/TLS man-in-the-middle vulnerability because certificate verification is off by default and there is no API for host… |