CVEs from 2024

- Total: 6,592
- Critical: 174
- High: 1,069
- Medium: 2,083
- Low: 49
- % Critical: 2.6%
- % with KEV: 2.5%
- % with exploit: 3.4%
Top products
- mbed_tls 15
- operations_analytics_log_analysis 14
- surveillance_station 12
- checkmk 10
- office 8
- profilegrid 8
- office_long_term_servicing_channel 6
- propertyhive 5
Top packages
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-4701 | unknown | — | — | | | | 2y ago | Genie Path Traversal vulnerability via File Uploads |
| CVE-2024-26579 | unknown | — | — | | | | 2y ago | Apache Inlong Deserialization of Untrusted Data vulnerability |
| CVE-2024-34517 | unknown | — | — | | | | 2y ago | Neo4j Cypher component mishandles IMMUTABLE privileges |
| CVE-2024-33748 | unknown | — | — | | | | 2y ago | MS Basic Cross-site Scripting vulnerability |
| CVE-2024-4536 | unknown | — | — | | | | 2y ago | Eclipse Dataspace Components vulnerable to OAuth2 client secret disclosure |
| CVE-2024-31636 | unknown | — | — | | | | 2y ago | LIEF obtain sensitive information via the name parameter |
| CVE-2024-34447 | unknown | — | — | | | | 2y ago | Bouncy Castle Java Cryptography API vulnerable to DNS poisoning |
| CVE-2024-30251 | unknown | — | — | | | | 2y ago | aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In affected versions an attacker can send a specially crafted POST (multipart/form-data) request. When the aiohttp serv… |
| CVE-2024-34145 | unknown | — | — | | | | 2y ago | Jenkins Script Security Plugin sandbox bypass vulnerability |
| CVE-2024-34146 | unknown | — | — | | | | 2y ago | Jenkins Git server Plugin does not perform a permission check |
| CVE-2024-4029 | unknown | — | — | | | | 2y ago | Wildfly vulnerable to denial of service |
| CVE-2024-34147 | unknown | — | — | | | | 2y ago | Jenkins Telegram Bot Plugin stores the Telegram Bot token in plaintext |
| CVE-2024-34144 | unknown | — | — | | | | 2y ago | Jenkins Script Security Plugin has sandbox bypass vulnerability involving crafted constructor bodies |
| CVE-2024-34148 | unknown | — | — | | | | 2y ago | Jenkins Subversion Partial Release Manager Plugin programmatically disables the fix for CVE-2016-3721 |
| CVE-2024-32114 | unknown | — | — | | | | 2y ago | Apache ActiveMQ's default configuration doesn't secure the API web context |
| CVE-2024-31573 | unknown | — | — | | | | 2y ago | XMLUnit for Java has Insecure Defaults when Processing XSLT Stylesheets |
| CVE-2024-32887 | unknown | — | — | | | | 2y ago | Sidekiq is simple, efficient background processing for Ruby. Sidekiq is reflected XSS vulnerability. The value of substr parameter is reflected in the response without any encoding, allowing an attac… |
| CVE-2024-1102 | unknown | — | — | | | | 2y ago | Jberet: jberet-core logging database credentials |
| CVE-2024-1726 | unknown | — | — | | | | 2y ago | Quarkus: security checks in resteasy reactive may trigger a denial of service |
| CVE-2024-28848 | unknown | — | — | | | | 2y ago | OpenMetadata vulnerable to a SpEL Injection in `GET /api/v1/policies/validation/condition/<expr>` (`GHSL-2023-236`) |
| CVE-2024-28847 | unknown | — | — | | | | 2y ago | OpenMetadata vulnerable to a SpEL Injection in `PUT /api/v1/events/subscriptions` (`GHSL-2023-251`) |
| CVE-2024-32875 | unknown | — | — | | | | 2y ago | Hugo is a static site generator. Starting in version 0.123.0 and prior to version 0.125.3, title arguments in Markdown for links and images not escaped in internal render hooks. Hugo users who are im… |
| CVE-2024-28253 | unknown | — | — | | | | 2y ago | OpenMetadata vulnerable to SpEL Injection in `PUT /api/v1/policies` (`GHSL-2023-252`) |
| CVE-2024-32656 | unknown | — | — | | | | 2y ago | Ant Media Server vulnerable to a local privilege escalation |
| CVE-2024-27349 | unknown | — | — | | | | 2y ago | Apache HugeGraph-Server: Bypass whitelist in Auth mode |
| CVE-2024-27347 | unknown | — | — | | | | 2y ago | Apache HugeGraph-Hubble: SSRF in Hubble connection page |
| CVE-2024-1681 | unknown | — | — | | | | 2y ago | flask-cors vulnerable to log injection when the log level is set to debug |
| CVE-2024-31584 | unknown | — | — | | | | 2y ago | Pytorch before v2.2.0 has an Out-of-bounds Read vulnerability via the component torch/csrc/jit/mobile/flatbuffer_loader.cpp. |
| CVE-2024-32473 | unknown | — | — | | | | 2y ago | Moby is an open source container framework that is a key component of Docker Engine, Docker Desktop, and other distributions of container tooling or runtimes. In 26.0.0, IPv6 is not disabled on netwo… |
| CVE-2024-27306 | unknown | — | — | | | | 2y ago | aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. A XSS vulnerability exists on index pages for static file handling. This vulnerability is fixed in 3.9.4. We have alway… |
| CVE-2024-31583 | unknown | — | — | | | | 2y ago | Pytorch before version v2.2.0 was discovered to contain a use-after-free vulnerability in torch/csrc/jit/mobile/interpreter.cpp. |
| CVE-2024-31580 | unknown | — | — | | | | 2y ago | PyTorch before v2.2.0 was discovered to contain a heap buffer overflow vulnerability in the component /runtime/vararg_functions.cpp. This vulnerability allows attackers to cause a Denial of Service (… |
| CVE-2024-1132 | unknown | — | — | | | | 2y ago | Keycloak path traversal vulnerability in redirection validation |
| CVE-2024-2419 | unknown | — | — | | | | 2y ago | Keycloak path traversal vulnerability in the redirect validation |
| CVE-2024-3825 | unknown | — | — | | | | 2y ago | BlazeMeter Jenkins plugin vulnerable to Cross-Site Request Forgery |
| CVE-2024-22262 | unknown | — | — | | | | 2y ago | Spring Framework URL Parsing with Host Validation |
| CVE-2024-3575 | unknown | — | — | | | | 2y ago | Cross-site Scripting (XSS) in mindsdb/mindsdb |
| CVE-2024-3772 | unknown | — | — | | | | 2y ago | Regular expression denial of service in Pydantic < 2.4.0, < 1.10.13 allows remote attackers to cause denial of service via a crafted email string. |
| CVE-2024-27309 | unknown | — | — | | | | 2y ago | Apache Kafka: Potential incorrect access control during migration from ZK mode to KRaft mode |
| CVE-2024-29903 | unknown | — | — | | | | 2y ago | Cosign provides code signing and transparency for containers and binaries. Prior to version 2.2.4, maliciously-crafted software artifacts can cause denial of service of the machine running Cosign the… |
| CVE-2024-29902 | unknown | — | — | | | | 2y ago | Cosign provides code signing and transparency for containers and binaries. Prior to version 2.2.4, a remote image with a malicious attachment can cause denial of service of the host machine running C… |
| CVE-2024-31861 | unknown | — | — | | | | 2y ago | Code injection in Apache Zeppelin Shell |
| CVE-2024-31997 | unknown | — | — | | | | 2y ago | XWiki Platform remote code execution from account through UIExtension parameters |
| CVE-2024-31996 | unknown | — | — | | | | 2y ago | XWiki Commons missing escaping of `{` in Velocity escapetool allows remote code execution |
| CVE-2024-31988 | unknown | — | — | | | | 2y ago | XWiki Platform CSRF remote code execution through the realtime HTML Converter API |
| CVE-2024-31987 | unknown | — | — | | | | 2y ago | XWiki Platform remote code execution from account via custom skins support |
| CVE-2024-31986 | unknown | — | — | | | | 2y ago | XWiki Platform CSRF remote code execution through scheduler job's document reference |
| CVE-2024-31985 | unknown | — | — | | | | 2y ago | XWiki Platform CSRF in the job scheduler |
| CVE-2024-31984 | unknown | — | — | | | | 2y ago | XWiki Platform: Remote code execution through space title and Solr space facet |
| CVE-2024-31983 | unknown | — | — | | | | 2y ago | XWiki Platform: Remote code execution from edit in multilingual wikis via translations |
| CVE-2024-31982 | unknown | — | — | | | | 2y ago | XWiki Platform: Remote code execution as guest via DatabaseSearch |
| CVE-2024-31981 | unknown | — | — | | | | 2y ago | XWiki Platform: Privilege escalation (PR) from user registration through PDFClass |
| CVE-2024-31465 | unknown | — | — | | | | 2y ago | XWiki Platform: Remote code execution from account via SearchSuggestSourceSheet |
| CVE-2024-31464 | unknown | — | — | | | | 2y ago | XWiki Platform: Password hash might be leaked by diff once the xobject holding them is deleted |
| CVE-2024-31867 | unknown | — | — | | | | 2y ago | Apache Zeppelin: LDAP search filter query Injection Vulnerability |
| CVE-2024-31865 | unknown | — | — | | | | 2y ago | Apache Zeppelin: Cron arbitrary user impersonation with improper privileges |
| CVE-2024-31868 | unknown | — | — | | | | 2y ago | Apache Zeppelin vulnerable to cross-site scripting in the helium module |
| CVE-2024-31866 | unknown | — | — | | | | 2y ago | Improper escaping in Apache Zeppelin |
| CVE-2024-31864 | unknown | — | — | | | | 2y ago | Apache Zeppelin remote code execution by adding malicious JDBC connection string |
| CVE-2024-3046 | unknown | — | — | | | | 2y ago | Eclipse Kura LogServlet vulnerability |
| CVE-2024-31862 | unknown | — | — | | | | 2y ago | Apache Zeppelin: Denial of service with invalid notebook name |
| CVE-2024-31863 | unknown | — | — | | | | 2y ago | Apache Zeppelin: Replacing other users notebook, bypassing any permissions |
| CVE-2024-31860 | unknown | — | — | | | | 2y ago | Apache Zeppelin Path Traversal vulnerability |
| CVE-2024-1233 | unknown | — | — | | | | 2y ago | WildFly Elytron: SSRF security issue |
| CVE-2024-3366 | unknown | — | — | | | | 2y ago | Xuxueli xxl-job template injection vulnerability |
| CVE-2024-2700 | unknown | — | — | | | | 2y ago | quarkus-core leaks local environment variables from Quarkus namespace during application's build |
| CVE-2024-30261 | unknown | — | — | | | | 2y ago | Undici is an HTTP/1.1 client, written from scratch for Node.js. An attacker can alter the `integrity` option passed to `fetch()`, allowing `fetch()` to accept requests as valid even if they have been… |
| CVE-2024-30260 | unknown | — | — | | | | 2y ago | Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for `fetch()`, but did not clear them for `undici.request()`. This vulnera… |
| CVE-2024-29834 | unknown | — | — | | | | 2y ago | Apache Pulsar: Improper Authorization For Namespace and Topic Management Endpoints |
| CVE-2024-1300 | unknown | — | — | | | | 2y ago | Eclipse Vert.x vulnerable to a memory leak in TCP servers |
| CVE-2024-27609 | unknown | — | — | | | | 2y ago | Bonita cross-site scripting vulnerability |
| CVE-2024-23449 | unknown | — | — | | | | 2y ago | Elasticsearch Uncaught Exception leading to crash |
| CVE-2024-23451 | unknown | — | — | | | | 2y ago | Elasticsearch Incorrect Authorization vulnerability |
| CVE-2024-23450 | unknown | — | — | | | | 2y ago | Elasticsearch Uncontrolled Resource Consumption vulnerability |
| CVE-2024-1023 | unknown | — | — | | | | 2y ago | Eclipse Vert.x memory leak |
| CVE-2024-25421 | unknown | — | — | | | | 2y ago | Ignite Realtime Openfire privilege escalation vulnerability |
| CVE-2024-25420 | unknown | — | — | | | | 2y ago | Ignite Realtime Openfire privilege escalation vulnerability |
| CVE-2024-29025 | unknown | — | — | | | | 2y ago | Netty's HttpPostRequestDecoder can OOM |
| CVE-2024-29133 | unknown | — | — | | | | 2y ago | Apache Commons Configuration: StackOverflowError calling ListDelimiterHandler.flatten(Object, int) with a cyclical object tree |
| CVE-2024-29131 | unknown | — | — | | | | 2y ago | Apache Commons Configuration: StackOverflowError adding property in AbstractListDelimiterHandler.flattenIterator() |
| CVE-2024-29018 | unknown | — | — | | | | 2y ago | Moby is an open source container framework that is a key component of Docker Engine, Docker Desktop, and other distributions of container tooling or runtimes. Moby's networking implementation allows … |
| CVE-2024-22258 | unknown | — | — | | | | 2y ago | Improper Authentication in Spring Authorization Server |
| CVE-2024-23821 | unknown | — | — | | | | 2y ago | GeoServer's GWC Demos Page vulnerable to Stored Cross-Site Scripting (XSS) |
| CVE-2024-23819 | unknown | — | — | | | | 2y ago | GeoServer's MapML HTML Page vulnerable to Stored Cross-Site Scripting (XSS) |
| CVE-2024-23818 | unknown | — | — | | | | 2y ago | GeoServer's WMS OpenLayers Format vulnerable to Stored Cross-Site Scripting (XSS) |
| CVE-2024-23643 | unknown | — | — | | | | 2y ago | GeoServer's GWC Seed Form vulnerable to Stored Cross-Site Scripting (XSS) |
| CVE-2024-23642 | unknown | — | — | | | | 2y ago | GeoServer's Simple SVG Renderer vulnerable to Stored Cross-Site Scripting (XSS) |
| CVE-2024-23640 | unknown | — | — | | | | 2y ago | GeoServer's Style Publisher vulnerable to Stored Cross-Site Scripting (XSS) |
| CVE-2024-23634 | unknown | — | — | | | | 2y ago | GeoServer Arbitrary file renaming vulnerability in REST Coverage/Data Store API |
| CVE-2024-27439 | unknown | — | — | | | | 2y ago | Cross-Site Request Forgery in Apache Wicket |
| CVE-2024-24683 | unknown | — | — | | | | 2y ago | Improper Input Validation vulnerability in Apache Hop Engine |
| CVE-2024-24042 | unknown | — | — | | | | 2y ago | Path traversal in flaskcode Devan-Kerman ARRP |
| CVE-2024-22257 | unknown | — | — | | | | 2y ago | Erroneous authentication pass in Spring Security |
| CVE-2024-28128 | unknown | — | — | | | | 2y ago | FitNesse Cross-site Scripting vulnerability |
| CVE-2024-28125 | unknown | — | — | | | | 2y ago | FitNesse allows execution of arbitrary OS commands |
| CVE-2024-22259 | unknown | — | — | | | | 2y ago | Spring Framework URL Parsing with Host Validation Vulnerability |
| CVE-2024-27351 | unknown | — | — | | | | 2y ago | In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the django.utils.text.Truncator.words() method (with html=True) and the truncatewords_html template filter are subject to a poten… |
| CVE-2024-28752 | unknown | — | — | | | | 2y ago | SSRF vulnerability using the Aegis DataBinding in Apache CXF |
| CVE-2024-23944 | unknown | — | — | | | | 2y ago | Apache ZooKeeper vulnerable to information disclosure in persistent watchers handling |
| CVE-2024-1979 | unknown | — | — | | | | 2y ago | In Quarkus, git credentials could be inadvertently published |