Top 10 CVEs of 2022


Six data-derived top-10 lists for CVEs published or KEV-added in 2022. No editorial scoring; everything below is computed directly from the ingested corpus.

Top 10 most severe CVEs of 2022

Ranked by CVSS v3 base score, descending. Ties broken by KEV status, then EPSS score, then publish date.

| # | CVE | Severity | CVSS | KEV | Summary |
|---|-----|----------|------|-----|---------|
| 1 | CVE-2022-0543 | Critical | 10.0 | KEV | It was discovered, that redis, a persistent key-value database, due to a packaging issue, is prone to a (Debian-specific) Lua sandbox escape, which could result in remote code execution. |
| 2 | CVE-2022-24816 | Critical | 10.0 | KEV | JAI-EXT is an open-source project which aims to extend the Java Advanced Imaging (JAI) API. |
| 3 | CVE-2022-22947 | Critical | 10.0 | KEV | In spring cloud gateway versions prior to 3.1.1+ and 3.0.7+, applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. |
| 4 | CVE-2022-22536 | Critical | 10.0 | KEV | SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable for request smuggling and request concatenation. |
| 5 | CVE-2022-27593 | Critical | 10.0 | KEV | An externally controlled reference to a resource vulnerability has been reported to affect QNAP NAS running Photo Station. |
| 6 | CVE-2022-20699 | Critical | 10.0 | KEV | Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: Execute arbitrary code Elevate privileges Execute arbitrary commands Bypass authentication a… |
| 7 | CVE-2022-20708 | Critical | 10.0 | KEV | Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: Execute arbitrary code Elevate privileges Execute arbitrary commands Bypass authentication a… |
| 8 | CVE-2022-20701 | Critical | 10.0 | KEV | Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: Execute arbitrary code Elevate privileges Execute arbitrary commands Bypass authentication a… |
| 9 | CVE-2022-20703 | Critical | 10.0 | KEV | Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: Execute arbitrary code Elevate privileges Execute arbitrary commands Bypass authentication a… |
| 10 | CVE-2022-20700 | Critical | 10.0 | KEV | Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: Execute arbitrary code Elevate privileges Execute arbitrary commands Bypass authentication a… |

Top 10 actively exploited CVEs of 2022

CVEs added to the CISA Known Exploited Vulnerabilities (KEV) catalog during the year, newest first by KEV-added date. The CVE itself may be older than 2022; the list is empty for pre-2021 years because the catalog did not exist before then.

| # | CVE | Severity | CVSS | KEV | Added | Summary |
|---|-----|----------|------|-----|-------|---------|
| 1 | CVE-2018-18809 | Medium | 6.5 | KEV | 2022-12-29 | The default server implementation of TIBCO Software Inc.'s TIBCO JasperReports Library, TIBCO JasperReports Library Community Edition, TIBCO JasperReports Library for ActiveMatrix BPM, TIBCO JasperReports Server, TIBCO JasperReports Server… |
| 2 | CVE-2018-5430 | High | 8.8 | KEV | 2022-12-29 | The Spring web flows of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, and TIBCO Jaspersoft Repo… |
| 3 | CVE-2022-42856 | High | 8.8 | KEV | 2022-12-14 | A type confusion issue was addressed with improved state handling. |
| 4 | CVE-2022-42475 | Critical | 9.8 | KEV | 2022-12-13 | A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN 7.2.0 through 7.2.2, 7.0.0 through 7.0.8, 6.4.0 through 6.4.10, 6.2.0 through 6.2.11, 6.0.15 and earlier and FortiProxy SSL-VPN 7.2.0 through 7.2.1, 7.0.7 and earlier… |
| 5 | CVE-2022-44698 | Medium | 5.4 | KEV | 2022-12-13 | Windows SmartScreen Security Feature Bypass Vulnerability |
| 6 | CVE-2022-27518 | Critical | 9.8 | KEV | 2022-12-13 | Unauthenticated remote arbitrary code execution |
| 7 | CVE-2022-26501 | Critical | 9.8 | KEV | 2022-12-13 | Veeam Backup & Replication 10.x and 11.x has Incorrect Access Control (issue 1 of 2). |
| 8 | CVE-2022-26500 | High | 8.8 | KEV | 2022-12-13 | Improper limitation of path names in Veeam Backup & Replication 9.5U3, 9.5U4, 10.x, and 11.x allows remote authenticated users access to internal API functions that allows attackers to upload and execute arbitrary code. |
| 9 | CVE-2022-4262 | High | 8.8 | KEV | 2022-12-05 | Type confusion in V8 in Google Chrome prior to 108.0.5359.94 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. |
| 10 | CVE-2022-4135 | Critical | 9.6 | KEV | 2022-11-28 | Heap buffer overflow in GPU in Google Chrome prior to 107.0.5304.121 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. |

Top 10 highest-EPSS CVEs of 2022

FIRST.org Exploit Prediction Scoring System scores, descending. EPSS estimates the probability a CVE will be exploited in the next 30 days.

| # | CVE | Severity | CVSS | KEV | EPSS | Summary |
|---|-----|----------|------|-----|------|---------|
| 1 | CVE-2022-29464 | Critical | 9.8 | KEV | 1.000 | Certain WSO2 products allow unrestricted file upload with resultant remote code execution. |
| 2 | CVE-2022-26134 | Critical | 9.8 | KEV | 1.000 | In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. |
| 3 | CVE-2022-22954 | Critical | 9.8 | KEV | 1.000 | VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection. |
| 4 | CVE-2022-44877 | Critical | 9.8 | KEV | 1.000 | login/index.php in CWP (aka Control Web Panel or CentOS Web Panel) 7 before 0.9.8.1147 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the login parameter. |
| 5 | CVE-2022-40684 | Critical | 9.8 | KEV | 1.000 | An authentication bypass using an alternate path or channel [CWE-288] in Fortinet FortiOS version 7.2.0 through 7.2.1 and 7.0.0 through 7.0.6, FortiProxy version 7.2.0 and version 7.0.0 through 7.0.6 and FortiSwitchManager version 7.2.0 an… |
| 6 | CVE-2022-47986 | Critical | 9.8 | KEV | 1.000 | IBM Aspera Faspex 4.4.2 Patch Level 1 and earlier could allow a remote attacker to execute arbitrary code on the system, caused by a YAML deserialization flaw. |
| 7 | CVE-2022-41082 | High | 8.0 | KEV | 1.000 | Microsoft Exchange Server Remote Code Execution Vulnerability |
| 8 | CVE-2022-1388 | Critical | 9.8 | KEV | 1.000 | On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, undisclosed requests may bypass iControl REST authen… |
| 9 | CVE-2022-41040 | High | 8.8 | KEV | 0.999 | Microsoft Exchange Server Elevation of Privilege Vulnerability |
| 10 | CVE-2022-35405 | Critical | 9.8 | KEV | 0.999 | Zoho ManageEngine Password Manager Pro before 12101 and PAM360 before 5510 are vulnerable to unauthenticated remote code execution. |

Top 10 most PoC-covered CVEs of 2022

Ranked by the count of indexed public proof-of-concept (PoC) repositories, descending. Higher counts correlate with weaponisation effort, but the count measures public interest, not the quality or reliability of any individual PoC.

| # | CVE | Severity | CVSS | KEV | PoCs | Summary |
|---|-----|----------|------|-----|------|---------|
| 1 | CVE-2022-0847 | High | 7.8 | KEV | 557 | A flaw was found in the way the "flags" member of the new pipe buffer structure was lacking proper initialization in copy_page_to_iter_pipe and push_pipe functions in the Linux kernel and could thus contain stale values. |
| 2 | CVE-2022-22965 | Critical | 9.8 | KEV | 480 | A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. |
| 3 | CVE-2022-26134 | Critical | 9.8 | KEV | 299 | In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. |
| 4 | CVE-2022-30190 | High | 7.8 | KEV | 267 | A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. |
| 5 | CVE-2022-22947 | Critical | 10.0 | KEV | 244 | In spring cloud gateway versions prior to 3.1.1+ and 3.0.7+, applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. |
| 6 | CVE-2022-1388 | Critical | 9.8 | KEV | 220 | On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, undisclosed requests may bypass iControl REST authen… |
| 7 | CVE-2022-22963 | Critical | 9.8 | KEV | 202 | In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution… |
| 8 | CVE-2022-42889 | Critical | 9.8 | (not in KEV) | 154 | Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. |
| 9 | CVE-2022-22954 | Critical | 9.8 | KEV | 136 | VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection. |
| 10 | CVE-2022-29464 | Critical | 9.8 | KEV | 133 | Certain WSO2 products allow unrestricted file upload with resultant remote code execution. |

Top 10 most-vulnerable vendors of 2022

Vendors ranked by distinct CVE count for the year, descending. Counts include every CVE attached to any product the vendor ships in our CPE map; "N/a" and "Unknown" are CVEs whose CPE data carries no resolvable vendor, and operating-system distributors (Linux, Fedoraproject, Debian) accumulate counts for every upstream package they ship.

| # | Vendor | CVE count |
|---|--------|-----------|
| 1 | N/a | 8900 |
| 2 | Linux | 2690 |
| 3 | Google | 1906 |
| 4 | Microsoft | 1774 |
| 5 | Unknown | 1175 |
| 6 | Apple | 901 |
| 7 | Fedoraproject | 835 |
| 8 | Debian | 800 |
| 9 | Oracle | 506 |
| 10 | Netapp | 428 |

Top 10 most-common CWEs of 2022

CWE classification ids ranked by the count of CVEs published in the year that carry them, descending. Each CVE typically lists 1–3 CWE ids, so a single CVE can count towards several rows; counts reflect the union of those lists across the year's corpus.

| # | CWE | Name | CVE count |
|---|-----|------|-----------|
| 1 | CWE-79 | Cross-site Scripting | 3052 |
| 2 | CWE-787 | Out-of-bounds Write | 2201 |
| 3 | CWE-89 | SQL Injection | 1661 |
| 4 | CWE-125 | Out-of-bounds Read | 895 |
| 5 | CWE-416 | Use After Free | 879 |
| 6 | CWE-22 | Path Traversal | 736 |
| 7 | CWE-352 | Cross-Site Request Forgery (CSRF) | 734 |
| 8 | CWE-78 | OS Command Injection | 649 |
| 9 | CWE-20 | Improper Input Validation | 646 |
| 10 | CWE-862 | Missing Authorization | 627 |