Vulnerabilities (CVE)

Filtered by CWE-20
Total 11617 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-3075 2 Fedoraproject, Google 2 Fedora, Chrome 2026-06-17 N/A 9.6 CRITICAL
Insufficient data validation in Mojo in Google Chrome prior to 105.0.5195.102 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.
CVE-2022-3001 1 Milesight 2 Video Management Systems, Video Management Systems Firmware 2026-06-17 N/A 7.5 HIGH
This vulnerability exists in Milesight Video Management Systems (VMS), all firmware versions prior to 40.7.0.79-r1, due to improper input handling at camera’s web-based management interface. A remote attacker could exploit this vulnerability by sending a specially crafted http request on the targeted network camera. Successful exploitation of this vulnerability could allow the attacker to cause a Denial of Service condition on the targeted device.
CVE-2022-39880 1 Google 1 Android 2026-06-17 N/A 7.1 HIGH
Improper input validation vulnerability in DualOutFocusViewer prior to SMR Nov-2022 Release 1 allows local attacker to perform an arbitrary code execution.
CVE-2022-39389 2 Btcd Project, Lightning Network Daemon Project 2 Btcd, Lightning Network Daemon 2026-06-17 N/A 8.2 HIGH
Lightning Network Daemon (lnd) is an implementation of a lightning bitcoin overlay network node. All lnd nodes before version `v0.15.4` are vulnerable to a block parsing bug that can cause a node to enter a degraded state once encountered. In this degraded state, nodes can continue to make payments and forward HTLCs, and close out channels. Opening channels is prohibited, and also on chain transaction events will be undetected. This can cause loss of funds if a CSV expiry is researched during a breach attempt or a CLTV delta expires forgetting the funds in the HTLC. A patch is available in `lnd` version 0.15.4. Users are advised to upgrade. Users unable to upgrade may use the `lncli updatechanpolicy` RPC call to increase their CLTV value to a very high amount or increase their fee policies. This will prevent nodes from routing through your node, meaning that no pending HTLCs can be present.
CVE-2022-39376 1 Glpi-project 1 Glpi 2026-06-17 N/A 2.6 LOW
GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. Users may be able to inject custom fields values in `mailto` links. This issue has been patched, please upgrade to version 10.0.4. There are currently no known workarounds.
CVE-2022-39353 2 Debian, Xmldom Project 2 Debian Linux, Xmldom 2026-06-17 N/A 9.4 CRITICAL
xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. xmldom parses XML that is not well-formed because it contains multiple top level elements, and adds all root nodes to the `childNodes` collection of the `Document`, without reporting any error or throwing. This breaks the assumption that there is only a single root node in the tree, which led to issuance of CVE-2022-39299 as it is a potential issue for dependents. Update to @xmldom/xmldom@~0.7.7, @xmldom/xmldom@~0.8.4 (dist-tag latest) or @xmldom/xmldom@>=0.9.0-beta.4 (dist-tag next). As a workaround, please one of the following approaches depending on your use case: instead of searching for elements in the whole DOM, only search in the `documentElement`or reject a document with a document that has more then 1 `childNode`.
CVE-2022-39346 2 Fedoraproject, Nextcloud 3 Fedora, Nextcloud Enterprise Server, Nextcloud Server 2026-06-17 N/A 3.5 LOW
Nextcloud server is an open source personal cloud server. Affected versions of nextcloud server did not properly limit user display names which could allow a malicious users to overload the backing database and cause a denial of service. It is recommended that the Nextcloud Server is upgraded to 22.2.10, 23.0.7 or 24.0.3. There are no known workarounds for this issue.
CVE-2022-39338 1 Nextcloud 1 Openid Connect User Backend 2026-06-17 N/A 3.5 LOW
user_oidc is an OpenID Connect user backend for Nextcloud. Versions prior to 1.2.1 did not properly validate discovery urls which may lead to a stored cross site scripting attack vector. The impact is limited due to the restrictive CSP that is applied on this endpoint. Additionally this vulnerability has only been shown to be exploitable in the Safari web browser. This issue has been addressed in version 1.2.1. Users are advised to upgrade. Users unable to upgrade should urge their users to avoid using the Safari web browser.
CVE-2022-39318 2 Fedoraproject, Freerdp 2 Fedora, Freerdp 2026-06-17 N/A 4.8 MEDIUM
FreeRDP is a free remote desktop protocol library and clients. Affected versions of FreeRDP are missing input validation in `urbdrc` channel. A malicious server can trick a FreeRDP based client to crash with division by zero. This issue has been addressed in version 2.9.0. All users are advised to upgrade. Users unable to upgrade should not use the `/usb` redirection switch.
CVE-2022-39306 1 Grafana 1 Grafana 2026-06-17 N/A 6.4 MEDIUM
Grafana is an open-source platform for monitoring and observability. Versions prior to 9.2.4, or 8.5.15 on the 8.X branch, are subject to Improper Input Validation. Grafana admins can invite other members to the organization they are an admin for. When admins add members to the organization, non existing users get an email invite, existing members are added directly to the organization. When an invite link is sent, it allows users to sign up with whatever username/email address the user chooses and become a member of the organization. This introduces a vulnerability which can be used with malicious intent. This issue is patched in version 9.2.4, and has been backported to 8.5.15. There are no known workarounds.
CVE-2022-39291 1 Zoneminder 1 Zoneminder 2026-06-17 N/A 5.4 MEDIUM
ZoneMinder is a free, open source Closed-circuit television software application. Affected versions of zoneminder are subject to a vulnerability which allows users with "View" system permissions to inject new data into the logs stored by Zoneminder. This was observed through an HTTP POST request containing log information to the "/zm/index.php" endpoint. Submission is not rate controlled and could affect database performance and/or consume all storage resources. Users are advised to upgrade. There are no known workarounds for this issue.
CVE-2022-39266 1 Isolated-vm Project 1 Isolated-vm 2026-06-17 N/A 9.6 CRITICAL
isolated-vm is a library for nodejs which gives the user access to v8's Isolate interface. In versions 4.3.6 and prior, if the untrusted v8 cached data is passed to the API through CachedDataOptions, attackers can bypass the sandbox and run arbitrary code in the nodejs process. Version 4.3.7 changes the documentation to warn users that they should not accept `cachedData` payloads from a user.
CVE-2022-39060 1 Changingtec 1 Megaservisignadapter 2026-06-17 N/A 9.8 CRITICAL
ChangingTech MegaServiSignAdapter component has a vulnerability of improper input validation. An unauthenticated remote attacker can exploit this vulnerability to access and modify HKEY_CURRENT_USER subkey (ex: AutoRUN) in Registry where malicious scripts can be executed to take control of the system or to terminate the service.
CVE-2022-39012 1 Huawei 2 Aslan-al10, Aslan-al10 Firmware 2026-06-17 N/A 7.5 HIGH
Huawei Aslan Children's Watch has an improper input validation vulnerability. Successful exploitation may cause the watch's application service abnormal.
CVE-2022-38985 1 Huawei 2 Emui, Harmonyos 2026-06-17 N/A 7.5 HIGH
The facial recognition module has a vulnerability in input validation.Successful exploitation of this vulnerability may affect data confidentiality.
CVE-2022-38900 1 Decode-uri-component Project 1 Decode-uri-component 2026-06-17 N/A 7.5 HIGH
decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.
CVE-2022-38778 2 Decode-uri-component Project, Elastic 2 Decode-uri-component, Kibana 2026-06-17 N/A 6.5 MEDIUM
A flaw (CVE-2022-38900) was discovered in one of Kibana’s third party dependencies, that could allow an authenticated user to perform a request that crashes the Kibana server process.
CVE-2022-38435 3 Adobe, Apple, Microsoft 3 Illustrator, Macos, Windows 2026-06-17 N/A 7.8 HIGH
Adobe Illustrator versions 26.4 (and earlier) and 25.4.7 (and earlier) are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
CVE-2022-38408 3 Adobe, Apple, Microsoft 3 Illustrator, Macos, Windows 2026-06-17 N/A 7.8 HIGH
Adobe Illustrator versions 26.4 (and earlier) and 25.4.7 (and earlier) are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. requires user interaction in that a victim must open a malicious file.
CVE-2022-38385 2 Ibm, Linux 2 Cloud Pak For Security, Linux Kernel 2026-06-17 N/A 7.1 HIGH
IBM Cloud Pak for Security (CP4S) 1.10.0.0 through 1.10.2.0 could allow an authenticated user to obtain highly sensitive information or perform unauthorized actions due to improper input validation. IBM X-Force ID: 233777.