CVEs from 2022
Total
5,315
critical
critical 94
high
high 1,236
medium
medium 950
low
low 24
% Critical
1.8%
% with KEV
2.5%
% with exploit
3.3%
Top vendors
- oracle 616
- netapp 438
- microsoft 165
- omron 109
- azul 82
- schneider-electric 33
- mitsubishielectric 32
- siemens 10
Top products
- jdk 116
- jre 109
- openjdk 100
- zulu 82
- graalvm 74
- cloud_secure_agent 35
- oncommand_insight 34
- cloud_insights_acquisition_unit 34
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-24706 | critical | — | 10.0 | 4y ago | Apache CouchDB contains an insecure default initialization of resource vulnerability which can allow an attacker to escalate to administrative privileges. | |||
| CVE-2022-43939 | unknown | — | 2.5 | 1y ago | Hitachi Vantara Pentaho BA Server contains a use of non-canonical URL paths for authorization decisions vulnerability that enables an attacker to bypass authorization. | |||
| CVE-2022-43769 | unknown | — | 2.5 | 1y ago | Hitachi Vantara Pentaho BA Server contains a special element injection vulnerability that allows an attacker to inject Spring templates into properties files, allowing for arbitrary command execution. | |||
| CVE-2022-22948 | unknown | — | 2.5 | 2y ago | VMware vCenter Server contains an incorrect default file permissions vulnerability that allows a remote, privileged attacker to gain access to sensitive information. | |||
| CVE-2022-29303 | unknown | — | 2.5 | 3y ago | SolarView Compact contains a command injection vulnerability due to improper validation of input values on the send test mail console of the product's web server. | |||
| CVE-2022-35914 | unknown | — | 2.5 | 3y ago | Teclib GLPI contains a remote code execution vulnerability in the third-party library, htmlawed. | |||
| CVE-2022-28810 | unknown | — | 2.5 | 3y ago | Zoho ManageEngine ADSelfService Plus contains an unspecified vulnerability allowing for remote code execution when performing a password change or reset. | |||
| CVE-2022-47986 | unknown | — | 2.5 | 3y ago | IBM Aspera Faspex could allow a remote attacker to execute code on the system, caused by a YAML deserialization flaw. | |||
| CVE-2022-46169 | unknown | — | 2.5 | 3y ago | Cacti contains a command injection vulnerability that allows an unauthenticated user to execute code. | |||
| CVE-2022-24990 | unknown | — | 2.5 | 3y ago | TerraMaster OS contains a remote command execution vulnerability that allows an unauthenticated user to execute commands on the target endpoint. | |||
| CVE-2022-21587 | unknown | — | 2.5 | 3y ago | Oracle E-Business Suite contains an unspecified vulnerability that allows an unauthenticated attacker with network access via HTTP to compromise Oracle Web Applications Desktop Integrator. | |||
| CVE-2022-47966 | unknown | — | 2.5 | 3y ago | Multiple Zoho ManageEngine products contain an unauthenticated remote code execution vulnerability due to the usage of an outdated third-party dependency, Apache Santuario. | |||
| CVE-2022-44877 | unknown | — | 2.5 | 3y ago | CWP Control Web Panel (formerly CentOS Web Panel) contains an OS command injection vulnerability that allows remote attackers to execute commands via shell metacharacters in the login parameter. | |||
| CVE-2022-41352 | unknown | — | 2.5 | 4y ago | Synacor Zimbra Collaboration Suite (ZCS) allows an attacker to upload arbitrary files using cpio package to gain incorrect access to any other user accounts. | |||
| CVE-2022-40684 | unknown | — | 2.5 | 4y ago | Fortinet FortiOS, FortiProxy, and FortiSwitchManager contain an authentication bypass vulnerability that could allow an unauthenticated attacker to perform operations on the administrative interface … | |||
| CVE-2022-41040 | unknown | — | 2.5 | 4y ago | Microsoft Exchange Server allows for server-side request forgery. Dubbed "ProxyNotShell," this vulnerability is chainable with CVE-2022-41082 which allows for remote code execution. | |||
| CVE-2022-41082 | unknown | — | 2.5 | 4y ago | Microsoft Exchange Server contains an unspecified vulnerability that allows for authenticated remote code execution. Dubbed "ProxyNotShell," this vulnerability is chainable with CVE-2022-41040 which … | |||
| CVE-2022-36804 | unknown | — | 2.5 | 4y ago | Multiple API endpoints of Atlassian Bitbucket Server and Data Center contain a command injection vulnerability where an attacker with access to a public Bitbucket repository, or with read permissions… | |||
| CVE-2022-35405 | unknown | — | 2.5 | 4y ago | Zoho ManageEngine PAM360, Password Manager Pro, and Access Manager Plus contain an unspecified vulnerability that allows for remote code execution. | |||
| CVE-2022-24112 | unknown | — | 2.5 | 4y ago | Apache APISIX contains an authentication bypass vulnerability that allows for remote code execution. | |||
| CVE-2022-26352 | unknown | — | 2.5 | 4y ago | dotCMS ContentResource API contains an unrestricted upload of file with a dangerous type vulnerability that allows for directory traversal, in which the file is saved outside of the intended storage … | |||
| CVE-2022-26923 | unknown | — | 2.5 | 4y ago | An authenticated user could manipulate attributes on computer accounts they own or manage, and acquire a certificate from Active Directory Certificate Services that would allow for privilege escalati… | |||
| CVE-2022-22536 | unknown | — | 2.5 | 4y ago | SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server and SAP Web Dispatcher allow HTTP request smuggling. An unauthenticated attacker can pr… | |||
| CVE-2022-27925 | unknown | — | 2.5 | 4y ago | Synacor Zimbra Collaboration Suite (ZCS) contains flaw in the mboximport functionality, allowing an authenticated attacker to upload arbitrary files to perform remote code execution. This vulnerabili… | |||
| CVE-2022-37042 | unknown | — | 2.5 | 4y ago | Synacor Zimbra Collaboration Suite (ZCS) contains an authentication bypass vulnerability in MailboxImportServlet. This vulnerability was chained with CVE-2022-27925 which allows for unauthenticated r… | |||
| CVE-2022-30333 | unknown | — | 2.5 | 4y ago | RARLAB UnRAR on Linux and UNIX contains a directory traversal vulnerability, allowing an attacker to write to files during an extract (unpack) operation. | |||
| CVE-2022-33891 | unknown | — | 2.5 | 4y ago | Apache Spark contains a command injection vulnerability via Spark User Interface (UI) when Access Control Lists (ACLs) are enabled. | |||
| CVE-2022-30190 | unknown | — | 2.5 | 4y ago | A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run code … | |||
| CVE-2022-26134 | unknown | — | 2.5 | 4y ago | Atlassian Confluence Server and Data Center contain a remote code execution vulnerability that allows for an unauthenticated attacker to perform remote code execution. | |||
| CVE-2022-30525 | unknown | — | 2.5 | 4y ago | A command injection vulnerability in the CGI program of some Zyxel firewall versions could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device. | |||
| CVE-2022-1388 | unknown | — | 2.5 | 4y ago | F5 BIG-IP contains a missing authentication in critical function vulnerability which can allow for remote code execution, creation or deletion of files, or disabling services. | |||
| CVE-2022-26904 | unknown | — | 2.5 | 4y ago | Microsoft Windows User Profile Service contains an unspecified vulnerability that allows for privilege escalation. | |||
| CVE-2022-29464 | unknown | — | 2.5 | 4y ago | Multiple WSO2 products allow for unrestricted file upload, resulting in remote code execution. | |||
| CVE-2022-22960 | unknown | — | 2.5 | 4y ago | VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a privilege escalation vulnerability due to improper permissions in support scripts. | |||
| CVE-2022-22954 | unknown | — | 2.5 | 4y ago | VMware Workspace ONE Access and Identity Manager allow for remote code execution due to server-side template injection. | |||
| CVE-2022-22963 | unknown | — | 2.5 | 4y ago | When using routing functionality in VMware Tanzu's Spring Cloud Function, it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code executio… | |||
| CVE-2022-22965 | unknown | — | 2.5 | 4y ago | Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. | |||
| CVE-2022-1040 | unknown | — | 2.5 | 4y ago | An authentication bypass vulnerability in User Portal and Webadmin of Sophos Firewall allows for remote code execution. | |||
| CVE-2022-0543 | unknown | — | 2.5 | 4y ago | Redis is prone to a (Debian-specific) Lua sandbox escape, which could result in remote code execution. | |||
| CVE-2022-21999 | unknown | — | 2.5 | 4y ago | Microsoft Windows Print Spooler contains an unspecified vulnerability which can allow for privilege escalation. | |||
| CVE-2022-26318 | unknown | — | 2.5 | 4y ago | On WatchGuard Firebox and XTM appliances, an unauthenticated user can execute arbitrary code. | |||
| CVE-2022-22947 | unknown | — | 2.5 | 4y ago | Spring Cloud Gateway applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. | |||
| CVE-2022-20699 | unknown | — | 2.5 | 4y ago | A vulnerability in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: Execute arbitrary code elevate privileges, execute arbitrary … | |||
| CVE-2022-21882 | unknown | — | 2.5 | 4y ago | Microsoft Win32k contains an unspecified vulnerability that allows for privilege escalation. | |||
| CVE-2022-44268 | unknown | — | 1.0 | — | ImageMagick 7.1.0-49 is vulnerable to Information Disclosure. When it parses a PNG image (e.g., for resize), the resulting image could have embedded the content of an arbitrary. file (if the magick b… | |||
| CVE-2022-1043 | unknown | — | 1.0 | — | A flaw was found in the Linux kernel’s io_uring implementation. This flaw allows an attacker with a local account to corrupt system memory, crash the system or escalate privileges. | |||
| CVE-2022-44267 | unknown | — | 1.0 | — | ImageMagick 7.1.0-49 is vulnerable to Denial of Service. When it parses a PNG image (e.g., for resize), the convert process could be left waiting for stdin input. | |||
| CVE-2022-0995 | unknown | — | 1.0 | — | An out-of-bounds (OOB) memory write flaw was found in the Linux kernel’s watch_queue event notification subsystem. This flaw can overwrite parts of the kernel state, potentially allowing a local user… | |||
| CVE-2022-46945 | unknown | — | 1.0 | — | Nagvis before 1.9.34 was discovered to contain an arbitrary file read vulnerability via the component /core/classes/NagVisHoverUrl.php. | |||
| CVE-2022-29885 | unknown | — | 1.0 | 4y ago | The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to r… |