2022 Security Vulnerability Report
CVE Statistics for 2022
There were 25237 security vulnerabilities (CVEs) published in 2022. In 2021 there were 21115.
The average severity was 7.2 out of 10, up by 0.1 from 2021.
The average severity was 7.2 out of 10, up by 0.1 from 2021.
Products & Vendors with the most security vulnerabilities published in 2022 Vulnerabilities may exist in multiple products or vendors
By Product
By Vendor
By Weakness
#1
XSS
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
3241
#2
Memory Corruption
The software writes data past the end, or before the beginning, of the intended buffer. Typically, this can result in corruption of data, a crash, or code execution. The software may modify an index or perform pointer arithmetic that references a memory location that is outside of the boundaries of the buffer. A subsequent write operation then produces undefined or unexpected results.
2051
#3
SQL Injection
The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.
1755
#4
Out-of-bounds Read
The software reads data past the end, or before the beginning, of the intended buffer. Typically, this can allow attackers to read sensitive information from other memory locations or cause a crash. A crash can occur when the code reads a variable amount of data and assumes that a sentinel exists to stop the read operation, such as a NUL in a string. The expected sentinel might not be located in the out-of-bounds memory, causing excessive data to be read, leading to a segmentation fault or a buffer overflow. The software may modify an index or perform pointer arithmetic that references a memory location that is outside of the boundaries of the buffer. A subsequent read operation then produces undefined or unexpected results.
779
#5
Directory traversal
The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
712
#6
Session Riding
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request. When a web server is designed to receive a request from a client without any mechanism for verifying that it was intentionally sent, then it might be possible for an attacker to trick a client into making an unintentional request to the web server which will be treated as an authentic request. This can be done via a URL, image load, XMLHttpRequest, etc. and can result in exposure of data or unintended code execution.
701
#7
Dangling pointer
Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.
685
#8
Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
546
#9
Shell injection
The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
546
#10
Unrestricted File Upload
The software allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment.
462
#11
AuthZ
The software does not perform an authorization check when an actor attempts to access a resource or perform an action.
432
#12
Classic Buffer Overflow
The program copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow. A buffer overflow condition exists when a program attempts to put more data in a buffer than it can hold, or when a program attempts to put data in a memory area outside of the boundaries of a buffer. The simplest type of error, and the most common cause of buffer overflows, is the "classic" case in which the program copies the buffer without restricting how much is copied. Other variants exist, but the existence of a classic overflow strongly suggests that the programmer is not considering even the most basic of security protections.
399
#13
NULL Pointer Dereference
A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit. NULL pointer dereference issues can occur through a number of flaws, including race conditions, and simple programming omissions.
371
#14
authentification
When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.
336
#15
AuthZ
The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.
225
#16
Race Condition
The program contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.
222
#17
Integer Overflow or Wraparound
The software performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control. An integer overflow or wraparound occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may wrap to become a very small or negative number. While this may be intended behavior in circumstances that rely on wrapping, it can have security consequences if the wrap is unexpected. This is especially the case if the integer overflow can be triggered using user-supplied inputs. This becomes security-critical when the result is used to control looping, make a security decision, or determine the offset or size in behaviors such as memory allocation, copying, concatenation, etc.
219
#18
Buffer Overflow
The software performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.
210
#19
SSRF
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. By providing URLs to unexpected hosts or ports, attackers can make it appear that the server is sending the request, possibly bypassing access controls such as firewalls that prevent the attackers from accessing the URLs directly. The server can be used as a proxy to conduct port scanning of hosts in internal networks, use other URLs such as that can access documents on the system (using file://), or use other protocols such as gopher:// or tftp://, which may provide greater control over the contents of requests.
203
#20
Improper Privilege Management
The software does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
195
#21
Use of Hard-coded Credentials
The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.
193
#22
Command Injection
The software constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
192
#23
Missing Authentication for Critical Function
The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
189
#24
Information Disclosure
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
187
#25
Incorrect Default Permissions
During installation, installed file permissions are set to allow anyone to modify those files.
176
2022 Known Exploited Vulnerabilities
These vulnerabilities may be considered some of the most dangerous vulnerabilities of 2022, because they are both known to have been exploited and have a high severity score. In fact 9 vulnerabilities scored the highest possible CVSS base score, of 10.
10.0
VMware Spring Cloud Gateway Code Injection Vulnerability
CVE-2022-22947 vulnerability in Spring Cloud Gateway, disclosed on March 3, 2022
CVE-2022-22947 vulnerability in Spring Cloud Gateway, disclosed on March 3, 2022
10.0
Debian-specific Redis Server Lua Sandbox Escape Vulnerability
CVE-2022-0543 vulnerability in Debian-specific Redis Servers, disclosed on February 18, 2022
CVE-2022-0543 vulnerability in Debian-specific Redis Servers, disclosed on February 18, 2022
10.0
GeoSolutionsGroup JAI-EXT Code Injection Vulnerability
CVE-2022-24816 vulnerability in JAI-EXT, disclosed on April 13, 2022
CVE-2022-24816 vulnerability in JAI-EXT, disclosed on April 13, 2022
10.0
Externally Controlled Reference RCE in Photo Station (QTS5.0.1)
CVE-2022-27593 vulnerability in Photo Station, disclosed on September 8, 2022
CVE-2022-27593 vulnerability in Photo Station, disclosed on September 8, 2022
10.0
Cisco Small Business RV Series Routers Stack-based Buffer Overflow Vulnerability
CVE-2022-20699 vulnerability in Small Business RV160, RV260, RV340, and RV345 Series Routers, disclosed on February 10, 2022
CVE-2022-20699 vulnerability in Small Business RV160, RV260, RV340, and RV345 Series Routers, disclosed on February 10, 2022
10.0
Cisco Small Business RV Series Routers Stack-based Buffer Overflow Vulnerability
CVE-2022-20700 vulnerability in Small Business RV160, RV260, RV340, and RV345 Series Routers, disclosed on February 10, 2022
CVE-2022-20700 vulnerability in Small Business RV160, RV260, RV340, and RV345 Series Routers, disclosed on February 10, 2022
10.0
Cisco Small Business RV Series Routers Stack-based Buffer Overflow Vulnerability
CVE-2022-20708 vulnerability in Small Business RV160, RV260, RV340, and RV345 Series Routers, disclosed on February 10, 2022
CVE-2022-20708 vulnerability in Small Business RV160, RV260, RV340, and RV345 Series Routers, disclosed on February 10, 2022
10.0
Cisco Small Business RV Series Routers Stack-based Buffer Overflow Vulnerability
CVE-2022-20701 vulnerability in Small Business RV160, RV260, RV340, and RV345 Series Routers, disclosed on February 10, 2022
CVE-2022-20701 vulnerability in Small Business RV160, RV260, RV340, and RV345 Series Routers, disclosed on February 10, 2022
10.0
Cisco Small Business RV Series Routers Stack-based Buffer Overflow Vulnerability
CVE-2022-20703 vulnerability in Small Business RV160, RV260, RV340, and RV345 Series Routers, disclosed on February 10, 2022
CVE-2022-20703 vulnerability in Small Business RV160, RV260, RV340, and RV345 Series Routers, disclosed on February 10, 2022
9.8
Cacti Remote Agent Command Injection (poller_item) fixed in 1.2.23
CVE-2022-46169 vulnerability in Cacti, disclosed on December 5, 2022
CVE-2022-46169 vulnerability in Cacti, disclosed on December 5, 2022
9.8
VMware Tanzu Spring Cloud Function Remote Code Execution Vulnerability
CVE-2022-22963 vulnerability in Spring Cloud, disclosed on April 1, 2022
CVE-2022-22963 vulnerability in Spring Cloud, disclosed on April 1, 2022
9.8
F5 BIG-IP Missing Authentication Vulnerability
CVE-2022-1388 vulnerability in BIG-IP, disclosed on May 5, 2022
CVE-2022-1388 vulnerability in BIG-IP, disclosed on May 5, 2022
9.8
Zyxel Multiple Firewalls OS Command Injection Vulnerability
CVE-2022-30525 vulnerability in Multiple Firewalls, disclosed on May 12, 2022
CVE-2022-30525 vulnerability in Multiple Firewalls, disclosed on May 12, 2022
9.8
VMware Workspace ONE Access and Identity Manager Server-Side Template Injection Vulnerability
CVE-2022-22954 vulnerability in Workspace ONE Access and Identity Manager, disclosed on April 11, 2022
CVE-2022-22954 vulnerability in Workspace ONE Access and Identity Manager, disclosed on April 11, 2022
9.8
Sophos Firewall Authentication Bypass Vulnerability
CVE-2022-1040 vulnerability in Firewall , disclosed on March 25, 2022
CVE-2022-1040 vulnerability in Firewall , disclosed on March 25, 2022
9.8
Apache APISIX Authentication Bypass Vulnerability
CVE-2022-24112 vulnerability in APISIX, disclosed on February 11, 2022
CVE-2022-24112 vulnerability in APISIX, disclosed on February 11, 2022
9.8
WSO2 Multiple Products Unrestrictive Upload of File Vulnerability
CVE-2022-29464 vulnerability in Multiple Products, disclosed on April 18, 2022
CVE-2022-29464 vulnerability in Multiple Products, disclosed on April 18, 2022
9.8
Spring Framework JDK 9+ Remote Code Execution Vulnerability
CVE-2022-22965 vulnerability in Spring Framework, disclosed on April 1, 2022
CVE-2022-22965 vulnerability in Spring Framework, disclosed on April 1, 2022
9.8
Fortinet FortiOS/Proxy/SwitchMgr Auth Bypass v7.0.0-7.2.1 via alt path
CVE-2022-40684 vulnerability in Multiple Products, disclosed on October 18, 2022
CVE-2022-40684 vulnerability in Multiple Products, disclosed on October 18, 2022
9.8
Confluence Server and Data Center Remote Code Execution Vulnerability
CVE-2022-26134 vulnerability in Confluence Server/Data Center, disclosed on June 3, 2022
CVE-2022-26134 vulnerability in Confluence Server/Data Center, disclosed on June 3, 2022
9.8
Oracle Web Applications Desktop Integrator <12.2.11 Unauth Remote RCE via Upload
CVE-2022-21587 vulnerability in E-Business Suite, disclosed on October 18, 2022
CVE-2022-21587 vulnerability in E-Business Suite, disclosed on October 18, 2022
9.8
GLPI <=10.0.2 PHP code injection via htmLawed module
CVE-2022-35914 vulnerability in GLPI, disclosed on September 19, 2022
CVE-2022-35914 vulnerability in GLPI, disclosed on September 19, 2022
9.8
SolarView Compact Command Injection Vulnerability
CVE-2022-29303 vulnerability in Compact, disclosed on May 12, 2022
CVE-2022-29303 vulnerability in Compact, disclosed on May 12, 2022
9.8
Apache CouchDB Insecure Default Initialization of Resource Vulnerability
CVE-2022-24706 vulnerability in CouchDB, disclosed on April 26, 2022
CVE-2022-24706 vulnerability in CouchDB, disclosed on April 26, 2022
9.8
Zimbra C7 RCE via mboximport Zip Extraction Auth Bypass (pre-8.8.15/9.0)
CVE-2022-37042 vulnerability in Collaboration, disclosed on August 12, 2022
CVE-2022-37042 vulnerability in Collaboration, disclosed on August 12, 2022
9.8
Atlassian Questions For Confluence App Hard-coded Credentials Vulnerability
CVE-2022-26138 vulnerability in Confluence, disclosed on July 20, 2022
CVE-2022-26138 vulnerability in Confluence, disclosed on July 20, 2022
9.8
dotCMS Unrestricted Upload of File Vulnerability
CVE-2022-26352 vulnerability in dotCMS, disclosed on July 17, 2022
CVE-2022-26352 vulnerability in dotCMS, disclosed on July 17, 2022
9.8
Oracle Fusion Middleware Unspecified Vulnerability
CVE-2021-35587 vulnerability in Fusion Middleware, disclosed on January 19, 2022
CVE-2021-35587 vulnerability in Fusion Middleware, disclosed on January 19, 2022
9.8
D-Link Multiple Routers Remote Code Execution Vulnerability
CVE-2021-45382 vulnerability in Multiple Routers, disclosed on February 17, 2022
CVE-2021-45382 vulnerability in Multiple Routers, disclosed on February 17, 2022
9.8
Zoho ManageEngine Multiple Products Remote Code Execution Vulnerability
CVE-2022-35405 vulnerability in ManageEngine, disclosed on July 19, 2022
CVE-2022-35405 vulnerability in ManageEngine, disclosed on July 19, 2022
9.8
Zimbra (ZCS) 8.8.15/9.0 File Upload via amavis Cpio Loophole
CVE-2022-41352 vulnerability in Collaboration (ZCS), disclosed on September 26, 2022
CVE-2022-41352 vulnerability in Collaboration (ZCS), disclosed on September 26, 2022
9.8
SAP Multiple Products HTTP Request Smuggling Vulnerability
CVE-2022-22536 vulnerability in Multiple Products, disclosed on February 9, 2022
CVE-2022-22536 vulnerability in Multiple Products, disclosed on February 9, 2022
9.8
Adobe Commerce and Magento Open Source Improper Input Validation Vulnerability
CVE-2022-24086 vulnerability in Commerce and Magento Open Source, disclosed on February 16, 2022
CVE-2022-24086 vulnerability in Commerce and Magento Open Source, disclosed on February 16, 2022
9.8
Code Injection in Sophos Firewall v19.0 MR1 and older User Portal/Webadmin
CVE-2022-3236 vulnerability in Firewall, disclosed on September 23, 2022
CVE-2022-3236 vulnerability in Firewall, disclosed on September 23, 2022
9.8
WatchGuard Firebox and XTM Appliances Arbitrary Code Execution
CVE-2022-26318 vulnerability in Firebox and XTM Appliances, disclosed on March 4, 2022
CVE-2022-26318 vulnerability in Firebox and XTM Appliances, disclosed on March 4, 2022
9.8
Cmd Injection in D-Link DSL-2750B login.cgi (before 1.05)
CVE-2016-20017 vulnerability in DSL-2750B Devices, disclosed on October 19, 2022
CVE-2016-20017 vulnerability in DSL-2750B Devices, disclosed on October 19, 2022
9.8
Oracle JDeveloper Remote Code Execution Vulnerability
CVE-2022-21445 vulnerability in JDeveloper, disclosed on April 19, 2022
CVE-2022-21445 vulnerability in JDeveloper, disclosed on April 19, 2022
9.8
MiCollab, MiVoice Business Express Access Control Vulnerability
CVE-2022-26143 vulnerability in MiCollab, MiVoice Business Express, disclosed on March 10, 2022
CVE-2022-26143 vulnerability in MiCollab, MiVoice Business Express, disclosed on March 10, 2022
9.8
Mitel MiVoice Connect Data Validation Vulnerability
CVE-2022-29499 vulnerability in MiVoice Connect, disclosed on April 26, 2022
CVE-2022-29499 vulnerability in MiVoice Connect, disclosed on April 26, 2022
9.8
D-Link DIR-820L Remote Code Execution Vulnerability
CVE-2022-26258 vulnerability in DIR-820L, disclosed on March 28, 2022
CVE-2022-26258 vulnerability in DIR-820L, disclosed on March 28, 2022
9.8
D-Link Go-RT-AC750 Buffer Overflow via cgibin, hnap_main
CVE-2022-37055 vulnerability in Routers, disclosed on August 28, 2022
CVE-2022-37055 vulnerability in Routers, disclosed on August 28, 2022
9.8
Veeam Backup & Replication Remote Code Execution Vulnerability
CVE-2022-26501 vulnerability in Backup & Replication, disclosed on March 17, 2022
CVE-2022-26501 vulnerability in Backup & Replication, disclosed on March 17, 2022
9.8
NUUO NVRmini 2 Devices Missing Authentication Vulnerability
CVE-2022-23227 vulnerability in NVRmini2 Devices, disclosed on January 14, 2022
CVE-2022-23227 vulnerability in NVRmini2 Devices, disclosed on January 14, 2022
9.8
Unauthenticated Remote Arbitrary Code Execution (CVE-2022-27518)
CVE-2022-27518 vulnerability in Application Delivery Controller (ADC) and Gateway, disclosed on December 13, 2022
CVE-2022-27518 vulnerability in Application Delivery Controller (ADC) and Gateway, disclosed on December 13, 2022
9.8
Trend Micro Apex Central Arbitrary File Upload Vulnerability
CVE-2022-26871 vulnerability in Apex Central , disclosed on March 29, 2022
CVE-2022-26871 vulnerability in Apex Central , disclosed on March 29, 2022
9.8
Netwrix Auditor RCE via USER ACTIVITY VIDEO RECORDB protocol abuse
CVE-2022-31199 vulnerability in Auditor, disclosed on November 8, 2022
CVE-2022-31199 vulnerability in Auditor, disclosed on November 8, 2022
9.8
Apple Memory Corruption Vulnerability
CVE-2022-22587 vulnerability in iOS and macOS, disclosed on March 18, 2022
CVE-2022-22587 vulnerability in iOS and macOS, disclosed on March 18, 2022
9.6
Firefox <97.0.2: WebGPU IPC UAF Sandbox Escape
CVE-2022-26486 vulnerability in Firefox, disclosed on December 22, 2022
CVE-2022-26486 vulnerability in Firefox, disclosed on December 22, 2022
9.6
Google Chrome <105.0.5195.102: Mojo Sandbox Escape via Crafted HTML
CVE-2022-3075 vulnerability in Chromium, disclosed on September 26, 2022
CVE-2022-3075 vulnerability in Chromium, disclosed on September 26, 2022
9.6
Heap Buffer Overflow in GPU in Chrome <107 allowing Sandbox Escape
CVE-2022-4135 vulnerability in Chrome, disclosed on November 25, 2022
CVE-2022-4135 vulnerability in Chrome, disclosed on November 25, 2022
9.1
Zabbix Frontend Authentication Bypass Vulnerability
CVE-2022-23131 vulnerability in Frontend, disclosed on January 13, 2022
CVE-2022-23131 vulnerability in Frontend, disclosed on January 13, 2022
8.8
Arbitrary Code Exec via API in Atlassian Bitbucket <=8.3.1
CVE-2022-36804 vulnerability in Bitbucket Server and Data Center, disclosed on August 25, 2022
CVE-2022-36804 vulnerability in Bitbucket Server and Data Center, disclosed on August 25, 2022
8.8
Oct 2022: Microsoft Exchange Server Elevation of Privilege Vulnerability
CVE-2022-41040 vulnerability in Exchange Server, disclosed on October 3, 2022
CVE-2022-41040 vulnerability in Exchange Server, disclosed on October 3, 2022
8.8
Nov 2022: Microsoft Exchange Server Elevation of Privilege Vulnerability
CVE-2022-41080 vulnerability in Exchange Server, disclosed on November 9, 2022
CVE-2022-41080 vulnerability in Exchange Server, disclosed on November 9, 2022
8.8
Apache Spark Command Injection Vulnerability
CVE-2022-33891 vulnerability in Spark, disclosed on July 18, 2022
CVE-2022-33891 vulnerability in Spark, disclosed on July 18, 2022
8.8
May 2022: Active Directory Domain Services Elevation of Privilege Vulnerability
CVE-2022-26923 vulnerability in Active Directory, disclosed on May 10, 2022
CVE-2022-26923 vulnerability in Active Directory, disclosed on May 10, 2022
8.8
Google Chromium V8 Type Confusion Vulnerability
CVE-2022-1096 vulnerability in Chromium V8, disclosed on July 23, 2022
CVE-2022-1096 vulnerability in Chromium V8, disclosed on July 23, 2022
8.8
Google Chrome Use-After-Free Vulnerability
CVE-2022-0609 vulnerability in Chrome, disclosed on April 5, 2022
CVE-2022-0609 vulnerability in Chrome, disclosed on April 5, 2022
8.8
Nov 2022: Windows Scripting Languages Remote Code Execution Vulnerability
CVE-2022-41128 vulnerability in Windows, disclosed on November 9, 2022
CVE-2022-41128 vulnerability in Windows, disclosed on November 9, 2022
8.8
Command Exec via Backup Config in D-Link DNR-322L <=2.60B15
CVE-2022-40799 vulnerability in DNR-322L, disclosed on November 29, 2022
CVE-2022-40799 vulnerability in DNR-322L, disclosed on November 29, 2022
8.8
UAF in Chrome Network Service before 105.0.5195.52
CVE-2022-3038 vulnerability in Chrome, disclosed on September 26, 2022
CVE-2022-3038 vulnerability in Chrome, disclosed on September 26, 2022
8.8
Arm Mali GPU Kernel Driver Unprivileged Freed Mem Access (CVE-2022-38181)
CVE-2022-38181 vulnerability in Mali Graphics Processing Unit (GPU), disclosed on October 25, 2022
CVE-2022-38181 vulnerability in Mali Graphics Processing Unit (GPU), disclosed on October 25, 2022
8.8
Veeam Backup & Replication Remote Code Execution Vulnerability
CVE-2022-26500 vulnerability in Backup & Replication, disclosed on March 17, 2022
CVE-2022-26500 vulnerability in Backup & Replication, disclosed on March 17, 2022
8.8
V8 Turbofan Type Confusion in Google Chrome <100.0.4896.127
CVE-2022-1364 vulnerability in Chromium V8 Engine, disclosed on July 26, 2022
CVE-2022-1364 vulnerability in Chromium V8 Engine, disclosed on July 26, 2022
8.8
WatchGuard Firebox and XTM Privilege Escalation Vulnerability
CVE-2022-23176 vulnerability in Firebox and XTM, disclosed on February 24, 2022
CVE-2022-23176 vulnerability in Firebox and XTM, disclosed on February 24, 2022
8.8
Firefox <97 + ESR <91.6.1 - XSLT Param Removal UAF
CVE-2022-26485 vulnerability in Firefox, disclosed on December 22, 2022
CVE-2022-26485 vulnerability in Firefox, disclosed on December 22, 2022
8.8
Google Chrome <108 V8 TypeConfusion Heap Corruption
CVE-2022-4262 vulnerability in Chromium V8 Engine, disclosed on December 2, 2022
CVE-2022-4262 vulnerability in Chromium V8 Engine, disclosed on December 2, 2022
8.8
Google Chromium V8 Use-After-Free Vulnerability
CVE-2021-4102 vulnerability in Chromium V8 Engine, disclosed on February 11, 2022
CVE-2021-4102 vulnerability in Chromium V8 Engine, disclosed on February 11, 2022
8.8
Apple Webkit Remote Code Execution Vulnerability
CVE-2022-22620 vulnerability in Webkit, disclosed on March 18, 2022
CVE-2022-22620 vulnerability in Webkit, disclosed on March 18, 2022
8.8
Chrome WebRTC Heap Overflow <103.0.5060.114
CVE-2022-2294 vulnerability in WebRTC, disclosed on July 28, 2022
CVE-2022-2294 vulnerability in WebRTC, disclosed on July 28, 2022
8.8
Chrome V8 Heap Corruption CVE-2022-3723 <107
CVE-2022-3723 vulnerability in Chromium V8 Engine, disclosed on November 1, 2022
CVE-2022-3723 vulnerability in Chromium V8 Engine, disclosed on November 1, 2022
8.8
Apple WebKit Type Confusion -> Exec (iOS <15.1)
CVE-2022-42856 vulnerability in iOS, disclosed on December 15, 2022
CVE-2022-42856 vulnerability in iOS, disclosed on December 15, 2022
8.8
Owl Labs Meeting Owl Use of Hard-coded Credentials Vulnerability
CVE-2022-31462 vulnerability in Meeting Owl, disclosed on June 2, 2022
CVE-2022-31462 vulnerability in Meeting Owl, disclosed on June 2, 2022
8.8
OWB Write in Safari WebKit <15.6.1: Arbitrary Code Exec
CVE-2022-32893 vulnerability in iOS and macOS, disclosed on August 24, 2022
CVE-2022-32893 vulnerability in iOS and macOS, disclosed on August 24, 2022
8.6
Palo Alto PAN-OS URL Filtering Misconfig Enables RDoS Attack
CVE-2022-0028 vulnerability in PAN-OS, disclosed on August 10, 2022
CVE-2022-0028 vulnerability in PAN-OS, disclosed on August 10, 2022
8.4
Linux Kernel Heap-Based Buffer Overflow
CVE-2022-0185 vulnerability in Kernel, disclosed on February 11, 2022
CVE-2022-0185 vulnerability in Kernel, disclosed on February 11, 2022
8.4
Qualcomm Multiple Chipsets Use-After-Free Vulnerability
CVE-2022-22071 vulnerability in Multiple Chipsets, disclosed on June 14, 2022
CVE-2022-22071 vulnerability in Multiple Chipsets, disclosed on June 14, 2022
8.1
May 2022: Windows LSA Spoofing Vulnerability
CVE-2022-26925 vulnerability in Windows, disclosed on May 10, 2022
CVE-2022-26925 vulnerability in Windows, disclosed on May 10, 2022
8.0
Oct 2022: Microsoft Exchange Server Remote Code Execution Vulnerability
CVE-2022-41082 vulnerability in Exchange Server, disclosed on October 3, 2022
CVE-2022-41082 vulnerability in Exchange Server, disclosed on October 3, 2022
7.8
Jun 2022: Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability
CVE-2022-30190 vulnerability in Windows, disclosed on June 1, 2022
CVE-2022-30190 vulnerability in Windows, disclosed on June 1, 2022
7.8
Red Hat Polkit Out-of-Bounds Read and Write Vulnerability
CVE-2021-4034 vulnerability in Polkit, disclosed on January 28, 2022
CVE-2021-4034 vulnerability in Polkit, disclosed on January 28, 2022
7.8
Feb 2022: Windows Runtime Remote Code Execution Vulnerability
CVE-2022-21971 vulnerability in Windows, disclosed on February 9, 2022
CVE-2022-21971 vulnerability in Windows, disclosed on February 9, 2022
7.8
Linux Kernel Privilege Escalation Vulnerability
CVE-2022-0847 vulnerability in Kernel, disclosed on March 10, 2022
CVE-2022-0847 vulnerability in Kernel, disclosed on March 10, 2022
7.8
VMware Multiple Products Privilege Escalation Vulnerability
CVE-2022-22960 vulnerability in Multiple Products, disclosed on April 13, 2022
CVE-2022-22960 vulnerability in Multiple Products, disclosed on April 13, 2022
7.8
Feb 2022: Windows Print Spooler Elevation of Privilege Vulnerability
CVE-2022-21999 vulnerability in Windows, disclosed on February 9, 2022
CVE-2022-21999 vulnerability in Windows, disclosed on February 9, 2022
7.8
Apple Bonjour mDNSResponder.exe DLL Sideloading Vulnerability CVE-2022-23748
CVE-2022-23748 vulnerability in Dante Discovery, disclosed on November 17, 2022
CVE-2022-23748 vulnerability in Dante Discovery, disclosed on November 17, 2022
7.8
Sep 2022: Windows Common Log File System Driver Elevation of Privilege Vulnerability
CVE-2022-37969 vulnerability in Windows, disclosed on September 13, 2022
CVE-2022-37969 vulnerability in Windows, disclosed on September 13, 2022
7.8
Apr 2022: Windows Common Log File System Driver Elevation of Privilege Vulnerability
CVE-2022-24521 vulnerability in Windows, disclosed on April 15, 2022
CVE-2022-24521 vulnerability in Windows, disclosed on April 15, 2022
7.8
Feb 2022: Windows Print Spooler Elevation of Privilege Vulnerability
CVE-2022-22718 vulnerability in Windows, disclosed on February 9, 2022
CVE-2022-22718 vulnerability in Windows, disclosed on February 9, 2022
7.8
Red Hat Polkit Incorrect Authorization Vulnerability
CVE-2021-3560 vulnerability in Polkit, disclosed on February 16, 2022
CVE-2021-3560 vulnerability in Polkit, disclosed on February 16, 2022
7.8
Oct 2022: Windows Print Spooler Elevation of Privilege Vulnerability
CVE-2022-38028 vulnerability in Windows, disclosed on October 11, 2022
CVE-2022-38028 vulnerability in Windows, disclosed on October 11, 2022
7.8
Aug 2022: Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability
CVE-2022-34713 vulnerability in Windows, disclosed on August 9, 2022
CVE-2022-34713 vulnerability in Windows, disclosed on August 9, 2022
7.8
Nov 2022: Windows Print Spooler Elevation of Privilege Vulnerability
CVE-2022-41073 vulnerability in Windows, disclosed on November 9, 2022
CVE-2022-41073 vulnerability in Windows, disclosed on November 9, 2022
7.8
Oct 2022: Windows COM+ Event System Service Elevation of Privilege Vulnerability
CVE-2022-41033 vulnerability in Windows COM+ Event System Service, disclosed on October 11, 2022
CVE-2022-41033 vulnerability in Windows COM+ Event System Service, disclosed on October 11, 2022
7.8
Jul 2022: Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerability
CVE-2022-22047 vulnerability in Windows, disclosed on July 12, 2022
CVE-2022-22047 vulnerability in Windows, disclosed on July 12, 2022
7.8
Apple macOS Out-of-Bounds Write Vulnerability
CVE-2022-22675 vulnerability in macOS, disclosed on May 26, 2022
CVE-2022-22675 vulnerability in macOS, disclosed on May 26, 2022
7.8
Nov 2022: Windows CNG Key Isolation Service Elevation of Privilege Vulnerability
CVE-2022-41125 vulnerability in Windows, disclosed on November 9, 2022
CVE-2022-41125 vulnerability in Windows, disclosed on November 9, 2022
7.8
Apple macOS/iOS Kernel Priv Escalation (Bounds Check Bypass) before 12.6/15.7
CVE-2022-32917 vulnerability in iOS, iPadOS, and macOS, disclosed on September 20, 2022
CVE-2022-32917 vulnerability in iOS, iPadOS, and macOS, disclosed on September 20, 2022
7.8
CVE-2022-20775: Privilege Escalation via Improper CLI Access in Cisco SD-Wan
CVE-2022-20775 vulnerability in SD-WAN, disclosed on September 30, 2022
CVE-2022-20775 vulnerability in SD-WAN, disclosed on September 30, 2022
7.8
Apple IOS/iPadOS/macos Kernel OOB Write Kernel Exec (before 15.6.1/12.5.1)
CVE-2022-32894 vulnerability in iOS and macOS, disclosed on August 24, 2022
CVE-2022-32894 vulnerability in iOS and macOS, disclosed on August 24, 2022
Report Last Updated: April 23, 2026