Top 10 CVEs of 2022
Six data-derived top-10 lists for CVEs published or KEV-added in 2022. No editorial scoring; everything below is computed directly from the ingested corpus.
Top 10 most severe CVEs of 2022
Ranked by CVSS v3 base score, descending. Ties broken by KEV status, then EPSS score, then publish date.
| # | CVE | Severity | CVSS | KEV | Summary |
|---|---|---|---|---|---|
| 1 | CVE-2022-0543 | Critical | 10.0 | KEV | It was discovered that redis, a persistent key-value database, due to a packaging issue, is prone to a (Debian-specific) Lua sandbox escape, which could result in remote code execution. |
| 2 | CVE-2022-24816 | Critical | 10.0 | KEV | JAI-EXT is an open-source project which aims to extend the Java Advanced Imaging (JAI) API; programs that accept Jiffle scripts via network request are exposed to remote code execution, because the script is compiled into Java code via Janino and executed. |
| 3 | CVE-2022-22947 | Critical | 10.0 | KEV | In Spring Cloud Gateway versions prior to 3.1.1+ and 3.0.7+, applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. |
| 4 | CVE-2022-22536 | Critical | 10.0 | KEV | SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable to request smuggling and request concatenation. |
| 5 | CVE-2022-27593 | Critical | 10.0 | KEV | An externally controlled reference to a resource vulnerability has been reported to affect QNAP NAS running Photo Station. |
| 6 | CVE-2022-20699 | Critical | 10.0 | KEV | Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: Execute arbitrary code Elevate privileges Execute arbitrary commands Bypass authentication a… |
| 7 | CVE-2022-20708 | Critical | 10.0 | KEV | Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: Execute arbitrary code Elevate privileges Execute arbitrary commands Bypass authentication a… |
| 8 | CVE-2022-20701 | Critical | 10.0 | KEV | Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: Execute arbitrary code Elevate privileges Execute arbitrary commands Bypass authentication a… |
| 9 | CVE-2022-20703 | Critical | 10.0 | KEV | Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: Execute arbitrary code Elevate privileges Execute arbitrary commands Bypass authentication a… |
| 10 | CVE-2022-20700 | Critical | 10.0 | KEV | Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: Execute arbitrary code Elevate privileges Execute arbitrary commands Bypass authentication a… |
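Every entry above scores 10.0, so the order you see is entirely the product of the tie-break chain (KEV status, then EPSS, then publish date). The following Python is an added illustration of that ranking key, not the page's own pipeline: the CVE ids are taken from this page, but the EPSS values and dates are constructed placeholders, and the direction of the final publish-date tie-break (earliest first) is an assumption the page does not state. The severity bands follow the CVSS v3 qualitative scale that the Severity column uses.

```python
from dataclasses import dataclass
from datetime import date

# CVSS v3.x qualitative severity scale: lower bound of each band.
CVSS_V3_BANDS = ((0.0, "None"), (0.1, "Low"), (4.0, "Medium"), (7.0, "High"), (9.0, "Critical"))


def cvss_severity(score: float) -> str:
    """Map a CVSS v3 base score to the band shown in the Severity column."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS v3 base score out of range: {score}")
    label = "None"
    for floor, name in CVSS_V3_BANDS:
        if score >= floor:
            label = name
    return label


@dataclass(frozen=True)
class Cve:
    id: str
    cvss: float
    kev: bool        # present in the CISA KEV catalog
    epss: float      # EPSS probability, 0.0 to 1.0
    published: date  # NVD publish date


def severity_sort_key(c: Cve):
    """CVSS descending, KEV entries first, EPSS descending, then earliest published first.
    Sorting the date ascending is an assumption; the page does not state the direction."""
    return (-c.cvss, not c.kev, -c.epss, c.published)


def rank_most_severe(cves, n: int = 10):
    """Ids of the top-n CVEs under the ranking above."""
    return [c.id for c in sorted(cves, key=severity_sort_key)[:n]]


def table_rows(cves, n: int = 10):
    """Rows in the page's column order: rank, CVE, severity, CVSS, KEV marker."""
    ranked = sorted(cves, key=severity_sort_key)[:n]
    return [(i, c.id, cvss_severity(c.cvss), c.cvss, "KEV" if c.kev else "-")
            for i, c in enumerate(ranked, start=1)]


# Constructed sample: ids are from the page, but the EPSS values and dates are
# illustrative placeholders, not the corpus values.
SAMPLE = [
    Cve("CVE-2022-22947", 10.0, True, 0.96, date(2022, 3, 3)),
    Cve("CVE-2022-0543", 10.0, True, 0.97, date(2022, 2, 18)),
    Cve("CVE-2022-24816", 10.0, True, 0.97, date(2022, 4, 13)),
    Cve("CVE-2022-42889", 9.8, False, 0.97, date(2022, 10, 13)),
    Cve("CVE-2022-44698", 5.4, True, 0.10, date(2022, 12, 13)),
]

if __name__ == "__main__":
    for row in table_rows(SAMPLE):
        print("| " + " | ".join(str(x) for x in row) + " |")
```

Note that `not c.kev` sorts KEV entries first because `False < True`; if you add a further tie-break, keep every component of the key tuple pointing in a consistent direction or the sort becomes impossible to reason about.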
Top 10 actively exploited CVEs of 2022
CVEs added to the CISA Known Exploited Vulnerabilities catalog during 2022, ordered by date added, newest first. Inclusion is by catalog date rather than CVE year, which is why older CVEs such as the two 2018 TIBCO JasperReports entries appear. The catalog only began in November 2021, so this list is empty for earlier years.
| # | CVE | Severity | CVSS | KEV | Added | Summary |
|---|---|---|---|---|---|---|
| 1 | CVE-2018-18809 | Medium | 6.5 | KEV | 2022-12-29 | The default server implementation of TIBCO Software Inc.'s TIBCO JasperReports Library, TIBCO JasperReports Library Community Edition, TIBCO JasperReports Library for ActiveMatrix BPM, TIBCO JasperReports Server, TIBCO JasperReports Server… |
| 2 | CVE-2018-5430 | High | 8.8 | KEV | 2022-12-29 | The Spring web flows of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, and TIBCO Jaspersoft Repo… |
| 3 | CVE-2022-42856 | High | 8.8 | KEV | 2022-12-14 | A type confusion issue in WebKit was addressed with improved state handling; processing maliciously crafted web content may lead to arbitrary code execution. |
| 4 | CVE-2022-42475 | Critical | 9.8 | KEV | 2022-12-13 | A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN 7.2.0 through 7.2.2, 7.0.0 through 7.0.8, 6.4.0 through 6.4.10, 6.2.0 through 6.2.11, 6.0.15 and earlier and FortiProxy SSL-VPN 7.2.0 through 7.2.1, 7.0.7 and earlier… |
| 5 | CVE-2022-44698 | Medium | 5.4 | KEV | 2022-12-13 | Windows SmartScreen Security Feature Bypass Vulnerability |
| 6 | CVE-2022-27518 | Critical | 9.8 | KEV | 2022-12-13 | Unauthenticated remote arbitrary code execution in Citrix ADC and Citrix Gateway when configured as a SAML SP or SAML IdP. |
| 7 | CVE-2022-26501 | Critical | 9.8 | KEV | 2022-12-13 | Veeam Backup & Replication 10.x and 11.x has Incorrect Access Control (issue 1 of 2). |
| 8 | CVE-2022-26500 | High | 8.8 | KEV | 2022-12-13 | Improper limitation of path names in Veeam Backup & Replication 9.5U3, 9.5U4,10.x, and 11.x allows remote authenticated users access to internal API functions that allows attackers to upload and execute arbitrary code. |
| 9 | CVE-2022-4262 | High | 8.8 | KEV | 2022-12-05 | Type confusion in V8 in Google Chrome prior to 108.0.5359.94 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. |
| 10 | CVE-2022-4135 | Critical | 9.6 | KEV | 2022-11-28 | Heap buffer overflow in GPU in Google Chrome prior to 107.0.5304.121 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. |
Top 10 highest-EPSS CVEs of 2022
FIRST.org Exploit Prediction Scoring System (EPSS) scores, descending. EPSS estimates the probability that exploitation activity against a CVE will be observed in the wild within the next 30 days. Scores are a snapshot of the model at ingestion time, and 1.000 is the scale's ceiling, so ties at the top are expected.
| # | CVE | Severity | CVSS | KEV | EPSS | Summary |
|---|---|---|---|---|---|---|
| 1 | CVE-2022-29464 | Critical | 9.8 | KEV | 1.000 | Certain WSO2 products allow unrestricted file upload with resultant remote code execution. |
| 2 | CVE-2022-26134 | Critical | 9.8 | KEV | 1.000 | In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. |
| 3 | CVE-2022-22954 | Critical | 9.8 | KEV | 1.000 | VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection. |
| 4 | CVE-2022-44877 | Critical | 9.8 | KEV | 1.000 | login/index.php in CWP (aka Control Web Panel or CentOS Web Panel) 7 before 0.9.8.1147 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the login parameter. |
| 5 | CVE-2022-40684 | Critical | 9.8 | KEV | 1.000 | An authentication bypass using an alternate path or channel [CWE-288] in Fortinet FortiOS version 7.2.0 through 7.2.1 and 7.0.0 through 7.0.6, FortiProxy version 7.2.0 and version 7.0.0 through 7.0.6 and FortiSwitchManager version 7.2.0 an… |
| 6 | CVE-2022-47986 | Critical | 9.8 | KEV | 1.000 | IBM Aspera Faspex 4.4.2 Patch Level 1 and earlier could allow a remote attacker to execute arbitrary code on the system, caused by a YAML deserialization flaw. |
| 7 | CVE-2022-41082 | High | 8.0 | KEV | 1.000 | Microsoft Exchange Server Remote Code Execution Vulnerability (the RCE half of the ProxyNotShell chain, paired with CVE-2022-41040). |
| 8 | CVE-2022-1388 | Critical | 9.8 | KEV | 1.000 | On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, undisclosed requests may bypass iControl REST authen… |
| 9 | CVE-2022-41040 | High | 8.8 | KEV | 0.999 | Microsoft Exchange Server Elevation of Privilege Vulnerability (the SSRF half of the ProxyNotShell chain, paired with CVE-2022-41082). |
| 10 | CVE-2022-35405 | Critical | 9.8 | KEV | 0.999 | Zoho ManageEngine Password Manager Pro before 12101 and PAM360 before 5510 are vulnerable to unauthenticated remote code execution. |
Top 10 most PoC-covered CVEs of 2022
Ranked by the count of indexed public proof-of-concept repositories. A high count means exploit code is readily available, which correlates with weaponisation effort but also with how simple a bug is to reproduce; it is not a severity measure. CVE-2022-0847 (Dirty Pipe), a local privilege escalation, tops the list ahead of several unauthenticated remote code execution bugs.
| # | CVE | Severity | CVSS | KEV | PoCs | Summary |
|---|---|---|---|---|---|---|
| 1 | CVE-2022-0847 | High | 7.8 | KEV | 557 | A flaw was found in the way the "flags" member of the new pipe buffer structure was lacking proper initialization in copy_page_to_iter_pipe and push_pipe functions in the Linux kernel and could thus contain stale values. |
| 2 | CVE-2022-22965 | Critical | 9.8 | KEV | 480 | A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. |
| 3 | CVE-2022-26134 | Critical | 9.8 | KEV | 299 | In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. |
| 4 | CVE-2022-30190 | High | 7.8 | KEV | 267 | A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. |
| 5 | CVE-2022-22947 | Critical | 10.0 | KEV | 244 | In spring cloud gateway versions prior to 3.1.1+ and 3.0.7+ , applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. |
| 6 | CVE-2022-1388 | Critical | 9.8 | KEV | 220 | On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, undisclosed requests may bypass iControl REST authen… |
| 7 | CVE-2022-22963 | Critical | 9.8 | KEV | 202 | In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution… |
| 8 | CVE-2022-42889 | Critical | 9.8 | — | 154 | Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. |
| 9 | CVE-2022-22954 | Critical | 9.8 | KEV | 136 | VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection. |
| 10 | CVE-2022-29464 | Critical | 9.8 | KEV | 133 | Certain WSO2 products allow unrestricted file upload with resultant remote code execution. |
Top 10 most-vulnerable vendors of 2022
Vendors ranked by distinct CVE count for the year. A CVE is counted once for every vendor that has a product attached to it in our CPE map, so a single CVE attributed to both an upstream project and the distributions that repackage it counts toward each of them. This is why Linux, Fedoraproject, Debian and Netapp rank alongside primary software vendors, and why the column does not sum to the number of CVEs published. The 'N/a' and 'Unknown' rows hold CVEs whose CPE entries carry no usable vendor; they are kept so the totals reconcile but are not vendors.
| # | Vendor | CVE count |
|---|---|---|
| 1 | N/a | 8900 |
| 2 | Linux | 2690 |
| 3 | (vendor name not recorded) | 1906 |
| 4 | Microsoft | 1774 |
| 5 | Unknown | 1175 |
| 6 | Apple | 901 |
| 7 | Fedoraproject | 835 |
| 8 | Debian | 800 |
| 9 | Oracle | 506 |
| 10 | Netapp | 428 |
Top 10 most-common CWEs of 2022
CWE classification ids ranked by the count of CVEs published in the year that carry them. Each CVE typically lists 1–3 CWE ids; counts reflect the union of those lists across the year's corpus.
| # | CWE | Name | CVE count |
|---|---|---|---|
| 1 | CWE-79 | Cross-site Scripting | 3052 |
| 2 | CWE-787 | Out-of-bounds Write | 2201 |
| 3 | CWE-89 | SQL Injection | 1661 |
| 4 | CWE-125 | Out-of-bounds Read | 895 |
| 5 | CWE-416 | Use After Free | 879 |
| 6 | CWE-22 | Path Traversal | 736 |
| 7 | CWE-352 | Cross-Site Request Forgery (CSRF) | 734 |
| 8 | CWE-78 | OS Command Injection | 649 |
| 9 | CWE-20 | Improper Input Validation | 646 |
| 10 | CWE-862 | Missing Authorization | 627 |
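Both the vendor table and the CWE table are distinct-CVE counts keyed by something extracted from each CVE record: the vendor field of every attached CPE 2.3 string, or the deduplicated CWE list. The Python below is an added illustration of both counts, not the page's own pipeline. The CVE ids come from this page, but the CPE and CWE attachments on the sample records are constructed for illustration, and the unmapped bucket name mirrors the 'N/a' row above. It shows the cross-vendor attribution the vendor caption describes: one CVE attached to both redis and two debian_linux CPEs is counted once for redis and once for debian, so the vendor totals exceed the number of CVEs.

```python
import re
from collections import defaultdict

# Split a CPE 2.3 formatted string on colons that are not backslash-escaped.
_CPE_SPLIT = re.compile(r"(?<!\\):")


def cpe_vendor(cpe: str) -> str:
    """Return the vendor field (index 3) of a CPE 2.3 formatted string."""
    parts = _CPE_SPLIT.split(cpe)
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return parts[3].replace("\\:", ":")


UNMAPPED = "N/a"  # bucket for CVEs with no CPE in the map, as in the vendor table


def vendor_cve_counts(records):
    """Distinct CVEs per vendor. A CVE with CPEs from several vendors is counted
    once for each of them, so the values do not sum to the number of CVEs."""
    seen = defaultdict(set)
    for rec in records:
        vendors = {cpe_vendor(c) for c in rec["cpes"]} or {UNMAPPED}
        for v in vendors:
            seen[v].add(rec["id"])
    return {v: len(ids) for v, ids in seen.items()}


def cwe_cve_counts(records):
    """Distinct CVEs per CWE id: the union of each CVE's CWE list, deduplicated per CVE."""
    seen = defaultdict(set)
    for rec in records:
        for cwe in set(rec["cwes"]):
            seen[cwe].add(rec["id"])
    return {cwe: len(ids) for cwe, ids in seen.items()}


def top(counts, n=10):
    """Top-n (key, count) pairs, highest count first, key name as the tie-break."""
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


# Constructed sample records, not corpus data: ids are from the page, but the
# CPE and CWE attachments are illustrative.
SAMPLE = [
    {"id": "CVE-2022-0543", "cwes": ["CWE-862"], "cpes": [
        "cpe:2.3:a:redis:redis:*:*:*:*:*:*:*:*",
        "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
        "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*"]},
    {"id": "CVE-2022-22965", "cwes": ["CWE-94", "CWE-94"], "cpes": [
        "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*"]},
    {"id": "CVE-2022-22963", "cwes": ["CWE-94", "CWE-917"], "cpes": [
        "cpe:2.3:a:vmware:spring_cloud_function:*:*:*:*:*:*:*:*"]},
    {"id": "CVE-2022-30190", "cwes": ["CWE-610"], "cpes": []},  # no CPE, lands in "N/a"
]

if __name__ == "__main__":
    for vendor, n in top(vendor_cve_counts(SAMPLE)):
        print(f"{vendor:<10} {n}")
    for cwe, n in top(cwe_cve_counts(SAMPLE)):
        print(f"{cwe:<10} {n}")
```

The escape-aware split matters in practice: CPE 2.3 allows `\:` inside a field, and a naive `split(":")` silently shifts the vendor column on such entries, which is one way a vendor ends up as an empty string in a table like the one above.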