| CVE-2022-1096 | | 0.15 | — | 0.38 | KEV | Jul 22, 2022 | Type confusion in V8 in Google Chrome prior to 99.0.4844.84 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. |
| CVE-2022-26925 | | 0.15 | — | 0.37 | KEV | May 10, 2022 | Windows LSA Spoofing Vulnerability |
| CVE-2021-27860 | | 0.15 | — | 0.43 | KEV | Dec 8, 2021 | A vulnerability in the web management interface of FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p92 and 10.2.2r44p1 allows a remote, unauthenticated attacker to upload a file to any location on the filesystem. The FatPipe advisory identifier for this vulnerability is FPSA006. |
| CVE-2021-42292 | | 0.15 | — | 0.35 | KEV | Nov 10, 2021 | Microsoft Excel Security Feature Bypass Vulnerability |
| CVE-2021-30633 | | 0.15 | — | 0.38 | KEV | Oct 8, 2021 | Use after free in Indexed DB API in Google Chrome prior to 93.0.4577.82 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. |
| CVE-2021-28550 | | 0.15 | — | 0.35 | KEV | Sep 2, 2021 | Acrobat Reader DC versions 2021.001.20150 (and earlier), 2020.001.30020 (and earlier) and 2017.011.30194 (and earlier) are affected by a Use After Free vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. |
| CVE-2021-34486 | | 0.15 | — | 0.36 | KEV | Aug 12, 2021 | Windows Event Tracing Elevation of Privilege Vulnerability |
| CVE-2021-21166 | | 0.15 | — | 0.38 | KEV | Mar 9, 2021 | Data race in audio in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. |
| CVE-2020-28949 | | 0.15 | — | 0.93 | KEV | Nov 19, 2020 | Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed. |
| CVE-2020-9934 | | 0.15 | — | 0.02 | KEV | Oct 16, 2020 | An issue existed in the handling of environment variables. This issue was addressed with improved validation. This issue is fixed in iOS 13.6 and iPadOS 13.6, macOS Catalina 10.15.6. A local user may be able to view sensitive user information. |
| CVE-2020-11899 | | 0.15 | — | 0.33 | KEV | Jun 17, 2020 | The Treck TCP/IP stack before 6.0.1.66 has an IPv6 Out-of-bounds Read. |
| CVE-2020-0968 | | 0.15 | — | 0.44 | KEV | Apr 15, 2020 | A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2020-0970. |
| CVE-2019-7286 | | 0.15 | — | 0.02 | KEV | Dec 18, 2019 | A memory corruption issue was addressed with improved input validation. This issue is fixed in iOS 12.1.4, macOS Mojave 10.14.3 Supplemental Update. An application may be able to gain elevated privileges. |
| CVE-2019-1297 | | 0.15 | — | 0.41 | KEV | Sep 11, 2019 | A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory, aka 'Microsoft Excel Remote Code Execution Vulnerability'. |
| CVE-2019-0344 | | 0.15 | — | 0.41 | KEV | Aug 14, 2019 | Due to unsafe deserialization used in SAP Commerce Cloud (virtualjdbc extension), versions 6.4, 6.5, 6.6, 6.7, 1808, 1811, 1905, it is possible to execute arbitrary code on a target machine with 'Hybris' user rights, resulting in Code Injection. |
| CVE-2010-5330 | | 0.15 | — | 0.43 | KEV | Jun 11, 2019 | On certain Ubiquiti devices, Command Injection exists via a GET request to stainfo.cgi (aka Show AP info) because the ifname variable is not sanitized, as demonstrated by shell metacharacters. The fixed version is v4.0.1 for 802.11 ISP products, v5.3.5 for AirMax ISP products, and v5.4.5 for AirSync firmware. For example, Nanostation5 (Air OS) is affected. |
| CVE-2019-0903 | | 0.15 | — | 0.34 | KEV | May 16, 2019 | A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory, aka 'GDI+ Remote Code Execution Vulnerability'. |
| CVE-2019-0863 | | 0.15 | — | 0.06 | KEV | May 16, 2019 | An elevation of privilege vulnerability exists in the way Windows Error Reporting (WER) handles files, aka 'Windows Error Reporting Elevation of Privilege Vulnerability'. |
| CVE-2018-8653 | | 0.15 | — | 0.36 | KEV | Dec 20, 2018 | A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka "Scripting Engine Memory Corruption Vulnerability." This affects Internet Explorer 9, Internet Explorer 11, Internet Explorer 10. This CVE ID is unique from CVE-2018-8643. |
| CVE-2018-15133 | | 0.15 | — | 0.84 | KEV | Aug 9, 2018 | In Laravel Framework through 5.5.40 and 5.6.x through 5.6.29, remote code execution might occur as a result of an unserialize call on a potentially untrusted X-XSRF-TOKEN value. This involves the decrypt method in Illuminate/Encryption/Encrypter.php and PendingBroadcast in gadgetchains/Laravel/RCE/3/chain.php in phpggc. The attacker must know the application key, which normally would never occur, but could happen if the attacker previously had privileged access or successfully accomplished a previous attack. |
| CVE-2018-8298 | | 0.15 | — | 0.89 | KEV | Jul 11, 2018 | A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory, aka "Scripting Engine Memory Corruption Vulnerability." This affects ChakraCore. This CVE ID is unique from CVE-2018-8242, CVE-2018-8283, CVE-2018-8287, CVE-2018-8288, CVE-2018-8291, CVE-2018-8296. |
| CVE-2026-22769 | | 0.14 | — | 0.22 | KEV | Feb 17, 2026 | Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credential vulnerability. This is considered critical as an unauthenticated remote attacker with knowledge of the hardcoded credential could potentially exploit this vulnerability leading to unauthorized access to the underlying operating system and root-level persistence. Dell recommends that customers upgrade or apply one of the remediations as soon as possible. |
| CVE-2026-21513 | | 0.14 | — | 0.31 | KEV | Feb 10, 2026 | Protection mechanism failure in MSHTML Framework allows an unauthorized attacker to bypass a security feature over a network. |
| CVE-2026-21533 | | 0.14 | — | 0.20 | KEV | Feb 10, 2026 | Improper privilege management in Windows Remote Desktop allows an authorized attacker to elevate privileges locally. |
| CVE-2025-59374 | | 0.14 | — | 0.21 | KEV | Dec 17, 2025 | "UNSUPPORTED WHEN ASSIGNED" Certain versions of the ASUS Live Update client were distributed with unauthorized modifications introduced through a supply chain compromise. The modified builds could cause devices meeting specific targeting conditions to perform unintended actions. Only devices that met these conditions and installed the compromised versions were affected. The Live Update client has already reached End-of-Support (EOS) in October 2021, and no currently supported devices or products are affected by this issue. |
| CVE-2025-20333 | | 0.14 | — | 0.31 | KEV | Sep 25, 2025 | A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an authenticated, remote attacker to execute arbitrary code on an affected device. This vulnerability is due to improper validation of user-supplied input in HTTP(S) requests. An attacker with valid VPN user credentials could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code as root, possibly resulting in the complete compromise of the affected device. |
| CVE-2025-26399 | | 0.14 | — | 0.28 | KEV | Sep 23, 2025 | SolarWinds Web Help Desk was found to be susceptible to an unauthenticated AjaxProxy deserialization remote code execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine. This vulnerability is a patch bypass of CVE-2024-28988, which in turn is a patch bypass of CVE-2024-28986. |
| CVE-2025-9377 | | 0.14 | — | 0.31 | KEV | Aug 29, 2025 | The authenticated remote command execution (RCE) vulnerability exists in the Parental Control page on TP-Link Archer C7(EU) V2 and TL-WR841N/ND(MS) V9. This issue affects Archer C7(EU) V2: before 241108 and TL-WR841N/ND(MS) V9: before 241108. Both products have reached the status of EOL (end-of-life). It is recommended to purchase the new product to ensure better performance and security. If replacement is not an option in the short term, please use the second reference link to download and install the patch(es). |
| CVE-2025-54253 | | 0.14 | — | 0.20 | KEV | Aug 5, 2025 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a Misconfiguration vulnerability that could result in arbitrary code execution. An attacker could leverage this vulnerability to bypass security mechanisms and execute code. Exploitation of this issue does not require user interaction and scope is changed. |
| CVE-2025-47813 | | 0.14 | — | 0.27 | KEV | Jul 10, 2025 | loginok.html in Wing FTP Server before 7.4.4 discloses the full local installation path of the application when using a long value in the UID cookie. |
| CVE-2025-27915 | | 0.14 | — | 0.26 | KEV | Mar 12, 2025 | An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0 and 10.1. A stored cross-site scripting (XSS) vulnerability exists in the Classic Web Client due to insufficient sanitization of HTML content in ICS files. When a user views an e-mail message containing a malicious ICS entry, its embedded JavaScript executes via an ontoggle event inside a <details> tag. This allows an attacker to run arbitrary JavaScript within the victim's session, potentially leading to unauthorized actions such as setting e-mail filters to redirect messages to an attacker-controlled address. As a result, an attacker can perform unauthorized actions on the victim's account, including e-mail redirection and data exfiltration. |
| CVE-2024-12686 | | 0.14 | — | 0.30 | KEV | Dec 18, 2024 | A vulnerability has been discovered in Privileged Remote Access (PRA) and Remote Support (RS) which can allow an attacker with existing administrative privileges to inject commands and run as a site user. |
| CVE-2024-38813 | | 0.14 | — | 0.30 | KEV | Sep 17, 2024 | The vCenter Server contains a privilege escalation vulnerability. A malicious actor with network access to vCenter Server may trigger this vulnerability to escalate privileges to root by sending a specially crafted network packet. |
| CVE-2024-7965 | | 0.14 | — | 0.24 | KEV | Aug 21, 2024 | Inappropriate implementation in V8 in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) |
| CVE-2024-38178 | | 0.14 | — | 0.30 | KEV | Aug 13, 2024 | Scripting Engine Memory Corruption Vulnerability |
| CVE-2024-41710 | | 0.14 | — | 0.20 | KEV | Aug 12, 2024 | A vulnerability in the Mitel 6800 Series, 6900 Series, and 6900w Series SIP Phones, including the 6970 Conference Unit, through R6.4.0.HF1 (R6.4.0.136) could allow an authenticated attacker with administrative privilege to conduct an argument injection attack, due to insufficient parameter sanitization during the boot process. A successful exploit could allow an attacker to execute arbitrary commands within the context of the system. |
| CVE-2024-30040 | | 0.14 | — | 0.23 | KEV | May 14, 2024 | Windows MSHTML Platform Security Feature Bypass Vulnerability |
| CVE-2024-20353 | | 0.14 | — | 0.20 | KEV | Apr 24, 2024 | A vulnerability in the management and VPN web servers for Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause the device to reload unexpectedly, resulting in a denial of service (DoS) condition. This vulnerability is due to incomplete error checking when parsing an HTTP header. An attacker could exploit this vulnerability by sending a crafted HTTP request to a targeted web server on a device. A successful exploit could allow the attacker to cause a DoS condition when the device reloads. |
| CVE-2023-49897 | | 0.14 | — | 0.24 | KEV | Dec 6, 2023 | An OS command injection vulnerability exists in AE1021PE firmware version 2.0.9 and earlier and AE1021 firmware version 2.0.9 and earlier. If this vulnerability is exploited, an arbitrary OS command may be executed by an attacker who can log in to the product. |
| CVE-2023-44221 | | 0.14 | — | 0.23 | KEV | Dec 5, 2023 | Improper neutralization of special elements in the SMA100 SSL-VPN management interface allows a remote authenticated attacker with administrative privilege to inject arbitrary commands as a 'nobody' user, potentially leading to OS Command Injection Vulnerability. |
| CVE-2023-45727 | | 0.14 | — | 0.21 | KEV | Oct 18, 2023 | Proself Enterprise/Standard Edition Ver5.62 and earlier, Proself Gateway Edition Ver1.65 and earlier, and Proself Mail Sanitize Edition Ver1.08 and earlier allow a remote unauthenticated attacker to conduct XML External Entity (XXE) attacks. By processing a specially crafted request containing malformed XML data, arbitrary files on the server containing account information may be read by the attacker. |
| CVE-2023-41993 | | 0.14 | — | 0.24 | KEV | Sep 21, 2023 | The issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14. Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7. |
| CVE-2023-29360 | | 0.14 | — | 0.30 | KEV | Jun 13, 2023 | Microsoft Streaming Service Elevation of Privilege Vulnerability |
| CVE-2023-2033 | | 0.14 | — | 0.23 | KEV | Apr 14, 2023 | Type confusion in V8 in Google Chrome prior to 112.0.5615.121 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) |
| CVE-2023-28206 | | 0.14 | — | 0.24 | KEV | Apr 10, 2023 | An out-of-bounds write issue was addressed with improved input validation. This issue is fixed in macOS Monterey 12.6.5, iOS 16.4.1 and iPadOS 16.4.1, macOS Ventura 13.3.1, iOS 15.7.5 and iPadOS 15.7.5, macOS Big Sur 11.7.6. An app may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited. |
| CVE-2022-42948 | | 0.14 | — | 0.22 | KEV | Mar 24, 2023 | Cobalt Strike 4.7.1 fails to properly escape HTML tags when they are displayed on Swing components. By injecting crafted HTML code, it is possible to remotely execute code in the Cobalt Strike UI. |
| CVE-2022-27518 | | 0.14 | — | 0.28 | KEV | Dec 13, 2022 | Unauthenticated remote arbitrary code execution |
| CVE-2022-38181 | | 0.14 | — | 0.25 | KEV | Oct 25, 2022 | The Arm Mali GPU kernel driver allows unprivileged users to access freed memory because GPU memory operations are mishandled. This affects Bifrost r0p0 through r38p1, and r39p0; Valhall r19p0 through r38p1, and r39p0; and Midgard r4p0 through r32p0. |
| CVE-2022-39197 | | 0.14 | — | 0.20 | KEV | Sep 22, 2022 | An XSS (Cross Site Scripting) vulnerability was found in HelpSystems Cobalt Strike through 4.7 that allowed a remote attacker to execute HTML on the Cobalt Strike teamserver. To exploit the vulnerability, one must first inspect a Cobalt Strike payload, and then modify the username field in the payload (or create a new payload with the extracted information and then modify that username field to be malformed). |
| CVE-2022-26871 | | 0.14 | — | 0.19 | KEV | Mar 29, 2022 | An arbitrary file upload vulnerability in Trend Micro Apex Central could allow an unauthenticated remote attacker to upload an arbitrary file which could lead to remote code execution. |