Top 10 CVEs of 2023

Six data-derived top-10 lists for CVEs published or KEV-added in 2023. No editorial scoring; everything below is computed directly from the ingested corpus.

Top 10 most severe CVEs of 2023

Ranked by CVSS v3 base score, descending. Ties broken by KEV status, then EPSS score, then publish date.

| # | CVE | Severity | CVSS | KEV | Summary |
|---|-----|----------|------|-----|---------|
| 1 | CVE-2023-46604 | Critical | 10.0 | KEV | The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. |
| 2 | CVE-2023-20198 | Critical | 10.0 | KEV | Cisco is providing an update for the ongoing investigation into observed exploitation of the web UI feature in Cisco IOS XE Software. |
| 3 | CVE-2023-7028 | Critical | 10.0 | KEV | An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which… |
| 4 | CVE-2023-40044 | Critical | 10.0 | KEV | In WS_FTP Server versions prior to 8.7.4 and 8.8.2, a pre-authenticated attacker could leverage a .NET deserialization vulnerability in the Ad Hoc Transfer module to execute remote commands on the underlying WS_FTP Server operating system. |
| 5 | CVE-2023-49103 | Critical | 10.0 | KEV | An issue was discovered in ownCloud owncloud/graphapi 0.2.x before 0.2.1 and 0.3.x before 0.3.1. |
| 6 | CVE-2023-41892 | Critical | 10.0 | | Craft CMS is a platform for creating digital experiences. |
| 7 | CVE-2023-46731 | Critical | 10.0 | | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. |
| 8 | CVE-2023-26477 | Critical | 10.0 | | XWiki Platform is a generic wiki platform. |
| 9 | CVE-2023-27482 | Critical | 10.0 | | homeassistant is an open source home automation tool. |
| 10 | CVE-2023-2825 | Critical | 10.0 | | An issue has been discovered in GitLab CE/EE affecting only version 16.0.0. |

Top 10 actively exploited CVEs of 2023

CVEs added to the CISA Known Exploited Vulnerabilities catalog during the year, newest first. Empty for pre-2021 years.

| # | CVE | Severity | CVSS | KEV | Added | Summary |
|---|-----|----------|------|-----|-------|---------|
| 1 | CVE-2023-47565 | High | 8.0 | KEV | 2023-12-21 | An OS command injection vulnerability has been found to affect legacy QNAP VioStor NVR models running QVR Firmware 4.x. |
| 2 | CVE-2023-49897 | High | 8.8 | KEV | 2023-12-21 | An OS command injection vulnerability exists in AE1021PE firmware version 2.0.9 and earlier and AE1021 firmware version 2.0.9 and earlier. |
| 3 | CVE-2023-6448 | Critical | 9.8 | KEV | 2023-12-11 | Unitronics VisiLogic before version 9.9.00, used in Vision and Samba PLCs and HMIs, uses a default administrative password. |
| 4 | CVE-2023-41266 | High | 8.2 | KEV | 2023-12-07 | A path traversal vulnerability found in Qlik Sense Enterprise for Windows for versions May 2023 Patch 3 and earlier, February 2023 Patch 7 and earlier, November 2022 Patch 10 and earlier, and August 2022 Patch 12 and earlier allows an unau… |
| 5 | CVE-2023-41265 | Critical | 9.6 | KEV | 2023-12-07 | An HTTP Request Tunneling vulnerability found in Qlik Sense Enterprise for Windows for versions May 2023 Patch 3 and earlier, February 2023 Patch 7 and earlier, November 2022 Patch 10 and earlier, and August 2022 Patch 12 and earlier allow… |
| 6 | CVE-2023-33107 | High | 8.4 | KEV | 2023-12-05 | Memory corruption in Graphics Linux while assigning shared virtual memory region during IOCTL call. |
| 7 | CVE-2023-33106 | High | 8.4 | KEV | 2023-12-05 | Memory corruption while submitting a large list of sync points in an AUX command to the IOCTL_KGSL_GPU_AUX_COMMAND. |
| 8 | CVE-2023-33063 | High | 7.8 | KEV | 2023-12-05 | Memory corruption in DSP Services during a remote call from HLOS to DSP. |
| 9 | CVE-2022-22071 | High | 8.4 | KEV | 2023-12-05 | Possible use after free when process shell memory is freed using IOCTL munmap call and process initialization is in progress in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IO… |
| 10 | CVE-2023-42917 | High | 8.8 | KEV | 2023-12-04 | A memory corruption vulnerability was addressed with improved locking. |

Top 10 highest-EPSS CVEs of 2023

FIRST.org Exploit Prediction Scoring System scores, descending. EPSS estimates the probability a CVE will be exploited in the next 30 days.

| # | CVE | Severity | CVSS | KEV | EPSS | Summary |
|---|-----|----------|------|-----|------|---------|
| 1 | CVE-2023-22518 | Critical | 9.8 | KEV | 1.000 | All versions of Confluence Data Center and Server are affected by this unexploited vulnerability. |
| 2 | CVE-2023-44487 | High | 7.5 | KEV | 1.000 | The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. |
| 3 | CVE-2023-35082 | Critical | 9.8 | KEV | 1.000 | An authentication bypass vulnerability in Ivanti EPMM 11.10 and older, allows unauthorized users to access restricted functionality or resources of the application without proper authentication. |
| 4 | CVE-2023-0669 | High | 7.2 | KEV | 1.000 | Fortra (formerly, HelpSystems) GoAnywhere MFT suffers from a pre-authentication command injection vulnerability in the License Response Servlet due to deserializing an arbitrary attacker-controlled object. |
| 5 | CVE-2023-35078 | Critical | 9.8 | KEV | 1.000 | An authentication bypass vulnerability in Ivanti EPMM allows unauthorized users to access restricted functionality or resources of the application without proper authentication. |
| 6 | CVE-2023-4966 | Critical | 9.4 | KEV | 1.000 | Sensitive information disclosure in NetScaler ADC and NetScaler Gateway when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server. |
| 7 | CVE-2023-27350 | Critical | 9.8 | KEV | 1.000 | This vulnerability allows remote attackers to bypass authentication on affected installations of PaperCut NG 22.0.5 (Build 63914). |
| 8 | CVE-2023-1671 | Critical | 9.8 | KEV | 1.000 | A pre-auth command injection vulnerability in the warn-proceed handler of Sophos Web Appliance older than version 4.3.10.4 allows execution of arbitrary code. |
| 9 | CVE-2023-1389 | High | 8.8 | KEV | 1.000 | TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 Build 20230219 contained a command injection vulnerability in the country form of the /cgi-bin/luci;stok=/locale endpoint on the web management interface. |
| 10 | CVE-2023-32315 | High | 8.6 | KEV | 1.000 | Openfire is an XMPP server licensed under the Open Source Apache License. |

Top 10 most PoC-covered CVEs of 2023

Ranked by the count of indexed public proof-of-concept repositories. Higher counts correlate with weaponisation effort.

| # | CVE | Severity | CVSS | KEV | PoCs | Summary |
|---|-----|----------|------|-----|------|---------|
| 1 | CVE-2023-23752 | Medium | 5.3 | KEV | 195 | An issue was discovered in Joomla! |
| 2 | CVE-2023-1234 | Medium | 4.3 | | 189 | Inappropriate implementation in Intents in Google Chrome on Android prior to 111.0.5563.64 allowed a remote attacker to perform domain spoofing via a crafted HTML page. |
| 3 | CVE-2023-38831 | High | 7.8 | KEV | 167 | RARLAB WinRAR before 6.23 allows attackers to execute arbitrary code when a user attempts to view a benign file within a ZIP archive. |
| 4 | CVE-2023-44487 | High | 7.5 | KEV | 141 | The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. |
| 5 | CVE-2023-22515 | Critical | 9.8 | KEV | 136 | Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauth… |
| 6 | CVE-2023-23397 | Critical | 9.8 | KEV | 127 | Microsoft Outlook Elevation of Privilege Vulnerability |
| 7 | CVE-2023-7028 | Critical | 10.0 | KEV | 126 | An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which… |
| 8 | CVE-2023-0001 | Medium | 6.0 | | 116 | An information exposure vulnerability in the Palo Alto Networks Cortex XDR agent on Windows devices allows a local system administrator to disclose the admin password for the agent in cleartext, which bad actors can then use to execute pri… |
| 9 | CVE-2023-20198 | Critical | 10.0 | KEV | 109 | Cisco is providing an update for the ongoing investigation into observed exploitation of the web UI feature in Cisco IOS XE Software. |
| 10 | CVE-2023-46604 | Critical | 10.0 | KEV | 106 | The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. |

Top 10 most-vulnerable vendors of 2023

Vendors ranked by distinct CVE count for the year. Counts include every CVE attached to any product the vendor ships in our CPE map.

| # | Vendor | CVE count |
|---|--------|-----------|
| 1 | N/a | 7175 |
| 2 | Linux | 2212 |
| 3 | Microsoft | 1836 |
| 4 | Google | 1546 |
| 5 | Apple | 982 |
| 6 | Unknown | 827 |
| 7 | Adobe | 633 |
| 8 | Fedoraproject | 566 |
| 9 | Ibm | 529 |
| 10 | Debian | 523 |

Top 10 most-common CWEs of 2023

CWE classification IDs ranked by the count of CVEs published in the year that carry them. Each CVE typically lists 1–3 CWE IDs; counts reflect the union of those lists across the year's corpus, so a CVE with several CWEs contributes to each of them.

| # | CWE | Name | CVE count |
|---|-----|------|-----------|
| 1 | CWE-79 | Cross-site Scripting | 4711 |
| 2 | CWE-787 | Out-of-bounds Write | 2101 |
| 3 | CWE-89 | SQL Injection | 1861 |
| 4 | CWE-862 | Missing Authorization | 1228 |
| 5 | CWE-352 | Cross-Site Request Forgery (CSRF) | 1184 |
| 6 | CWE-125 | Out-of-bounds Read | 1012 |
| 7 | CWE-416 | Use After Free | 809 |
| 8 | CWE-20 | Improper Input Validation | 796 |
| 9 | CWE-22 | Path Traversal | 781 |
| 10 | CWE-78 | OS Command Injection | 617 |