2023 Security Vulnerability Report
CVE Statistics for 2023
There were 29772 security vulnerabilities (CVEs) published in 2023. In 2022 there were 25237.
The average severity was 7.1 out of 10, which decreased by 0.1 from 2022.
Products & Vendors with the most security vulnerabilities published in 2023
Vulnerabilities may exist in multiple products or vendors.
By Weakness
#1 XSS: 4956 vulnerabilities
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
#2 SQL Injection: 2019 vulnerabilities
The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.
#3 Memory Corruption: 1748 vulnerabilities
The software writes data past the end, or before the beginning, of the intended buffer. Typically, this can result in corruption of data, a crash, or code execution. The software may modify an index or perform pointer arithmetic that references a memory location that is outside of the boundaries of the buffer. A subsequent write operation then produces undefined or unexpected results.
#4 Session Riding: 1239 vulnerabilities
The web application does not, or cannot, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request. When a web server is designed to receive a request from a client without any mechanism for verifying that it was intentionally sent, then it might be possible for an attacker to trick a client into making an unintentional request to the web server which will be treated as an authentic request. This can be done via a URL, image load, XMLHttpRequest, etc., and can result in exposure of data or unintended code execution.
#5 Out-of-bounds Read: 860 vulnerabilities
The software reads data past the end, or before the beginning, of the intended buffer. Typically, this can allow attackers to read sensitive information from other memory locations or cause a crash. A crash can occur when the code reads a variable amount of data and assumes that a sentinel exists to stop the read operation, such as a NUL in a string. The expected sentinel might not be located in the out-of-bounds memory, causing excessive data to be read, leading to a segmentation fault or a buffer overflow. The software may modify an index or perform pointer arithmetic that references a memory location that is outside of the boundaries of the buffer. A subsequent read operation then produces undefined or unexpected results.
#6 AuthZ (missing authorization check): 784 vulnerabilities
The software does not perform an authorization check when an actor attempts to access a resource or perform an action.
#7 Directory traversal: 730 vulnerabilities
The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
#8 Dangling pointer: 519 vulnerabilities
Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.
#9 Unrestricted File Upload: 508 vulnerabilities
The software allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment.
#10 Shell injection: 504 vulnerabilities
The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
#11 Classic Buffer Overflow: 503 vulnerabilities
The program copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow. A buffer overflow condition exists when a program attempts to put more data in a buffer than it can hold, or when a program attempts to put data in a memory area outside of the boundaries of a buffer. The simplest type of error, and the most common cause of buffer overflows, is the "classic" case in which the program copies the buffer without restricting how much is copied. Other variants exist, but the existence of a classic overflow strongly suggests that the programmer is not considering even the most basic of security protections.
#12 Command Injection: 452 vulnerabilities
The software constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
#13 Improper Input Validation: 412 vulnerabilities
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
#14 Authentication: 326 vulnerabilities
When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.
#15 AuthZ (incorrect authorization check): 305 vulnerabilities
The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.
#16 Code Injection: 272 vulnerabilities
The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
#17 Marshaling, Unmarshaling: 247 vulnerabilities
The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
#18 NULL Pointer Dereference: 235 vulnerabilities
A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit. NULL pointer dereference issues can occur through a number of flaws, including race conditions, and simple programming omissions.
#19 Resource Exhaustion: 227 vulnerabilities
The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.
#20 SSRF: 211 vulnerabilities
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. By providing URLs to unexpected hosts or ports, attackers can make it appear that the server is sending the request, possibly bypassing access controls such as firewalls that prevent the attackers from accessing the URLs directly. The server can be used as a proxy to conduct port scanning of hosts in internal networks, to reach URL schemes that access documents on the local system (such as file://), or to use other protocols such as gopher:// or tftp://, which may provide greater control over the contents of requests.
#21 Integer Overflow or Wraparound: 205 vulnerabilities
The software performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control. An integer overflow or wraparound occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may wrap to become a very small or negative number. While this may be intended behavior in circumstances that rely on wrapping, it can have security consequences if the wrap is unexpected. This is especially the case if the integer overflow can be triggered using user-supplied inputs. This becomes security-critical when the result is used to control looping, make a security decision, or determine the offset or size in behaviors such as memory allocation, copying, concatenation, etc.
#22 Improper Privilege Management: 198 vulnerabilities
The software does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
#23 Open Redirect: 176 vulnerabilities
A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect. This simplifies phishing attacks. An HTTP parameter may contain a URL value and could cause the web application to redirect the request to the specified URL. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts have a more trustworthy appearance.
#24 Exposure of Resource to Wrong Sphere: 175 vulnerabilities
The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
#25 Use of Hard-coded Credentials: 169 vulnerabilities
The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.
2023 Known Exploited Vulnerabilities
These vulnerabilities may be considered some of the most dangerous vulnerabilities of 2023, because they are both known to have been exploited and have a high severity score. In fact, 4 vulnerabilities scored the highest possible CVSS base score of 10.0.
10.0
WS_FTP Server <8.7.4/8.8.2 .NET Deserialization Enables Remote Cmd Exec
CVE-2023-40044 vulnerability in WS_FTP Server, disclosed on September 27, 2023
10.0
Apache ActiveMQ RCE via OpenWire Marshaller (before 5.18.3)
CVE-2023-46604 vulnerability in ActiveMQ, disclosed on October 27, 2023
10.0
ownCloud GraphAPI 0.2.x/0.3.x PHPinfo Disclosure
CVE-2023-49103 vulnerability in ownCloud graphapi, disclosed on November 21, 2023
10.0
Cisco IOS XE WebUI Local User Creation & Privilege Escalation CVE-2023-20198
CVE-2023-20198 vulnerability in IOS XE Web UI, disclosed on October 16, 2023
9.8
CWP before 0.9.8.1147 RCE via login param shell metacharacters
CVE-2022-44877 vulnerability in Control Web Panel, disclosed on January 5, 2023
9.8
BIG-IP config util auth bypass allows RCE via mgmt port
CVE-2023-46747 vulnerability in BIG-IP Configuration Utility, disclosed on October 26, 2023
9.8
Ivanti MobileIron Sentry 9.18.0 Auth Bypass via Apache HTTPD Config
CVE-2023-38035 vulnerability in Sentry, disclosed on August 21, 2023
9.8
NextGen Healthcare Mirth Connect: Unauth RCE via CVE-2023-43208 (v<4.4.1)
CVE-2023-43208 vulnerability in Mirth Connect, disclosed on October 26, 2023
9.8
TerraMaster NAS <=4.2.29 Remote Admin Password Disclosure via API
CVE-2022-24990 vulnerability in TerraMaster OS, disclosed on February 7, 2023
9.8
ShareFile Storage Zones RCE via Unauthenticated Remote Access
CVE-2023-24489 vulnerability in Content Collaboration, disclosed on July 10, 2023
9.8
Remote Command Execution in RocketMQ 5.1.0 via Unauthenticated UpdateConfig
CVE-2023-33246 vulnerability in RocketMQ, disclosed on May 24, 2023
9.8
RCE via XMLSec XSLT in Zoho ManageEngine (various onprem)
CVE-2022-47966 vulnerability in ManageEngine, disclosed on January 18, 2023
9.8
Jun 2023: Microsoft SharePoint Server Elevation of Privilege Vulnerability
CVE-2023-29357 vulnerability in SharePoint Server, disclosed on June 14, 2023
9.8
PHP External Variable Modification in Junos OS J-Web (pre-21.2R3-S7)
CVE-2023-36845 vulnerability in Junos OS, disclosed on August 17, 2023
9.8
Zyxel ZyWALL/USG 4.605.35 Error Msg Disclosure Enables Remote OS Cmd
CVE-2023-28771 vulnerability in Multiple Firewalls, disclosed on April 25, 2023
9.8
IBM Aspera Faspex <4.4.2 PL2 YAML Deserialization RCE
CVE-2022-47986 vulnerability in Aspera Faspex, disclosed on February 17, 2023
9.8
SysAid On-Premise <=23.3.35 Path Traversal to Code Exec (Tomcat Webroot)
CVE-2023-47246 vulnerability in SysAid Server, disclosed on November 10, 2023
9.8
Pre-auth Cmd Injection in Sophos Web Appliance <4.3.10.4 warn-proceed
CVE-2023-1671 vulnerability in Web Appliance, disclosed on April 4, 2023
9.8
Remote Command Injection CVE-2023-20887 in VMware Aria Ops
CVE-2023-20887 vulnerability in Aria Operations for Networks, disclosed on June 7, 2023
9.8
Unauth SQLi in MOVEit Transfer Web App (15.0.1)
CVE-2023-34362 vulnerability in MOVEit Transfer, disclosed on June 2, 2023
9.8
Adobe ColdFusion Arbitrary Code Execution via Deserialization of Untrusted Data
CVE-2023-38203 vulnerability in ColdFusion, disclosed on July 20, 2023
9.8
Ruckus Wireless Admin 10.4 RCE via Unauth HTTP GET
CVE-2023-25717 vulnerability in Multiple Products, disclosed on February 13, 2023
9.8
CVE-2023-3519: Unauth RCE in Unknown Product
CVE-2023-3519 vulnerability in NetScaler ADC and NetScaler Gateway, disclosed on July 19, 2023
9.8
Adobe ColdFusion Deserialization CVE-2023-29300 RCE
CVE-2023-29300 vulnerability in ColdFusion, disclosed on July 12, 2023
9.8
Mar 2023: Microsoft Outlook Elevation of Privilege Vulnerability
CVE-2023-23397 vulnerability in Office, disclosed on March 14, 2023
9.8
VMware vCenter Server OOB Write in DCERPC Enables RCE
CVE-2023-34048 vulnerability in vCenter Server, disclosed on October 25, 2023
9.8
OS CMD Injection in D-Link DIR820LA1_FW105B03 ping.ccp (CVE-2023-25280)
CVE-2023-25280 vulnerability in DIR-820 Router, disclosed on March 16, 2023
9.8
TeamCity Server Auth Bypass -> RCE before 2023.05.4
CVE-2023-42793 vulnerability in TeamCity, disclosed on September 19, 2023
9.8
Remote Code Execution via Flags Header Array AG Series 9.4.0.481
CVE-2023-28461 vulnerability in AG/vxAG ArrayOS, disclosed on March 15, 2023
9.8
Pre-auth Command Injection in Zyxel NAS (< V5.21) via HTTP
CVE-2023-27992 vulnerability in Multiple Network-Attached Storage (NAS) Devices, disclosed on June 19, 2023
9.8
Adobe ColdFusion Deserialization Vulnerability: Arbitrary Code Exec 2018/2021
CVE-2023-26359 vulnerability in ColdFusion, disclosed on March 23, 2023
9.8
Cobalt Strike 4.7.1 Swing RCE via Unescaped HTML
CVE-2022-42948 vulnerability in Cobalt Strike, disclosed on March 24, 2023
9.8
Novi Survey <8.9.43676 Remote Code Execution via Service Account
CVE-2023-29492 vulnerability in Novi Survey, disclosed on April 11, 2023
9.8
Unitronics VisiLogic <9.9.00 Default Admin Pass Vulnerability
CVE-2023-6448 vulnerability in Vision PLC and HMI, disclosed on December 5, 2023
9.8
Zyxel ATP/USG Buffer Overflow (4.605.36 Patch1) DoS/RCE
CVE-2023-33009 vulnerability in Multiple Firewalls, disclosed on May 24, 2023
9.8
Zyxel ATP/USG/VPN Firmware ID BOF 4.325.36 Patch 1
CVE-2023-33010 vulnerability in Multiple Firewalls, disclosed on May 24, 2023
9.6
HTTP Request Tunneling in Qlik Sense Enterprise for Windows
CVE-2023-41265 vulnerability in Sense, disclosed on August 29, 2023
9.6
Qlik Sense Ent. (Win) RCE via HTTP Header Validation (unauthenticated)
CVE-2023-48365 vulnerability in Sense, disclosed on November 15, 2023
9.6
CVE-2023-6345: Chrome <119 Sandbox Escape via Skia Integer Overflow
CVE-2023-6345 vulnerability in Skia, disclosed on November 29, 2023
9.6
Chrome <112: Skia Int Ovf Allows Sandbox Escape via HTML
CVE-2023-2136 vulnerability in Chrome, disclosed on April 19, 2023
9.4
Citrix NetScaler ADC/Gateway Sensitive Info Disclosure
CVE-2023-4966 vulnerability in NetScaler ADC and NetScaler Gateway, disclosed on October 10, 2023
9.4
Remote CMD Injection in Barracuda Email SG 5.1.3.001-9.2.0.006
CVE-2023-2868 vulnerability in Email Security Gateway (ESG) Appliance, disclosed on May 24, 2023
9.3
Heap Overflow in FortiOS/Pro SSL-VPN 6.07.2 (CVE-2022-42475)
CVE-2022-42475 vulnerability in FortiOS, disclosed on January 2, 2023
9.2
FortiOS/Proxy SSL-VPN Heap Buffer Overflow RCE (7.2.4)
CVE-2023-27997 vulnerability in FortiOS and FortiProxy SSL-VPN, disclosed on June 13, 2023
9.0
XSS in Zimbra ZCS 8.8.15 /h/autoSaveDraft Allows Remote Auth'd Attacker
CVE-2023-34192 vulnerability in Zimbra Collaboration Suite (ZCS), disclosed on July 6, 2023
8.9
Apache Superset <=2.0.1 Session Validation Vulnerability via Default SECRET_KEY
CVE-2023-27524 vulnerability in Superset, disclosed on April 24, 2023
8.8
Heap Buffer Overflow in libwebp (Chrome <116.0.5845.187 / libwebp 1.3.2)
CVE-2023-4863 vulnerability in Chromium, disclosed on September 12, 2023
8.8
Pentaho BA Server <9.4.0.1: Web Service Template Injection via Spring
CVE-2022-43769 vulnerability in Pentaho Business Analytics (BA) Server, disclosed on April 3, 2023
8.8
Command Injection in TP-Link Archer AX21 /cgi-bin/luci locale (pre-1.1.4)
CVE-2023-1389 vulnerability in Archer AX21, disclosed on March 15, 2023
8.8
SugarCRM <12.0 PHP Code Injection via EmailTemplates
CVE-2023-22952 vulnerability in Multiple Products, disclosed on January 11, 2023
8.8
TP-Link Router Cmd Injection via /userRpm/WlanNetworkRpm
CVE-2023-33538 vulnerability in Multiple Routers, disclosed on June 7, 2023
8.8
Nov 2023: Windows SmartScreen Security Feature Bypass Vulnerability
CVE-2023-36025 vulnerability in Windows, disclosed on November 14, 2023
8.8
Chrome V8 Type Confusion RCE (CVE-2023-4762) Fixed 116.0.5845.179
CVE-2023-4762 vulnerability in Chromium V8 Engine, disclosed on September 5, 2023
8.8
MinIO Metadata Insertion via PostPolicyBucket CVE-2023-28434
CVE-2023-28434 vulnerability in MinIO, disclosed on March 22, 2023
8.8
OS Command Injection in ASUS RT-AX55 3.0.0.4.386.51598 QoS BW Rulelist (CVE-2023-39780)
CVE-2023-39780 vulnerability in RT-AX55 Routers, disclosed on September 11, 2023
8.8
macOS Sonoma 14 Fixed Web Content Arbitrary Code Exec (CVE-2023-41993)
CVE-2023-41993 vulnerability in Multiple Products, disclosed on September 21, 2023
8.8
AE1021 Firmware <=2.0.9 OS Command Injection
CVE-2023-49897 vulnerability in AE1021, AE1021PE, disclosed on December 6, 2023
8.8
Google Chrome V8 Type Confusion (prior 112.0.5615.121) Heap Corruption
CVE-2023-2033 vulnerability in Chromium V8 Engine, disclosed on April 14, 2023
8.8
Jan 2023: Windows Advanced Local Procedure Call (ALPC) Elevation of Privilege Vulnerability
CVE-2023-21674 vulnerability in Windows, disclosed on January 10, 2023
8.8
Jul 2023: Windows SmartScreen Security Feature Bypass Vulnerability
CVE-2023-32049 vulnerability in Windows Defender SmartScreen, disclosed on July 11, 2023
8.8
High-severity heap buffer overflow in Chrome libvpx <117.0.5938.132
CVE-2023-5217 vulnerability in Chrome libvpx, disclosed on September 28, 2023
8.8
BIG-IP Config Utility Authenticated SQLi leads to System Cmd Exec
CVE-2023-46748 vulnerability in BIG-IP Configuration Utility, disclosed on October 26, 2023
8.8
WebKit Arbitrary Code Execution via Malicious Content
CVE-2019-8720 vulnerability in WebKitGTK, disclosed on March 6, 2023
8.8
Google Chrome WebRTC Heap Overflow before 120.0.6099.129
CVE-2023-7024 vulnerability in WebRTC, disclosed on December 21, 2023
8.8
V8 Type Confusion Heap Corruption in Chrome <114
CVE-2023-3079 vulnerability in Chromium V8 Engine, disclosed on June 5, 2023
8.8
Safari Type Confusion CVE-2023-32439 fixed in iOS 16.5.1 & macOS 13.4.1
CVE-2023-32439 vulnerability in Multiple Products, disclosed on June 23, 2023
8.8
Apple macOS Ventura 13.3 Memory Corruption Gadget Arbitrary Code Exec
CVE-2023-32435 vulnerability in iOS and macOS, disclosed on June 23, 2023
8.8
Arbitrary Exec in Safari before 15.6 via bounds check flaw on macOS/iOS
CVE-2022-48503 vulnerability in Multiple Products, disclosed on August 14, 2023
8.8
Safari 16.4.1 UAF Arbitrary Code Execution
CVE-2023-28205 vulnerability in Multiple Products, disclosed on April 10, 2023
8.8
Android OS WindowState Bug Enables Background Activity for Local Priv Escalation
CVE-2023-35674 vulnerability in Framework, disclosed on September 11, 2023
8.8
Code Exec via WebKit Mem Corrupt before iOS 16.7.1, fixed Safari 17.1.2
CVE-2023-42917 vulnerability in Multiple Products, disclosed on November 30, 2023
8.8
Safari Type Confusion Arbitrary Code Exec (iOS 15.7.4/16.3.1, macOS 13.2.1)
CVE-2023-23529 vulnerability in Multiple Products, disclosed on February 27, 2023
8.8
Apple Safari & OS Web Content Arbitrary Code Exec: fixed in v16.6 / 16.5.2
CVE-2023-37450 vulnerability in Multiple Products, disclosed on July 27, 2023
8.8
Apple Safari UAF leads to arbitrary code exec (before 16.5)
CVE-2023-32373 vulnerability in Multiple Products, disclosed on June 23, 2023
8.6
Openfire XMPP Server Path Traversal in Admin Console (3.10.0+) Fix 4.7.5/4.6.8
CVE-2023-32315 vulnerability in Openfire, disclosed on May 26, 2023
8.6
Adobe ColdFusion RCE via Improper Access Control (CVE-2023-26360)
CVE-2023-26360 vulnerability in ColdFusion, disclosed on March 23, 2023
8.6
Pentaho Business Analytics Server <9.4.0.1 URL canonicalization bypass
CVE-2022-43939 vulnerability in Pentaho Business Analytics (BA) Server, disclosed on April 3, 2023
8.6
Apple OS Kernel OOB Write (CVE-2023-28206) Fixed in macOS 12.6.5, iOS 16.4.1
CVE-2023-28206 vulnerability in iOS, iPadOS, and macOS, disclosed on April 10, 2023
8.6
Apple Safari WebContent Sandbox Escalation CVE-2023-32409 (16.5)
CVE-2023-32409 vulnerability in Multiple Products, disclosed on June 23, 2023
8.4
PaperCut NG/MF CSRF Enables Admin Arbitrary Code Exec
CVE-2023-2533 vulnerability in NG/MF, disclosed on June 20, 2023
8.4
Jun 2023: Microsoft Streaming Service Elevation of Privilege Vulnerability
CVE-2023-29360 vulnerability in Streaming Service, disclosed on June 14, 2023
8.4
CVE-2023-33107: Memory Corruption in Linux Graphics via IOCTL SVM Allocation
CVE-2023-33107 vulnerability in Multiple Chipsets, disclosed on December 5, 2023
8.4
Mem Corruption via Large Sync Points in KGSL_GPU_AUX IOCTL
CVE-2023-33106 vulnerability in Multiple Chipsets, disclosed on December 5, 2023
8.2
Qlik Sense Enterprise Path Traversal, Authless Session (CVE-2023-41266)
CVE-2023-41266 vulnerability in Sense, disclosed on August 29, 2023
8.0
OS Command Injection in QNAP VioStor NVR QVR Firmware 4.x (Fixed 5.0.0)
CVE-2023-47565 vulnerability in VioStor NVR, disclosed on December 8, 2023
7.9
UAF in ALSA PCM (SNDRV_CTL_IOCTL_ELEM) allows root escalation
CVE-2023-0266 vulnerability in Kernel, disclosed on January 30, 2023
7.8
WinRAR <6.23 RCE via ZIP Filename Collision
CVE-2023-38831 vulnerability in WinRAR, disclosed on August 23, 2023
7.8
Apple CoreImage Buffer Overflow (CVE-2023-41064) - Before 16.6.1 / 13.5.2
CVE-2023-41064 vulnerability in iOS, iPadOS, and macOS, disclosed on September 7, 2023
7.8
Use-After-Free in Adobe Acrobat Reader <22.003.20282 allows remote code exec
CVE-2023-21608 vulnerability in Acrobat and Reader, disclosed on January 18, 2023
7.8
Spreadsheet::ParseExcel 0.65 ACE via eval of number format strings
CVE-2023-7101 vulnerability in Spreadsheet::ParseExcel, disclosed on December 24, 2023
7.8
May 2023: Win32k Elevation of Privilege Vulnerability
CVE-2023-29336 vulnerability in Win32k, disclosed on May 9, 2023
7.8
Sep 2023: Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability
CVE-2023-36802 vulnerability in Streaming Service Proxy, disclosed on September 12, 2023
7.8
Jul 2023: Windows Error Reporting Service Elevation of Privilege Vulnerability
CVE-2023-36874 vulnerability in Windows Error Reporting Service, disclosed on July 11, 2023
7.8
Apple macOS Kernel Integer Overflow Arbitrary Exec < 11.7.8/12.6.7/13.4.1
CVE-2023-32434 vulnerability in Multiple Products, disclosed on June 23, 2023
7.8
Apr 2023: Windows Common Log File System Driver Elevation of Privilege Vulnerability
CVE-2023-28252 vulnerability in Windows, disclosed on April 11, 2023
7.8
Buffer Overflow in glibc's ld.so via GLIBC_TUNABLES env var
CVE-2023-4911 vulnerability in GNU C Library, disclosed on October 3, 2023
7.8
Linux Kernel OverlayFS setuid Capability Escalation Vulnerability
CVE-2023-0386 vulnerability in Kernel, disclosed on March 22, 2023
7.8
Jul 2023: Windows MSHTML Platform Elevation of Privilege Vulnerability
CVE-2023-32046 vulnerability in Windows MSHTML Platform, disclosed on July 11, 2023
7.8
Feb 2023: Windows Common Log File System Driver Elevation of Privilege Vulnerability
CVE-2023-23376 vulnerability in Windows, disclosed on February 14, 2023
7.8
Feb 2023: Windows Graphics Component Remote Code Execution Vulnerability
CVE-2023-21823 vulnerability in Windows, disclosed on February 14, 2023
Report Last Updated: March 31, 2026