CVE Explorer
EPSS × CVSS TRIAGE QUADRANT · UPPER-RIGHT = PATCH NOW
BY SEVERITY · 254,375 ANALYZED
EPSS DISTRIBUTION · EXPLOIT PROBABILITY
DISPOSITION FUNNEL · 254,375 → 1,609 patch-now
| CVE | SEV | CVSS | EPSS | KEV | DISPOSITION | VENDOR · PRODUCT | CWE | SUMMARY | FIX | CVE PUBLISHED | WE COVERED | AGE (DAYS) |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2023-23752 | MED | 5.3 | 95% | KEV | PATCH NOW | Joomla! · Joomla! | CWE-284 | An issue was discovered in Joomla! 4.0.0 through 4.2.7. An improper access check allows unauthorized access to webservice endpoints. | Patch available | Feb 16, 23 | Jun 2, 26 | 1202d |
| CVE-2017-8917 | CRIT | 9.8 | 95% | — | PATCH SOON | n/a · n/a | CWE-89 | SQL injection vulnerability in Joomla! 3.7.x before 3.7.1 allows attackers to execute arbitrary SQL commands via unspecified vectors. | Patch available | May 17, 17 | pending | 3303d |
| CVE-2018-1000861 | CRIT | 9.8 | 94% | KEV | PATCH NOW | Jenkins · Jenkins Stapler Web Framework | CWE-502 | A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in stapler/core/src/main/java/org/kohsuke/stapler/MetaClass.java that allows attackers to invo | Patch available | Dec 10, 18 | Jun 2, 26 | 2731d |
| CVE-2018-7600 | CRIT | 9.8 | 94% | KEV | PATCH NOW | Drupal · Drupal Core | CWE-20 | Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configura | Patch available | Mar 29, 18 | Jun 2, 26 | 2987d |
| CVE-2021-22986 | CRIT | 9.8 | 94% | KEV | PATCH NOW | F5 · BIG-IP and BIG-IQ Centralized Management | CWE-918 | On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3 and BIG-IQ 7.1.0.x before 7.1.0.3 and 7.0.0.x before 7.0.0.2, the iControl REST | Patch available | Mar 31, 21 | Jun 2, 26 | 1889d |
| CVE-2017-1000353 | CRIT | 9.8 | 94% | KEV | PATCH NOW | Jenkins · Jenkins | CWE-502 | Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an unauthenticated remote code execution. An unauthenticated remote code execution vulnerability allowed attackers to transfer a seria | Patch available | Jan 29, 18 | Jun 2, 26 | 3046d |
| CVE-2021-22205 | CRIT | 10.0 | 94% | KEV | PATCH NOW | GitLab · Community and Enterprise Editions | CWE-94 | An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution. | Patch available | Apr 23, 21 | Jun 2, 26 | 1866d |
| CVE-2024-6670 | CRIT | 9.8 | 94% | KEV | PATCH NOW | Progress · WhatsUp Gold | — | In WhatsUp Gold versions released before 2024.0.0, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the users encrypted password. | Patch available | Aug 29, 24 | Jun 2, 26 | 642d |
| CVE-2024-23897 | CRIT | 9.8 | 94% | KEV | PATCH NOW | Jenkins · Jenkins Command Line Interface (CLI) | CWE-22 | Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthentic | Patch available | Jan 24, 24 | Jun 2, 26 | 860d |
| CVE-2019-3396 | CRIT | 9.8 | 94% | KEV | PATCH NOW | Atlassian · Confluence Server and Data Server | CWE-22 | The Widget Connector macro in Atlassian Confluence Server before version 6.6.12 (the fixed version for 6.6.x), from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed | Patch available | Mar 25, 19 | Jun 2, 26 | 2626d |
| CVE-2020-1938 | CRIT | 9.8 | 94% | KEV | PATCH NOW | Apache · Tomcat | — | When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If su | Patch available | Feb 24, 20 | Jun 2, 26 | 2290d |
| CVE-2019-2725 | CRIT | 9.8 | 94% | KEV | PATCH NOW | Oracle · WebLogic Server | CWE-74 | Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). Supported versions that are affected are 10.3.6.0.0 and 12.1.3.0.0. Easily exploitable vulnerability allows | Patch available | Apr 26, 19 | Jun 2, 26 | 2594d |
| CVE-2022-46169 | CRIT | 9.8 | 94% | KEV | PATCH NOW | Cacti · Cacti | CWE-74 | Cacti is an open source platform which provides a robust and extensible operational monitoring and fault management framework for users. In affected versions a command injection vulnerability allows an unauthenticated us | Patch available | Dec 5, 22 | Jun 2, 26 | 1275d |
| CVE-2018-13379 | CRIT | 9.1 | 94% | KEV | PATCH NOW | Fortinet · FortiOS | CWE-22 | An Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal") in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0. | Patch available | Jun 4, 19 | Jun 2, 26 | 2555d |
| CVE-2019-17558 | HIGH | 7.5 | 94% | KEV | PATCH NOW | Apache · Solr | CWE-74 | Apache Solr 5.0.0 to Apache Solr 8.3.1 are vulnerable to a Remote Code Execution through the VelocityResponseWriter. A Velocity template can be provided through Velocity templates in a configset `velocity/` directory or | Patch available | Dec 30, 19 | Jun 2, 26 | 2346d |
| CVE-2022-22947 | CRIT | 10.0 | 94% | KEV | PATCH NOW | VMware · Spring Cloud Gateway | CWE-94 | In spring cloud gateway versions prior to 3.1.1+ and 3.0.7+ , applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. A remote attacker could make a ma | Patch available | Mar 3, 22 | Jun 2, 26 | 1552d |
| CVE-2019-11510 | CRIT | 10.0 | 94% | KEV | PATCH NOW | Ivanti · Pulse Connect Secure | CWE-22 | In Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an unauthenticated remote attacker can send a specially crafted URI to perform an arbitrary file reading vulnera | Patch available | May 8, 19 | Jun 2, 26 | 2582d |
| CVE-2019-16662 | CRIT | 9.8 | 94% | — | PATCH SOON | n/a · n/a | CWE-78 | An issue was discovered in rConfig 3.9.2. An attacker can directly execute system commands by sending a GET request to ajaxServerSettingsChk.php because the rootUname parameter is passed to the exec function without filt | — | Oct 28, 19 | pending | 2409d |
| CVE-2019-15107 | CRIT | 9.8 | 94% | KEV | PATCH NOW | Webmin · Webmin | CWE-78 | An issue was discovered in Webmin <=1.920. The parameter old in password_change.cgi contains a command injection vulnerability. | Patch available | Aug 15, 19 | Jun 2, 26 | 2483d |
| CVE-2021-22005 | CRIT | 9.8 | 94% | KEV | PATCH NOW | VMware · vCenter Server | CWE-22 | The vCenter Server contains an arbitrary file upload vulnerability in the Analytics service. A malicious actor with network access to port 443 on vCenter Server may exploit this issue to execute code on vCenter Server by | Patch available | Sep 23, 21 | Jun 2, 26 | 1713d |
EPSS bars from FIRST.org · severity from CVSS v3.1 · disposition synthesized from KEV + exploit-maturity + CVSS + EPSS signals
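The methodology line above and the quadrant panel describe the triage logic without spelling it out: the table shows that KEV membership dominates (CVE-2023-23752 is PATCH NOW at CVSS 5.3) while a non-KEV CRIT at 95% EPSS is only PATCH SOON (CVE-2017-8917). The following is an added example, not the CVE Explorer's own code. It recomputes SEV, the EPSS × CVSS quadrant, DISPOSITION, AGE and the funnel counts from four rows copied from the table on this page. The `Record` type, the function names and every threshold value are assumptions fitted to those rows; the page carries no exploit-maturity column, so that signal is left out and only the three visible signals are used.

```python
"""Recompute the CVE Explorer's derived columns from its raw signals.

Added example, not the CVE Explorer's own code. SAMPLE is copied from the
table on this page; the thresholds below are assumptions fitted to those rows.
The page's exploit-maturity signal has no column in the table and is omitted.
"""
from dataclasses import dataclass
from datetime import date

# The page's "WE COVERED" date: AGE is days from CVE publication to this day
# (CVE-2023-23752: Feb 16, 2023 -> Jun 2, 2026 = 1202d on the page).
AS_OF = date(2026, 6, 2)

# Assumed quadrant cut-offs: 7.0 is the CVSS v3.1 HIGH boundary, 0.10 is a
# commonly used EPSS "likely to see exploitation" line.
CVSS_HOT = 7.0
EPSS_HOT = 0.10
EPSS_VERY_HOT = 0.50  # assumed gate for PATCH SOON when the CVE is not in KEV


@dataclass(frozen=True)
class Record:
    cve: str
    cvss: float      # CVSS v3.1 base score
    epss: float      # EPSS probability in [0, 1] (the page prints it as a percent)
    kev: bool        # listed in CISA's Known Exploited Vulnerabilities catalog
    published: date  # CVE publication date


def severity(cvss: float) -> str:
    """CVSS v3.1 qualitative severity rating scale (the page's SEV column)."""
    if cvss == 0.0:
        return "NONE"
    if cvss < 4.0:
        return "LOW"
    if cvss < 7.0:
        return "MED"
    if cvss < 9.0:
        return "HIGH"
    return "CRIT"


def quadrant(rec: Record) -> str:
    """EPSS x CVSS quadrant; "upper-right" is the page's patch-now corner."""
    vertical = "upper" if rec.epss >= EPSS_HOT else "lower"
    horizontal = "right" if rec.cvss >= CVSS_HOT else "left"
    return f"{vertical}-{horizontal}"


def disposition(rec: Record) -> str:
    """Assumed synthesis rule: KEV dominates regardless of CVSS; otherwise a
    high CVSS score together with a high EPSS probability earns PATCH SOON,
    either signal alone earns SCHEDULE, and the rest is MONITOR."""
    if rec.kev:
        return "PATCH NOW"
    if rec.cvss >= CVSS_HOT and rec.epss >= EPSS_VERY_HOT:
        return "PATCH SOON"
    if rec.cvss >= CVSS_HOT or rec.epss >= EPSS_HOT:
        return "SCHEDULE"
    return "MONITOR"


def age_days(rec: Record, as_of: date = AS_OF) -> int:
    """The page's AGE column: days since the CVE was published."""
    return (as_of - rec.published).days


def funnel(records) -> dict:
    """Disposition funnel: how many records land in each bucket."""
    counts: dict = {}
    for rec in records:
        bucket = disposition(rec)
        counts[bucket] = counts.get(bucket, 0) + 1
    return counts


# Sample input copied from the table on this page (EPSS as a fraction).
SAMPLE = [
    Record("CVE-2023-23752", 5.3, 0.95, True, date(2023, 2, 16)),
    Record("CVE-2017-8917", 9.8, 0.95, False, date(2017, 5, 17)),
    Record("CVE-2019-17558", 7.5, 0.94, True, date(2019, 12, 30)),
    Record("CVE-2019-16662", 9.8, 0.94, False, date(2019, 10, 28)),
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec.cve, severity(rec.cvss), quadrant(rec),
              disposition(rec), f"{age_days(rec)}d")
    print(funnel(SAMPLE))
```

Running the block reproduces the SEV, DISPOSITION and AGE values of the four rows; the funnel over them is two PATCH NOW and two PATCH SOON. To feed live scores instead of the copied EPSS column, FIRST.org publishes the scores through its public EPSS API (`https://api.first.org/data/v1/epss?cve=CVE-...`), which the page credits as the source of its EPSS bars.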