LiveActive security incident?Get immediate response
CVE archive

November 2016

Browse CVE records published in November 2016, with severity, affected products, CWE, KEV, and source-backed vulnerability context.

Showing 50 of 409 matching CVEs · Page 1 of 9.

High · CVSS 8.7

CVE-2016-15056: Ubee EVW3226 Unauthenticated Backup File Disclosure

Ubee EVW3226 cable modem/routers firmware versions up to and including 1.0.20 store configuration backup files in the web root after they are generated for download. These backup files remain accessible without authentication until the next reboot. A remote attacker on the local network can request 'Configuration_file.cfg' directly to obtain the backup archive. Because backup files are not encrypted, they expose sensitive information including the plaintext admin password, allowing full compromise of the device.

Published Nov 14, 2025 · Updated Apr 7, 2026

High · CVSS 8.7

CVE-2016-15055: JVC VN-T IP-Camera Directory Traversal via check.cgi

JVC VN-T IP-camera models firmware versions up to 2016-08-22 (confirmed on the VN-T216VPRU model) contain a directory traversal vulnerability in the checkcgi endpoint that accepts a user-controlled file parameter. An unauthenticated remote attacker can leverage this vulnerability to read arbitrary files on the device.

Published Nov 12, 2025 · Updated Apr 7, 2026

High · CVSS 8.8 · CISA KEV

CVE-2016-7200: The Chakra JavaScript scripting engine in Microsoft Edge allows remote attackers to execute arbitrary code...

The Chakra JavaScript scripting engine in Microsoft Edge allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Scripting Engine Memory Corruption Vulnerability," a different vulnerability than CVE-2016-7201, CVE-2016-7202, CVE-2016-7203, CVE-2016-7208, CVE-2016-7240, CVE-2016-7242, and CVE-2016-7243.

Published Nov 10, 2016 · Updated Oct 21, 2025

High · CVSS 8.8 · CISA KEV

CVE-2016-7201: The Chakra JavaScript scripting engine in Microsoft Edge allows remote attackers to execute arbitrary code...

The Chakra JavaScript scripting engine in Microsoft Edge allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Scripting Engine Memory Corruption Vulnerability," a different vulnerability than CVE-2016-7200, CVE-2016-7202, CVE-2016-7203, CVE-2016-7208, CVE-2016-7240, CVE-2016-7242, and CVE-2016-7243.

Published Nov 10, 2016 · Updated Oct 21, 2025

High · CVSS 7.8 · CISA KEV

CVE-2016-7255: The kernel-mode drivers in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1,...

The kernel-mode drivers in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, and 1607, and Windows Server 2016 allow local users to gain privileges via a crafted application, aka "Win32k Elevation of Privilege Vulnerability."

Published Nov 10, 2016 · Updated Oct 21, 2025

High · CVSS 8.8 · CISA KEV

CVE-2016-7256: atmfd.dll in the Windows font library in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, W...

atmfd.dll in the Windows font library in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, and 1607, and Windows Server 2016 allows remote attackers to execute arbitrary code via a crafted web site, aka "Open Type Font Remote Code Execution Vulnerability."

Published Nov 10, 2016 · Updated Oct 21, 2025

High · CVSS 7.5 · CISA KEV

CVE-2016-8562: A vulnerability has been identified in SIMATIC CP 1543-1 (All versions < V2.0.28), SIPLUS NET CP 1543-1 (Al...

A vulnerability has been identified in SIMATIC CP 1543-1 (All versions < V2.0.28), SIPLUS NET CP 1543-1 (All versions < V2.0.28). Under special conditions it was possible to write SNMP variables on port 161/udp which should be read-only and should only be configured with TIA-Portal. A write to these variables could reduce the availability or cause a denial-of-service.

Published Nov 18, 2016 · Updated Oct 21, 2025

High · CVSS 7.8

CVE-2016-10408: Improper Access Control in Core.

QSEE will randomly experience a fatal error during execution due to speculative instruction fetches from device memory. Device memory is not valid executable memory.

Published Nov 26, 2024 · Updated Nov 26, 2024

Unknown · CVSS Not scored

CVE-2016-6803: An installer defect known as an "unquoted Windows search path vulnerability" affected the Apache OpenOffice...

An installer defect known as an "unquoted Windows search path vulnerability" affected the Apache OpenOffice before 4.1.3 installers for Windows. The PC must have previously been infected by a Trojan Horse application (or user) running with administrative privilege. Any installer with the unquoted search path vulnerability becomes a delayed trigger for the exploit.

Published Nov 13, 2017 · Updated Sep 16, 2024

Unknown · CVSS Not scored

CVE-2016-6804: The Apache OpenOffice installer (versions prior to 4.1.3, including some branded as OpenOffice.org) for Win...

The Apache OpenOffice installer (versions prior to 4.1.3, including some branded as OpenOffice.org) for Windows contains a defective operation that allows execution of arbitrary code with elevated privileges. This requires that the location in which the installer is run has been previously poisoned by a file that impersonates a dynamic-link library that the installer depends upon.

Published Nov 20, 2017 · Updated Sep 16, 2024

Unknown · CVSS Not scored

CVE-2016-10700: auth_login.php in Cacti before 1.0.0 allows remote authenticated users who use web authentication to bypass...

auth_login.php in Cacti before 1.0.0 allows remote authenticated users who use web authentication to bypass intended access restrictions by logging in as a user not in the cacti database, because the guest user is not considered. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-2313.

Published Nov 24, 2017 · Updated Aug 6, 2024

Unknown · CVSS Not scored

CVE-2016-9644: The __get_user_asm_ex macro in arch/x86/include/asm/uaccess.h in the Linux kernel 4.4.22 through 4.4.28 con...

The __get_user_asm_ex macro in arch/x86/include/asm/uaccess.h in the Linux kernel 4.4.22 through 4.4.28 contains extended asm statements that are incompatible with the exception table, which allows local users to obtain root access on non-SMEP platforms via a crafted application. NOTE: this vulnerability exists because of incorrect backporting of the CVE-2016-9178 patch to older kernels.

Published Nov 28, 2016 · Updated Aug 6, 2024

Unknown · CVSS Not scored

CVE-2016-9567: The mDNIe system service on Samsung Mobile S7 devices with M(6.0) software does not properly restrict setmD...

The mDNIe system service on Samsung Mobile S7 devices with M(6.0) software does not properly restrict setmDNIeScreenCurtain API calls, enabling attackers to control a device's screen. This can be exploited via a crafted application to eavesdrop after phone shutdown or record a conversation. The Samsung ID is SVE-2016-6343.

Published Nov 23, 2016 · Updated Aug 6, 2024

Unknown · CVSS Not scored

CVE-2016-9313: security/keys/big_key.c in the Linux kernel before 4.8.7 mishandles unsuccessful crypto registration in con...

security/keys/big_key.c in the Linux kernel before 4.8.7 mishandles unsuccessful crypto registration in conjunction with successful key-type registration, which allows local users to cause a denial of service (NULL pointer dereference and panic) or possibly have unspecified other impact via a crafted application that uses the big_key data type.

Published Nov 28, 2016 · Updated Aug 6, 2024