2024 Security Vulnerability Report
CVE Statistics for 2024
There were 40304 security vulnerabilities (CVEs) published in 2024. In 2023 there were 29772.
The average severity was 7.0 out of 10, which decreased by 0.2 from 2023.
Products, Vendors & Weaknesses with the most security vulnerabilities published in 2024
Vulnerabilities may exist in multiple products or vendors.
By Weakness
Each entry gives the rank, the weakness name, its CWE description, and the number of 2024 CVEs mapped to that weakness.
#1 Cross-Site Scripting (XSS), CWE-79
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
6263
#2 SQL Injection, CWE-89
The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.
2116
#3 Missing Authorization, CWE-862
The software does not perform an authorization check when an actor attempts to access a resource or perform an action.
1699
#4 Out-of-bounds Write, CWE-787
The software writes data past the end, or before the beginning, of the intended buffer. Typically, this can result in corruption of data, a crash, or code execution. The software may modify an index or perform pointer arithmetic that references a memory location that is outside of the boundaries of the buffer. A subsequent write operation then produces undefined or unexpected results.
1587
#5 Cross-Site Request Forgery (CSRF), CWE-352
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request. When a web server is designed to receive a request from a client without any mechanism for verifying that it was intentionally sent, then it might be possible for an attacker to trick a client into making an unintentional request to the web server which will be treated as an authentic request. This can be done via a URL, image load, XMLHttpRequest, etc. and can result in exposure of data or unintended code execution.
1160
#6 Use After Free, CWE-416
Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.
818
#7 Out-of-bounds Read, CWE-125
The software reads data past the end, or before the beginning, of the intended buffer. Typically, this can allow attackers to read sensitive information from other memory locations or cause a crash. A crash can occur when the code reads a variable amount of data and assumes that a sentinel exists to stop the read operation, such as a NUL in a string. The expected sentinel might not be located in the out-of-bounds memory, causing excessive data to be read, leading to a segmentation fault or a buffer overflow. The software may modify an index or perform pointer arithmetic that references a memory location that is outside of the boundaries of the buffer. A subsequent read operation then produces undefined or unexpected results.
809
#8 Path Traversal (Directory Traversal), CWE-22
The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
772
#9 NULL Pointer Dereference, CWE-476
A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit. NULL pointer dereference issues can occur through a number of flaws, including race conditions, and simple programming omissions.
725
#10 Unrestricted Upload of File with Dangerous Type, CWE-434
The software allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment.
577
#11 OS Command Injection, CWE-78
The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
530
#12 Exposure of Sensitive Information (Information Disclosure), CWE-200
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
413
#13 Deserialization of Untrusted Data, CWE-502
The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
366
#14 Classic Buffer Overflow, CWE-120
The program copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow. A buffer overflow condition exists when a program attempts to put more data in a buffer than it can hold, or when a program attempts to put data in a memory area outside of the boundaries of a buffer. The simplest type of error, and the most common cause of buffer overflows, is the "classic" case in which the program copies the buffer without restricting how much is copied. Other variants exist, but the existence of a classic overflow strongly suggests that the programmer is not considering even the most basic of security protections.
337
#15 Code Injection, CWE-94
The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
297
#16 Memory Leak (Missing Release of Memory after Effective Lifetime), CWE-401
The software does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory. This is often triggered by improper handling of malformed data or unexpectedly interrupted sessions. In some languages, developers are responsible for tracking memory allocation and releasing the memory. If there are no more pointers or references to the memory, then it can no longer be tracked and identified for release.
281
#17 Improper Access Control, CWE-284
The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
269
#18 Improper Input Validation, CWE-20
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
268
#19 Server-Side Request Forgery (SSRF), CWE-918
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. By providing URLs to unexpected hosts or ports, attackers can make it appear that the server is sending the request, possibly bypassing access controls such as firewalls that prevent the attackers from accessing the URLs directly. The server can be used as a proxy to conduct port scanning of hosts in internal networks, to access documents on the system itself via URL schemes such as file://, or to use other protocols such as gopher:// or tftp://, which may provide greater control over the contents of requests.
258
#20 Command Injection, CWE-77
The software constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
250
#21 Incorrect Authorization, CWE-863
The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.
246
#22 Insecure Direct Object Reference (IDOR) / Authorization Bypass Through User-Controlled Key, CWE-639
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
234
#23 Improper Authentication, CWE-287
When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.
190
#24 Integer Overflow or Wraparound, CWE-190
The software performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control. An integer overflow or wraparound occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may wrap to become a very small or negative number. While this may be intended behavior in circumstances that rely on wrapping, it can have security consequences if the wrap is unexpected. This is especially the case if the integer overflow can be triggered using user-supplied inputs. This becomes security-critical when the result is used to control looping, make a security decision, or determine the offset or size in behaviors such as memory allocation, copying, concatenation, etc.
189
#25 Heap-based Buffer Overflow, CWE-122
A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
182
2024 Known Exploited Vulnerabilities
These may be considered some of the most dangerous vulnerabilities of 2024: each is known to have been exploited and carries a high CVSS base score. Entries are ordered by score; 7 of them scored the highest possible base score of 10.0.
10.0
ConnectWise ScreenConnect <23.9.7 Auth Bypass via Alternate Channel
CVE-2024-1709 vulnerability in ScreenConnect, disclosed on February 21, 2024
10.0
CyberPanel 2.3.6-2.3.7 Auth Bypass & CMD Injection via UpgradeMySQLstatus
CVE-2024-51567 vulnerability in CyberPanel, disclosed on October 29, 2024
10.0
LoadMaster mgmt interface cmd injection: arbitrary system exec
CVE-2024-1212 vulnerability in Kemp LoadMaster, disclosed on February 21, 2024
10.0
Palo Alto PAN-OS GlobalProtect Privilege Escalation via Command Injection (CVE-2024-3400)
CVE-2024-3400 vulnerability in PAN-OS, disclosed on April 12, 2024
10.0
Zimbra PostJournal unauth exec before 10.1.1
CVE-2024-45519 vulnerability in Zimbra Collaboration, disclosed on October 2, 2024
10.0
CVE-2024-51378: Auth Bypass & RCE via /dns/getresetstatus in CyberPanel <=2.3.7
CVE-2024-51378 vulnerability in CyberPanel, disclosed on October 29, 2024
10.0
GitLab CE/EE Password Reset Emails Sent to Unverified Addresses (16.1 through 16.7.1)
CVE-2023-7028 vulnerability in GitLab CE/EE, disclosed on January 12, 2024
9.8
Unauth SQL Injection in WhatsUP Gold <2024.0.0 allows password theft
CVE-2024-6670 vulnerability in WhatsUp Gold, disclosed on August 29, 2024
9.8
Jenkins CLI File Read via '@' Path Injection (v<2.441)
CVE-2024-23897 vulnerability in Jenkins Command Line Interface (CLI), disclosed on January 24, 2024
9.8
Ivanti vTM Auth Bypass Before 22.2R1 / 22.7R2
CVE-2024-7593 vulnerability in Virtual Traffic Manager, disclosed on August 13, 2024
9.8
SSTI in CrushFTP <10.7.1 & <11.1.0: Auth Bypass & RCE
CVE-2024-4040 vulnerability in CrushFTP, disclosed on April 22, 2024
9.8
GeoServer RCE via OGC Params before 2.25.2 (unsafely evaluated XPath)
CVE-2024-36401 vulnerability in GeoServer, disclosed on July 1, 2024
9.8
PHP 8.1-8.3: Windows CGI Command Line Option Injection via Best-Fit Codepage Mapping
CVE-2024-4577 vulnerability in PHP, disclosed on June 9, 2024
9.8
Auth Bypass in Telerik Report Server 10.0.24.305 on IIS
CVE-2024-4358 vulnerability in Telerik Report Server, disclosed on May 29, 2024
9.8
ServiceNow Now Platform RCE via Input Validation Flaw
CVE-2024-4879 vulnerability in ServiceNow Now Platform (Utah, Vancouver and Washington DC releases), disclosed on July 10, 2024
9.8
Apache HugeGraph-Server RCE before 1.3.0 via Insecure Endpoint
CVE-2024-27348 vulnerability in HugeGraph-Server, disclosed on April 22, 2024
9.8
Remote Template Injection in Rejetto HFS 2.3m (Arbitrary CMD Exec)
CVE-2024-23692 vulnerability in HTTP File Server, disclosed on May 31, 2024
9.8
WhatsUpGold <v2023.1.3 RCE via ExportUtilities::GetFileWithoutZip
CVE-2024-4885 vulnerability in WhatsUp Gold, disclosed on June 25, 2024
9.8
Forced Browsing Vulnerability in Apache OFBiz <18.12.16
CVE-2024-45195 vulnerability in OFBiz, disclosed on September 4, 2024
9.8
Hardcoded Credentials via /cgi-bin/nas_sharing.cgi GET on D-Link DNS-3xx NAS Devices
CVE-2024-3272 vulnerability in Multiple NAS Devices, disclosed on April 4, 2024
9.8
ServiceNow NOW Platform RCE via Improper Input Validation (CVE-2024-5217)
CVE-2024-5217 vulnerability in ServiceNow Now Platform (Utah, Vancouver and Washington DC releases), disclosed on July 10, 2024
9.8
Adobe Commerce XXE CVE-2024-34102 before 2.4.7 (arbitrary code exec)
CVE-2024-34102 vulnerability in Commerce and Magento Open Source, disclosed on June 13, 2024
9.8
Unrestricted File Upload/Download in Cleo Harmony, VLTrader, LexiCom <5.8.0.21 (RCE)
CVE-2024-50623 vulnerability in Multiple Products, disclosed on October 28, 2024
9.8
FortiManager Arbitrary Code Execution caused by Missing Authentication in fgfmsd
CVE-2024-47575 vulnerability in FortiManager, disclosed on October 23, 2024
9.8
Unauthenticated Command Injection in PRA/RS Remote Access
CVE-2024-12356 vulnerability in Privileged Remote Access (PRA) and Remote Support (RS), disclosed on December 17, 2024
9.8
ProjectSend Improper Authentication Vulnerability in options.php
CVE-2024-11680 vulnerability in ProjectSend, disclosed on November 26, 2024
9.8
TeamCity < 2023.11.4 Auth Bypass Exposing Admin Actions
CVE-2024-27198 vulnerability in TeamCity, disclosed on March 4, 2024
9.8
Feb 2024: Microsoft Outlook Remote Code Execution Vulnerability
CVE-2024-21413 vulnerability in Office Outlook, disclosed on February 13, 2024
9.8
Cleo Harmony, VLTrader, and LexiCom Remote Code Execution via Autorun Directory
CVE-2024-55956 vulnerability in Multiple Products, disclosed on December 13, 2024
9.8
Cisco Smart Licensing Utility (CSLU): Static Admin Credential Allows Remote Login
CVE-2024-20439 vulnerability in Smart Licensing Utility, disclosed on September 4, 2024
9.8
Oct 2024: Microsoft Configuration Manager Remote Code Execution Vulnerability
CVE-2024-43468 vulnerability in Configuration Manager, disclosed on October 8, 2024
9.8
VMware vCenter Server DCERPC Heap Overflow RCE
CVE-2024-37079 vulnerability in VMware vCenter Server, disclosed on June 18, 2024
9.8
VMware vCenter Server DCERPC Heap Overflow RCE
CVE-2024-38812 vulnerability in vCenter Server, disclosed on September 17, 2024
9.8
SolarWinds Web Help Desk Java Deserialization RCE
CVE-2024-28986 vulnerability in Web Help Desk, disclosed on August 13, 2024
9.8
Unauthenticated Command Injection in GeoVision EOL Devices
CVE-2024-6047 vulnerability in Multiple Devices, disclosed on June 17, 2024
9.8
GeoVision EOL Devices OS Command Injection Vulnerability
CVE-2024-11120 vulnerability in Multiple Devices, disclosed on November 15, 2024
9.8
ScienceLogic SL1 Unspecified Vulnerability in Third-Party Component (fixed in 12.1.3+)
CVE-2024-9537 vulnerability in SL1, disclosed on October 18, 2024
9.8
Format String Bug in Fortinet FortiOS 7.0-7.4 Allows Arbitrary Code Execution
CVE-2024-23113 vulnerability in Multiple Products, disclosed on February 15, 2024
9.8
Firefox/Thunderbird <131: UAF in Animation Timelines -> Code Exec
CVE-2024-9680 vulnerability in Firefox, disclosed on October 9, 2024
9.8
Windows 10 1507 Servicing Stack Rollback Reopens Optional Component Vulnerabilities
CVE-2024-43491 vulnerability in Windows, disclosed on September 10, 2024
9.8
Feb 2024: Microsoft Exchange Server Elevation of Privilege Vulnerability
CVE-2024-21410 vulnerability in Exchange Server, disclosed on February 13, 2024
9.6
Fortinet FortiOS 6.0-7.4 OOB Write: Unauth Code Exec (CVE-2024-21762)
CVE-2024-21762 vulnerability in FortiOS, disclosed on February 9, 2024
9.6
V8 Type Confusion in Chrome <125.0.6422.60 RCE
CVE-2024-4947 vulnerability in Chromium V8, disclosed on May 15, 2024
9.6
Chrome <124.0.6367.201: Use-After-Free allows sandbox escape via crafted HTML
CVE-2024-4671 vulnerability in Chromium, disclosed on May 14, 2024
9.4
Unauthenticated Remote Path Traversal in Ivanti CSA before 4.6 Patch 519
CVE-2024-8963 vulnerability in Cloud Services Appliance (CSA), disclosed on September 19, 2024
9.3
SQLi in FortiClientEMS 7.2.0-7.2.2 / 7.0.1-7.0.10 Allows Code Execution
CVE-2023-48788 vulnerability in FortiClient EMS, disclosed on March 12, 2024
9.3
XSS via message_body desanitization in Roundcube <=1.6.7 (CVE-2024-42009)
CVE-2024-42009 vulnerability in Webmail, disclosed on August 5, 2024
9.3
SonicWall SonicOS 7.0.1-5035 Improper Access Control (Management Access)
CVE-2024-40766 vulnerability in SonicOS, disclosed on August 23, 2024
9.1
SolarWinds WHD Hardcoded Credential Remote Unauth Access
CVE-2024-28987 vulnerability in Web Help Desk, disclosed on August 21, 2024
9.1
Mitel MiCollab 9.8 SP1 FP2 Path-Traversal in NuPoint Unified Messaging (CVE-2024-41713)
CVE-2024-41713 vulnerability in MiCollab, disclosed on October 21, 2024
9.1
Apache OFBiz Path Traversal before v18.12.13
CVE-2024-32113 vulnerability in OFBiz, disclosed on May 8, 2024
9.1
Apache HTTP Server 2.4.59 and earlier: mod_rewrite Improper Escaping Bypass
CVE-2024-38475 vulnerability in HTTP Server, disclosed on July 1, 2024
9.1
PTZOptics PT30X-SDI/NDI FW<6.3.40 - Auth Bypass on /cgi-bin/param.cgi
CVE-2024-8956 vulnerability in PT30X-SDI/NDI Cameras, disclosed on September 17, 2024
8.8
Oracle Agile PLM 9.3.6 Export RCE via HTTP
CVE-2024-20953 vulnerability in Agile Product Lifecycle Management (PLM), disclosed on February 17, 2024
8.8
Nov 2024: Windows Task Scheduler Elevation of Privilege Vulnerability
CVE-2024-49039 vulnerability in Windows, disclosed on November 12, 2024
8.8
Apr 2024: SmartScreen Prompt Security Feature Bypass Vulnerability
CVE-2024-29988 vulnerability in SmartScreen Prompt, disclosed on April 9, 2024
8.8
Aug 2024: Microsoft Project Remote Code Execution Vulnerability
CVE-2024-38189 vulnerability in Project, disclosed on August 13, 2024
8.8
Google Chrome V8 Heap Corruption via Crafted HTML before 128.0.6613.84
CVE-2024-7965 vulnerability in Chromium V8, disclosed on August 21, 2024
8.8
May 2024: Windows MSHTML Platform Security Feature Bypass Vulnerability
CVE-2024-30040 vulnerability in Windows, disclosed on May 14, 2024
8.8
Sep 2024: Windows MSHTML Platform Spoofing Vulnerability
CVE-2024-43461 vulnerability in Windows, disclosed on September 10, 2024
8.8
Apple Safari Web Content Arbitrary Code Execution
CVE-2024-44308 vulnerability in Multiple Products, disclosed on November 20, 2024
8.8
CVE-2024-7971: Type Confusion in V8 before 128.0.6613.84 (Google Chrome)
CVE-2024-7971 vulnerability in Chromium V8, disclosed on August 21, 2024
8.8
Apple WebKit Type Confusion Enabling Arbitrary Code Execution (fixed in iOS 17.3 / macOS 14.3)
CVE-2024-23222 vulnerability in Multiple Products, disclosed on January 23, 2024
8.8
OOB Memory Access in V8 (Chrome <120.0.6099.224) Heap Corruption via Crafted HTML
CVE-2024-0519 vulnerability in Chromium V8, disclosed on January 16, 2024
8.7
Nov 2024: Partner.Microsoft.Com Elevation of Privilege Vulnerability
CVE-2024-49035 vulnerability in Partner Center, disclosed on November 26, 2024
8.6
SolarWinds Serv-U Dir Trav Exposes Sensitive Files
CVE-2024-28995 vulnerability in Serv-U, disclosed on June 6, 2024
8.6
Check Point Quantum Gateway Information Disclosure via Remote Access VPN
CVE-2024-24919 vulnerability in Quantum Security Gateways, disclosed on May 28, 2024
8.6
Cisco ASA/FTD VPN Web Server DoS via HTTP Header Parsing
CVE-2024-20353 vulnerability in Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD), disclosed on April 24, 2024
8.4
Justice AV Viewer Setup 8.3.7.250-1 Authenticode Bypass
CVE-2024-4978 vulnerability in Justice AV Solutions Viewer, disclosed on May 23, 2024
8.3
Chrome V8 Type Confusion RCE (before 125.0.6422.112)
CVE-2024-5274 vulnerability in Chromium V8, disclosed on May 28, 2024
8.3
Google Chrome V8 OOB Write (v<124.0.6367.207)
CVE-2024-4761 vulnerability in Chromium Visuals, disclosed on May 14, 2024
8.2
Citrix NetScaler ADC/Gateway OOB Buffer Read DoS
CVE-2023-6549 vulnerability in NetScaler ADC and NetScaler Gateway, disclosed on January 17, 2024
8.1
Apache OFBiz 18.12.14 - Unauth Authorization for Screen Rendering
CVE-2024-38856 vulnerability in OFBiz, disclosed on August 5, 2024
8.1
Feb 2024: Internet Shortcut Files Security Feature Bypass Vulnerability
CVE-2024-21412 vulnerability in Windows, disclosed on February 13, 2024
8.1
Pixel: Local Privilege Escalation via Logic Error (CVE-2024-32896)
CVE-2024-32896 vulnerability in Pixel, disclosed on June 13, 2024
7.8
Dec 2024: Windows Common Log File System Driver Elevation of Privilege Vulnerability
CVE-2024-49138 vulnerability in Windows, disclosed on December 12, 2024
7.8
Linux Kernel netfilter nf_tables Use-After-Free Local PrivEsc via NF_DROP
CVE-2024-1086 vulnerability in Kernel, disclosed on January 31, 2024
7.8
Feb 2024: Windows Kernel Elevation of Privilege Vulnerability
CVE-2024-21338 vulnerability in Windows, disclosed on February 13, 2024
7.8
Aug 2024: Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
CVE-2024-38193 vulnerability in Windows, disclosed on August 13, 2024
7.8
Jun 2024: Windows Kernel-Mode Driver Elevation of Privilege Vulnerability
CVE-2024-35250 vulnerability in Windows, disclosed on June 11, 2024
7.8
Oct 2024: Microsoft Management Console Remote Code Execution Vulnerability
CVE-2024-43572 vulnerability in Windows, disclosed on October 8, 2024
7.8
May 2024: Windows DWM Core Library Elevation of Privilege Vulnerability
CVE-2024-30051 vulnerability in DWM Core Library, disclosed on May 14, 2024
7.8
Mar 2024: Windows Error Reporting Service Elevation of Privilege Vulnerability
CVE-2024-26169 vulnerability in Windows, disclosed on March 12, 2024
7.8
Jul 2024: Windows Hyper-V Elevation of Privilege Vulnerability
CVE-2024-38080 vulnerability in Windows, disclosed on July 9, 2024
7.8
Linux Kernel UVC Video Format Parsing Out-of-Bounds Write Vulnerability
CVE-2024-53104 vulnerability in Kernel, disclosed on December 2, 2024
7.8
Sep 2024: Windows Installer Elevation of Privilege Vulnerability
CVE-2024-38014 vulnerability in Windows, disclosed on September 10, 2024
7.8
Aug 2024: Windows Power Dependency Coordinator Elevation of Privilege Vulnerability
CVE-2024-38107 vulnerability in Windows, disclosed on August 13, 2024
7.8
Linux Kernel ALSA usb-audio OOB via bNumConfigurations
CVE-2024-53197 vulnerability in Kernel, disclosed on December 27, 2024
7.8
CVE-2024-43047: Memory Corruption in HLOS Memory Map Handling
CVE-2024-43047 vulnerability in Multiple Chipsets, disclosed on October 7, 2024
7.8
Linux Kernel: __dst_negative_advice Race Enables UAF via RCU Violation
CVE-2024-36971 vulnerability in Kernel, disclosed on June 10, 2024
7.8
Pixel: Local Privilege Escalation via Logic Error (User Interaction Required)
CVE-2024-29748 vulnerability in Pixel, disclosed on April 5, 2024
7.8
Apple iOS/iPadOS Kernel Memory Corruption Fixed in 17.4 (CVE-2024-23296)
CVE-2024-23296 vulnerability in iOS and iPadOS, disclosed on March 5, 2024
7.8
Apple iOS/iPadOS Kernel Corruption (before iOS 17.4)
CVE-2024-23225 vulnerability in iOS and iPadOS, disclosed on March 5, 2024
7.8
Use-After-Free in Apple iOS 17/iPadOS Kernel Allows Arbitrary Code Execution
CVE-2023-41974 vulnerability in iOS and iPadOS, disclosed on January 10, 2024
7.6
Feb 2024: Windows SmartScreen Security Feature Bypass Vulnerability
CVE-2024-21351 vulnerability in Windows, disclosed on February 13, 2024
7.5
Mar 2024: .NET Framework Information Disclosure Vulnerability
CVE-2024-29059 vulnerability in .NET Framework, disclosed on March 23, 2024
7.5
Jul 2024: Windows MSHTML Platform Spoofing Vulnerability
CVE-2024-38112 vulnerability in Windows, disclosed on July 9, 2024
7.5
Unauthenticated HTTP Remote Access, Oracle Agile PLM Framework 9.3.6 SDK
CVE-2024-21287 vulnerability in Agile Product Lifecycle Management (PLM), disclosed on November 18, 2024
7.5
Zyxel ATP, USG FLEX, and USG20(W)-VPN Series Directory Traversal Vulnerability
CVE-2024-11667 vulnerability in Multiple Firewalls, disclosed on November 27, 2024
7.5
Aug 2024: Scripting Engine Memory Corruption Vulnerability
CVE-2024-38178 vulnerability in Windows, disclosed on August 13, 2024
Report Last Updated: April 15, 2026