Skip to main content
CVE-2022-22965 CRITICAL POC KEV PATCH THREAT Act Now

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Java RCE Code Injection Tomcat Spring Framework +37
NVD
CVSS 3.1
9.8
EPSS
99.7%
CVE-2022-22963 CRITICAL POC KEV PATCH THREAT Act Now

In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Java RCE Code Injection Spring Cloud Function Banking Branch +26
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
99.9%
CVE-2022-26562 CRITICAL POC Act Now

An issue in provider/libserver/ECKrbAuth.cpp of Kopano Core <= v11.0.2.51 contains an issue which allows attackers to authenticate even if the user account or password is expired. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Groupware Core
NVD GitHub
CVSS 3.1
9.8
EPSS
2.1%
CVE-2022-24066 CRITICAL POC PATCH Act Now

The package simple-git before 3.5.0 are vulnerable to Command Injection due to an incomplete fix of [CVE-2022-24433](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-2421199) which only patches. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Command Injection Simple Git
NVD GitHub
CVSS 3.1
9.8
EPSS
4.1%
CVE-2022-24803 CRITICAL POC PATCH Act Now

Asciidoctor-include-ext is Asciidoctor’s standard include processor reimplemented as an extension. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Command Injection Asciidoctor Include Ext
NVD GitHub
CVSS 3.1
9.8
EPSS
2.7%
CVE-2022-25017 HIGH POC THREAT This Week

Hitron CHITA 7.2.2.0.3b6-CD devices contain a command injection vulnerability via the Device/DDNS ddnsUsername field. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Chita Firmware
NVD GitHub
CVSS 3.1
8.8
EPSS
29.1%
CVE-2022-1207 MEDIUM POC PATCH This Month

Out-of-bounds read in GitHub repository radareorg/radare2 prior to 5.6.8. Rated medium severity (CVSS 6.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Buffer Overflow Information Disclosure Radare2
NVD GitHub
CVSS 3.1
6.6
EPSS
0.9%
CVE-2022-21830 MEDIUM POC PATCH This Month

A blind self XSS vulnerability exists in RocketChat LiveChat <v1.9 that could allow an attacker to trick a victim pasting malicious code in their chat instance. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Livechat
NVD
CVSS 3.1
6.1
EPSS
0.8%
CVE-2022-24181 MEDIUM POC This Month

Cross-site scripting (XSS) via Host Header injection in PKP Open Journals System 2.4.8 >= 3.3 allows remote attackers to inject arbitary code via the X-Forwarded-Host Header. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Open Journal Systems
NVD GitHub Exploit-DB
CVSS 3.1
6.1
EPSS
6.1%
CVE-2022-22570 CRITICAL Act Now

A buffer overflow vulnerability found in the UniFi Door Access Reader Lite’s (UA Lite) firmware (Version 3.8.28.24 and earlier) allows a malicious actor who has gained access to a network to control. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Ubiquiti Ua Lite Firmware
NVD
CVSS 3.1
10.0
EPSS
1.0%
CVE-2022-27534 CRITICAL Act Now

Kaspersky Anti-Virus products for home and Kaspersky Endpoint Security with antivirus databases released before 12 March 2022 had a bug in a data parsing module that potentially allowed an attacker. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Anti Virus Endpoint Security Internet Security Security Cloud +2
NVD
CVSS 3.1
9.8
EPSS
3.0%
CVE-2022-27177 CRITICAL PATCH Act Now

A Python format string issue leading to information disclosure and potentially remote code execution in ConsoleMe for all versions prior to 1.2.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Python Information Disclosure Consoleme
NVD GitHub
CVSS 3.1
9.8
EPSS
2.1%
CVE-2022-24440 CRITICAL PATCH Act Now

The package cocoapods-downloader before 1.6.0, from 1.6.2 and before 1.6.3 are vulnerable to Command Injection via git argument injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Command Injection Cocoapods Downloader
NVD GitHub
CVSS 3.1
9.8
EPSS
2.7%
CVE-2022-21223 CRITICAL PATCH Act Now

The package cocoapods-downloader before 1.6.2 are vulnerable to Command Injection via hg argument injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Command Injection Cocoapods Downloader
NVD GitHub
CVSS 3.1
9.8
EPSS
1.8%
CVE-2022-21235 CRITICAL PATCH Act Now

The package github.com/masterminds/vcs before 1.13.3 are vulnerable to Command Injection via argument injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Command Injection Vcs
NVD GitHub
CVSS 3.1
9.8
EPSS
1.8%
CVE-2022-24802 CRITICAL PATCH Act Now

deepmerge-ts is a typescript library providing functionality to deep merging of javascript objects. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Deepmerge Ts
NVD GitHub
CVSS 3.1
9.8
EPSS
1.6%
CVE-2022-0489 MEDIUM POC This Month

An issue has been discovered in GitLab CE/EE affecting all versions starting with 8.15 . Rated medium severity (CVSS 5.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Gitlab
NVD
CVSS 3.1
5.7
EPSS
1.5%
CVE-2022-25158 CRITICAL Act Now

Cleartext Storage of Sensitive Information vulnerability in Mitsubishi Electric MELSEC iQ-F series FX5U(C) CPU all versions, Mitsubishi Electric MELSEC iQ-F series FX5UJ CPU all versions, Mitsubishi. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Fx5Uc Firmware Fx5Uc 32Mr Ds Ts Firmware Fx5Uc 32Mt D Firmware Fx5Uc 32Mt Dss Firmware +12
NVD
CVSS 3.1
9.1
EPSS
1.3%
CVE-2022-25157 CRITICAL Act Now

Use of Password Hash Instead of Password for Authentication vulnerability in Mitsubishi Electric MELSEC iQ-F series FX5U(C) CPU all versions, Mitsubishi Electric MELSEC iQ-F series FX5UJ CPU all. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Fx5Uc Firmware Fx5Uc 32Mr Ds Ts Firmware Fx5Uc 32Mt D Firmware Fx5Uc 32Mt Dss Firmware +12
NVD
CVSS 3.1
9.1
EPSS
2.3%
CVE-2022-26565 MEDIUM POC This Month

A cross-site scripting (XSS) vulnerability in Totaljs all versions before commit 95f54a5commit, allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Page. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Content Management System
NVD GitHub
CVSS 3.1
4.8
EPSS
0.5%
CVE-2022-21947 HIGH This Week

A Exposure of Resource to Wrong Sphere vulnerability in Rancher Desktop of SUSE allows attackers in the local network to connect to the Dashboard API (steve) to carry out arbitrary actions. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Rancher Desktop
NVD
CVSS 3.1
8.8
EPSS
0.6%
CVE-2022-0390 MEDIUM POC This Month

Improper access control in Gitlab CE/EE versions 12.7 to 14.5.4, 14.6 to 14.6.4, and 14.7 to 14.7.1 allowed for project non-members to retrieve issue details when it was linked to an item from the. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Gitlab
NVD
CVSS 3.1
4.3
EPSS
0.9%
CVE-2022-0373 MEDIUM POC This Month

Improper access control in GitLab CE/EE versions 12.4 to 14.5.4, 14.5 to 14.6.4, and 12.6 to 14.7.1 allows project non-members to retrieve the service desk email address. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Gitlab Information Disclosure
NVD
CVSS 3.1
4.3
EPSS
0.9%
CVE-2022-25159 HIGH This Week

Authentication Bypass by Capture-replay vulnerability in Mitsubishi Electric MELSEC iQ-F series FX5U(C) CPU all versions, Mitsubishi Electric MELSEC iQ-F series FX5UJ CPU all versions, Mitsubishi. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Authentication Bypass Fx5Uc Firmware Fx5Uc 32Mr Ds Ts Firmware Fx5Uc 32Mt D Firmware Fx5Uc 32Mt Dss Firmware +12
NVD
CVSS 3.1
8.1
EPSS
2.1%
CVE-2022-25156 HIGH This Week

Use of Weak Hash vulnerability in Mitsubishi Electric MELSEC iQ-F series FX5U(C) CPU all versions, Mitsubishi Electric MELSEC iQ-F series FX5UJ CPU all versions, Mitsubishi Electric MELSEC iQ-R. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Fx5Uc Firmware Fx5Uc 32Mr Ds Ts Firmware Fx5Uc 32Mt D Firmware Fx5Uc 32Mt Dss Firmware +12
NVD
CVSS 3.1
8.1
EPSS
1.2%
CVE-2022-25155 HIGH This Week

Use of Password Hash Instead of Password for Authentication vulnerability in Mitsubishi Electric MELSEC iQ-F series FX5U(C) CPU all versions, Mitsubishi Electric MELSEC iQ-F series FX5UJ CPU all. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Authentication Bypass Fx5Uc Firmware Fx5Uc 32Mr Ds Ts Firmware Fx5Uc 32Mt D Firmware Fx5Uc 32Mt Dss Firmware +12
NVD
CVSS 3.1
8.1
EPSS
2.1%
CVE-2022-26419 HIGH This Week

Omron CX-Position (versions 2.5.3 and prior) is vulnerable to multiple stack-based buffer overflow conditions while parsing a specific project file, which may allow an attacker to locally execute. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Stack Overflow Buffer Overflow Cx Position
NVD
CVSS 3.1
7.8
EPSS
2.0%
CVE-2022-26417 HIGH This Week

Omron CX-Position (versions 2.5.3 and prior) is vulnerable to a use after free memory condition while processing a specific project file, which may allow an attacker to execute arbitrary code. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Memory Corruption RCE Use After Free Cx Position
NVD
CVSS 3.1
7.8
EPSS
1.4%
CVE-2022-26022 HIGH This Week

Omron CX-Position (versions 2.5.3 and prior) is vulnerable to an out-of-bounds write while processing a specific project file, which may allow an attacker to execute arbitrary code. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Memory Corruption RCE Buffer Overflow Cx Position
NVD
CVSS 3.1
7.8
EPSS
1.4%
CVE-2022-25959 HIGH This Week

Omron CX-Position (versions 2.5.3 and prior) is vulnerable to memory corruption while processing a specific project file, which may allow an attacker to execute arbitrary code. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Buffer Overflow Cx Position
NVD
CVSS 3.1
7.8
EPSS
1.4%
CVE-2022-1098 HIGH This Week

Delta Electronics DIAEnergie (all versions prior to 1.8.02.004) are vulnerable to a DLL hijacking condition. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation Diaenergie
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVE-2022-24426 HIGH PATCH This Week

Dell Command | Update, Dell Update, and Alienware Update version 4.4.0 contains a Local Privilege Escalation Vulnerability in the Advanced Driver Restore component. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.

Privilege Escalation Dell Alienware Update Command Update Update
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVE-2022-0425 HIGH This Week

A DNS rebinding vulnerability in the Irker IRC Gateway integration in all versions of GitLab CE/EE since version 7.9 allows an attacker to trigger Server Side Request Forgery (SSRF) attacks. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF Gitlab
NVD
CVSS 3.1
7.6
EPSS
0.6%
CVE-2022-1068 HIGH PATCH This Week

Modbus Tools Modbus Slave (versions 7.4.2 and prior) is vulnerable to a stack-based buffer overflow in the registration field. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Stack Overflow Buffer Overflow Modbus Slave
NVD
CVSS 3.1
7.5
EPSS
0.9%
CVE-2022-0741 HIGH This Week

Improper input validation in all versions of GitLab CE/EE using sendmail to send emails allowed an attacker to steal environment variables via specially crafted email addresses. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Gitlab Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
1.4%
CVE-2022-22332 HIGH PATCH This Week

IBM Sterling Partner Engagement Manager 6.2.0 could allow an attacker to impersonate another user due to missing revocation mechanism for the JWT token. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

IBM Information Disclosure Partner Engagement Manager
NVD
CVSS 3.1
7.5
EPSS
0.7%
CVE-2022-22327 HIGH This Week

IBM UrbanCode Deploy (UCD) 7.0.5, 7.1.0, 7.1.1, and 7.1.2 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

IBM Information Disclosure Urbancode Deploy
NVD
CVSS 3.1
7.5
EPSS
0.7%
CVE-2022-1159 HIGH This Week

Rockwell Automation Studio 5000 Logix Designer (all versions) are vulnerable when an attacker who achieves administrator access on a workstation running Studio 5000 Logix Designer could inject. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Rockwell RCE Code Injection Controllogix 5580 Firmware Guardlogix 5580 Firmware +3
NVD
CVSS 3.1
7.2
EPSS
3.4%
CVE-2022-23155 HIGH PATCH This Week

Dell Wyse Management Suite versions 2.0 through 3.5.2 contain an unrestricted file upload vulnerability. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity.

RCE Dell File Upload Wyse Management Suite
NVD
CVSS 3.1
7.2
EPSS
1.3%
CVE-2022-22331 HIGH PATCH This Week

IBM SterlingPartner Engagement Manager 6.2.0 could allow a remote authenticated attacker to obtain sensitive information or modify user details caused by an insecure direct object vulnerability. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass IBM Partner Engagement Manager
NVD
CVSS 3.1
7.1
EPSS
0.7%
CVE-2022-23156 MEDIUM This Month

Wyse Device Agent version 14.6.1.4 and below contain an Improper Authentication vulnerability. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.

Authentication Bypass Wyse Device Agent
NVD
CVSS 3.1
6.7
EPSS
0.2%
CVE-2022-22950 MEDIUM PATCH This Month

n Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Java Spring Framework
NVD
CVSS 3.1
6.5
EPSS
35.8%
CVE-2022-0922 MEDIUM This Month

The software does not perform any authentication for critical system functionality. Rated medium severity (CVSS 6.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass E Alert Firmware
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2022-22404 MEDIUM PATCH This Month

IBM App Connect Enterprise Certified Container Dashboard UI (IBM App Connect Enterprise Certified Container 1.5, 2.0, 2.1, 3.0, and 3.1) may be vulnerable to denial of service due to excessive rate. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.

Denial Of Service IBM App Connect Enterprise Certified Container
NVD
CVSS 3.1
6.5
EPSS
0.9%
CVE-2022-22328 MEDIUM PATCH This Month

IBM SterlingPartner Engagement Manager 6.2.0 could allow a malicious user to elevate their privileges and perform unintended operations to another users data. Rated medium severity (CVSS 6.2), this vulnerability is no authentication required, low attack complexity.

IBM Information Disclosure Partner Engagement Manager
NVD
CVSS 3.1
6.2
EPSS
0.2%
CVE-2022-25160 MEDIUM This Month

Cleartext Storage of Sensitive Information vulnerability in Mitsubishi Electric MELSEC iQ-F series FX5U(C) CPU all versions, Mitsubishi Electric MELSEC iQ-F series FX5UJ CPU all versions, Mitsubishi. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Fx5Uc Firmware Fx5Uc 32Mr Ds Ts Firmware Fx5Uc 32Mt D Firmware Fx5Uc 32Mt Dss Firmware +12
NVD
CVSS 3.1
5.9
EPSS
1.1%
CVE-2022-1018 MEDIUM PATCH This Month

When opening a malicious solution file provided by an attacker, the application suffers from an XML external entity vulnerability due to an unsafe call within a dynamic link library file. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Connected Components Workbench Isagraf Safety Instrumented Systems Workstation
NVD
CVSS 3.1
5.5
EPSS
2.1%
CVE-2022-23158 MEDIUM This Month

Wyse Device Agent version 14.6.1.4 and below contain a sensitive data exposure vulnerability. Rated medium severity (CVSS 4.4), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Wyse Device Agent
NVD
CVSS 3.1
4.4
EPSS
0.7%
CVE-2022-23157 MEDIUM This Month

Wyse Device Agent version 14.6.1.4 and below contain a sensitive data exposure vulnerability. Rated medium severity (CVSS 4.4), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Wyse Device Agent
NVD
CVSS 3.1
4.4
EPSS
0.2%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy