EXPLORE
CVE Explorer
QUICK
EPSS × CVSS TRIAGE QUADRANT · UPPER-RIGHT = PATCH NOW
BY SEVERITY · 254,375 ANALYZED
EPSS DISTRIBUTION · EXPLOIT PROBABILITY
DISPOSITION FUNNEL254,375 → 1609 patch-now
| CVE | SEV | CVSS | EPSS | KEV | DISPOSITION | VENDOR · PRODUCT | CWE | SUMMARY | FIX | CVE PUBLISHED | WE COVERED | AGE | |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2023-23752 | MED | 5.3 | 95% | KEV | PATCH NOW | Joomla! · Joomla! | CWE-284 | An issue was discovered in Joomla! 4.0.0 through 4.2.7. An improper access check allows unauthorized access to webservice endpoints. | Patch available | Feb 16, 23 | Jun 2, 26 | 1202d | |
| CVE-2017-8917 | CRIT | 9.8 | 95% | — | PATCH SOON | n/a · n/a | CWE-89 | SQL injection vulnerability in Joomla! 3.7.x before 3.7.1 allows attackers to execute arbitrary SQL commands via unspecified vectors. | Patch available | May 17, 17 | pending | 3303d | |
| CVE-2018-1000861 | CRIT | 9.8 | 94% | KEV | PATCH NOW | Jenkins · Jenkins Stapler Web Framework | CWE-502 | A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in stapler/core/src/main/java/org/kohsuke/stapler/MetaClass.java that allows attackers to invo | Patch available | Dec 10, 18 | Jun 2, 26 | 2731d | |
| CVE-2021-22986 | CRIT | 9.8 | 94% | KEV | PATCH NOW | F5 · BIG-IP and BIG-IQ Centralized Management | CWE-918 | On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3 amd BIG-IQ 7.1.0.x before 7.1.0.3 and 7.0.0.x before 7.0.0.2, the iControl REST | Patch available | Mar 31, 21 | Jun 2, 26 | 1889d | |
| CVE-2018-7600 | CRIT | 9.8 | 94% | KEV | PATCH NOW | Drupal · Drupal Core | CWE-20 | Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configura | Patch available | Mar 29, 18 | Jun 2, 26 | 2987d | |
| CVE-2017-1000353 | CRIT | 9.8 | 94% | KEV | PATCH NOW | Jenkins · Jenkins | CWE-502 | Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an unauthenticated remote code execution. An unauthenticated remote code execution vulnerability allowed attackers to transfer a seria | Patch available | Jan 29, 18 | Jun 2, 26 | 3046d | |
| CVE-2021-22205 | CRIT | 10.0 | 94% | KEV | PATCH NOW | GitLab · Community and Enterprise Editions | CWE-94 | An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution. | Patch available | Apr 23, 21 | Jun 2, 26 | 1866d | |
| CVE-2022-46169 | CRIT | 9.8 | 94% | KEV | PATCH NOW | Cacti · Cacti | CWE-74 | Cacti is an open source platform which provides a robust and extensible operational monitoring and fault management framework for users. In affected versions a command injection vulnerability allows an unauthenticated us | Patch available | Dec 5, 22 | Jun 2, 26 | 1275d | |
| CVE-2019-2725 | CRIT | 9.8 | 94% | KEV | PATCH NOW | Oracle · WebLogic Server | CWE-74 | Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). Supported versions that are affected are 10.3.6.0.0 and 12.1.3.0.0. Easily exploitable vulnerability allows | Patch available | Apr 26, 19 | Jun 2, 26 | 2594d | |
| CVE-2024-23897 | CRIT | 9.8 | 94% | KEV | PATCH NOW | Jenkins · Jenkins Command Line Interface (CLI) | CWE-22 | Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthentic | Patch available | Jan 24, 24 | Jun 2, 26 | 860d | |
| CVE-2020-1938 | CRIT | 9.8 | 94% | KEV | PATCH NOW | Apache · Tomcat | — | When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If su | Patch available | Feb 24, 20 | Jun 2, 26 | 2290d | |
| CVE-2024-6670 | CRIT | 9.8 | 94% | KEV | PATCH NOW | Progress · WhatsUp Gold | — | In WhatsUp Gold versions released before 2024.0.0, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the users encrypted password. | Patch available | Aug 29, 24 | Jun 2, 26 | 642d | |
| CVE-2019-3396 | CRIT | 9.8 | 94% | KEV | PATCH NOW | Atlassian · Confluence Server and Data Server | CWE-22 | The Widget Connector macro in Atlassian Confluence Server before version 6.6.12 (the fixed version for 6.6.x), from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed | Patch available | Mar 25, 19 | Jun 2, 26 | 2626d | |
| CVE-2018-13379 | CRIT | 9.1 | 94% | KEV | PATCH NOW | Fortinet · FortiOS | CWE-22 | An Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal") in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0. | Patch available | Jun 4, 19 | Jun 2, 26 | 2555d | |
| CVE-2019-17558 | HIGH | 7.5 | 94% | KEV | PATCH NOW | Apache · Solr | CWE-74 | Apache Solr 5.0.0 to Apache Solr 8.3.1 are vulnerable to a Remote Code Execution through the VelocityResponseWriter. A Velocity template can be provided through Velocity templates in a configset `velocity/` directory or | Patch available | Dec 30, 19 | Jun 2, 26 | 2346d | |
| CVE-2019-11510 | CRIT | 10.0 | 94% | KEV | PATCH NOW | Ivanti · Pulse Connect Secure | CWE-22 | In Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an unauthenticated remote attacker can send a specially crafted URI to perform an arbitrary file reading vulnera | Patch available | May 8, 19 | Jun 2, 26 | 2582d | |
| CVE-2022-22947 | CRIT | 10.0 | 94% | KEV | PATCH NOW | VMware · Spring Cloud Gateway | CWE-94 | In spring cloud gateway versions prior to 3.1.1+ and 3.0.7+ , applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. A remote attacker could make a ma | Patch available | Mar 3, 22 | Jun 2, 26 | 1552d | |
| CVE-2022-1388 | CRIT | 9.8 | 94% | KEV | PATCH NOW | F5 · BIG-IP | CWE-306 | On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, undisclosed requests may bypass i | Patch available | May 5, 22 | Jun 2, 26 | 1489d | |
| CVE-2021-22005 | CRIT | 9.8 | 94% | KEV | PATCH NOW | VMware · vCenter Server | CWE-22 | The vCenter Server contains an arbitrary file upload vulnerability in the Analytics service. A malicious actor with network access to port 443 on vCenter Server may exploit this issue to execute code on vCenter Server by | Patch available | Sep 23, 21 | Jun 2, 26 | 1713d | |
| CVE-2022-44877 | CRIT | 9.8 | 94% | KEV | PATCH NOW | CWP · Control Web Panel | CWE-78 | login/index.php in CWP (aka Control Web Panel or CentOS Web Panel) 7 before 0.9.8.1147 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the login parameter. | — | Jan 5, 23 | Jun 2, 26 | 1244d |
/ searchF filterJK next/prev⏎ openEPSS bars from FIRST.org · severity from CVSS v3.1 · disposition synthesized from KEV + exploit-maturity + CVSS + EPSS signals