LiveActive security incident?Get immediate response
CVE archive

2016 CVE Archive

Browse CVE records published in 2016 CVE Archive, with severity, affected products, CWE, KEV, and source-backed vulnerability context.

Showing 50 of 9355 matching CVEs · Page 3 of 188.

Medium · CVSS 6.1

CVE-2016-20036: Wowza Streaming Engine 4.5.0 Multiple Cross-Site Scripting Vulnerabilities

Wowza Streaming Engine 4.5.0 contains multiple reflected cross-site scripting vulnerabilities in the enginemanager interface where input passed through various parameters is not properly sanitized before being returned to users. Attackers can inject malicious script code through parameters like appName, vhost, uiAppType, and wowzaCloudDestinationType in multiple endpoints to execute arbitrary HTML and JavaScript in a user's browser session.

Published Mar 15, 2026 · Updated Mar 16, 2026

Critical · CVSS 9.8

CVE-2016-20024: ZKTeco ZKTime.Net 3.0.1.6 Insecure File Permissions Privilege Escalation

ZKTeco ZKTime.Net 3.0.1.6 contains an insecure file permissions vulnerability that allows unprivileged users to escalate privileges by modifying executable files. Attackers can exploit world-writable permissions on the ZKTimeNet3.0 directory and its contents to replace executable files with malicious binaries for privilege escalation.

Published Mar 15, 2026 · Updated Mar 16, 2026

High · CVSS 8.8

CVE-2016-20025: ZKTeco ZKAccess Professional 3.5.3 Privilege Escalation via Insecure Permissions

ZKTeco ZKAccess Professional 3.5.3 contains an insecure file permissions vulnerability that allows authenticated users to escalate privileges by modifying executable files. Attackers can leverage the Modify permission granted to the Authenticated Users group to replace executable binaries with malicious code for privilege escalation.

Published Mar 15, 2026 · Updated Mar 16, 2026

Medium · CVSS 6.1

CVE-2016-20027: ZKTeco ZKBioSecurity 3.0 Multiple Reflected XSS Vulnerabilities

ZKTeco ZKBioSecurity 3.0 contains multiple reflected cross-site scripting vulnerabilities that allow attackers to execute arbitrary HTML and script code by injecting malicious payloads through unsanitized parameters in multiple scripts. Attackers can craft malicious URLs with XSS payloads in vulnerable parameters to execute scripts in a user's browser session within the context of the affected application.

Published Mar 15, 2026 · Updated Mar 16, 2026

Medium · CVSS 5.3

CVE-2016-20028: ZKTeco ZKBioSecurity 3.0 Cross-Site Request Forgery Superadmin

ZKTeco ZKBioSecurity 3.0 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions by tricking logged-in users into visiting malicious websites. Attackers can craft HTTP requests that add superadmin accounts without validity checks, enabling unauthorized administrative access when authenticated users visit attacker-controlled pages.

Published Mar 15, 2026 · Updated Mar 16, 2026

Medium · CVSS 6.9

CVE-2016-20029: ZKTeco ZKBioSecurity 3.0 File Path Manipulation Vulnerability

ZKTeco ZKBioSecurity 3.0 contains a file path manipulation vulnerability that allows attackers to access arbitrary files by modifying file paths used to retrieve local resources. Attackers can manipulate path parameters to bypass access controls and retrieve sensitive information including configuration files, source code, and protected application resources.

Published Mar 15, 2026 · Updated Mar 16, 2026

Critical · CVSS 9.8

CVE-2016-20030: ZKTeco ZKBioSecurity 3.0 User Enumeration via authLoginAction

ZKTeco ZKBioSecurity 3.0 contains a user enumeration vulnerability that allows unauthenticated attackers to discover valid usernames by submitting partial characters via the username parameter. Attackers can send requests to the authLoginAction!login.do script with varying username inputs to enumerate valid user accounts based on application responses.

Published Mar 15, 2026 · Updated Mar 16, 2026

Medium · CVSS 6.8

CVE-2016-20031: ZKTeco ZKBioSecurity 3.0 Local Authorization Bypass via visLogin.jsp

ZKTeco ZKBioSecurity 3.0 contains a local authorization bypass vulnerability in visLogin.jsp that allows attackers to authenticate without valid credentials by spoofing localhost requests. Attackers can exploit the EnvironmentUtil.getClientIp() method which treats IPv6 loopback address 0:0:0:0:0:0:0:1 as 127.0.0.1 and authenticates using the IP as username with hardcoded password 123456 to access sensitive information and perform unauthorized actions.

Published Mar 15, 2026 · Updated Mar 16, 2026

High · CVSS 7.2

CVE-2016-20032: ZKTeco ZKAccess Security System 5.3.1 Stored XSS

ZKTeco ZKAccess Security System 5.3.1 contains a stored cross-site scripting vulnerability that allows attackers to execute arbitrary HTML and script code by injecting malicious payloads through the 'holiday_name' and 'memo' POST parameters. Attackers can submit crafted requests with script code in these parameters to compromise user browser sessions and steal sensitive information.

Published Mar 15, 2026 · Updated Mar 16, 2026

Critical · CVSS 9.9

CVE-2016-15057: Apache Continuum: Command injection leading to RCE

** UNSUPPORTED WHEN ASSIGNED ** Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache Continuum. This issue affects Apache Continuum: all versions. Attackers with access to the installations REST API can use this to invoke arbitrary commands on the server. As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Published Jan 26, 2026 · Updated Jan 26, 2026

High · CVSS 7.5 · CISA KEV

CVE-2016-6415: The server IKEv1 implementation in Cisco IOS 12.2 through 12.4 and 15.0 through 15.6, IOS XE through 3.18S,...

The server IKEv1 implementation in Cisco IOS 12.2 through 12.4 and 15.0 through 15.6, IOS XE through 3.18S, IOS XR 4.3.x and 5.0.x through 5.2.x, and PIX before 7.0 allows remote attackers to obtain sensitive information from device memory via a Security Association (SA) negotiation request, aka Bug IDs CSCvb29204 and CSCvb36055 or BENIGNCERTAIN.

Published Sep 19, 2016 · Updated Jan 12, 2026

High · CVSS 8.8 · CISA KEV

CVE-2016-6366: Buffer overflow in Cisco Adaptive Security Appliance (ASA) Software through 9.4.2.3 on ASA 5500, ASA 5500-X...

Buffer overflow in Cisco Adaptive Security Appliance (ASA) Software through 9.4.2.3 on ASA 5500, ASA 5500-X, ASA Services Module, ASA 1000V, ASAv, Firepower 9300 ASA Security Module, PIX, and FWSM devices allows remote authenticated users to execute arbitrary code via crafted IPv4 SNMP packets, aka Bug ID CSCva92151 or EXTRABACON.

Published Aug 18, 2016 · Updated Jan 12, 2026

High · CVSS 8.6

CVE-2016-15046: Hanwha Techwin SSM 1.32 & 1.4 ActiveMQ File Upload RCE

A client-side remote code execution vulnerability exists in Hanwha Techwin Smart Security Manager (SSM) versions 1.32 and 1.4, due to improper restrictions on the PUT method exposed by the bundled Apache ActiveMQ instance (running on port 8161). An attacker can exploit this flaw through a Cross-Origin Resource Sharing (CORS) bypass combined with JavaScript-triggered file uploads to the web server, ultimately resulting in arbitrary code execution with SYSTEM privileges. This vulnerability bypasses the server-side mitigations introduced in ZDI-15-156 and ZDI-16-481 by shifting the exploitation to the client-side. This product is now referred to as Hanwha Wisenet SSM and it is unknown if current versions are affected.

Published Jul 25, 2025 · Updated Nov 21, 2025

Medium · CVSS 5.1

CVE-2016-15049: Nagios Log Server < 1.4.2 Dashboards Logs Table XSS

Nagios Log Server versions prior to 1.4.2 are vulnerable to cross-site scripting (XSS) in the Dashboards section when rendering log entries in the Logs table. Untrusted log content was not safely encoded for the output context, allowing attacker-controlled data present in logs to execute script in the victim’s browser within the application origin.

Published Oct 30, 2025 · Updated Nov 17, 2025

Medium · CVSS 5.1

CVE-2016-15053: Nagios XI < 5.2.4 XSS via “My Reports” Listing

Nagios XI versions prior to 5.2.4 are vulnerable to cross-site scripting (XSS) via the “My Reports” listing of the web interface. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.

Published Oct 30, 2025 · Updated Nov 17, 2025

Medium · CVSS 5.1

CVE-2016-15052: Nagios XI < 5.2.4 XSS via Menu System

Nagios XI versions prior to 5.2.4 are vulnerable to cross-site scripting (XSS) via the Menu System of the web interface. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.

Published Oct 30, 2025 · Updated Nov 17, 2025

Medium · CVSS 5.1

CVE-2016-15051: Nagios XI < 5.2.4 XSS via Report startdate/enddate Fields

Nagios XI versions prior to 5.2.4 are vulnerable to cross-site scripting (XSS) via the Reports interface through values from the startdate and enddate fields. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.

Published Oct 30, 2025 · Updated Nov 17, 2025

High · CVSS 8.7

CVE-2016-15050: Nagios XI < 5.2.4 SQL Injection in Notification Search

Nagios XI versions prior to 5.2.4 contain a SQL injection vulnerability in the notification search functionality. User-supplied search parameters were incorporated into SQL statements without adequate parameterization or sanitation, allowing an authenticated user to manipulate database queries. Successful exploitation could disclose or modify notification data and, in some cases, impact the application database more broadly.

Published Oct 30, 2025 · Updated Nov 17, 2025

Unknown · CVSS Not scored

CVE-2016-7420: Crypto++ (aka cryptopp) through 5.6.4 does not document the requirement for a compile-time NDEBUG definitio...

Crypto++ (aka cryptopp) through 5.6.4 does not document the requirement for a compile-time NDEBUG definition disabling the many assert calls that are unintended in production use, which might allow context-dependent attackers to obtain sensitive information by leveraging access to process memory after an assertion failure, as demonstrated by reading a core dump.

Published Sep 16, 2016 · Updated Nov 14, 2025

Critical · CVSS 10

CVE-2016-15048: AMTT HiBOS Command Injection RCE via server_ping.php

AMTT Hotel Broadband Operation System (HiBOS) contains an unauthenticated command injection vulnerability in the /manager/radius/server_ping.php endpoint. The application constructs a shell command that includes the user-supplied ip parameter and executes it without proper validation or escaping. An attacker can insert shell metacharacters into the ip parameter to inject and execute arbitrary system commands as the web server user. The initial third-party disclosure in 2016 recommended contacting the vendor for remediation guidance. Additionally, this product may have been rebranded under a different name. VulnCheck has observed this vulnerability being exploited in the wild as of 2025-10-14 at 04:45:53.510819 UTC.

Published Oct 22, 2025 · Updated Oct 22, 2025

High · CVSS 8.8 · CISA KEV

CVE-2016-0984: Use-after-free vulnerability in Adobe Flash Player before 18.0.0.329 and 19.x and 20.x before 20.0.0.306 on...

Use-after-free vulnerability in Adobe Flash Player before 18.0.0.329 and 19.x and 20.x before 20.0.0.306 on Windows and OS X and before 11.2.202.569 on Linux, Adobe AIR before 20.0.0.260, Adobe AIR SDK before 20.0.0.260, and Adobe AIR SDK & Compiler before 20.0.0.260 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2016-0973, CVE-2016-0974, CVE-2016-0975, CVE-2016-0982, and CVE-2016-0983.

Published Feb 10, 2016 · Updated Oct 21, 2025

High · CVSS 7.5 · CISA KEV

CVE-2016-0752: Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4...

Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a .. (dot dot) in a pathname.

Published Feb 16, 2016 · Updated Oct 21, 2025

High · CVSS 7.8 · CISA KEV

CVE-2016-0099: The Secondary Logon Service in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 S...

The Secondary Logon Service in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 does not properly process request handles, which allows local users to gain privileges via a crafted application, aka "Secondary Logon Elevation of Privilege Vulnerability."

Published Mar 9, 2016 · Updated Oct 21, 2025

High · CVSS 8.8 · CISA KEV

CVE-2016-1010: Integer overflow in Adobe Flash Player before 18.0.0.333 and 19.x through 21.x before 21.0.0.182 on Windows...

Integer overflow in Adobe Flash Player before 18.0.0.333 and 19.x through 21.x before 21.0.0.182 on Windows and OS X and before 11.2.202.577 on Linux, Adobe AIR before 21.0.0.176, Adobe AIR SDK before 21.0.0.176, and Adobe AIR SDK & Compiler before 21.0.0.176 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2016-0963 and CVE-2016-0993.

Published Mar 12, 2016 · Updated Oct 21, 2025

High · CVSS 8.8 · CISA KEV

CVE-2016-1646: The Array.prototype.concat implementation in builtins.cc in Google V8, as used in Google Chrome before 49.0...

The Array.prototype.concat implementation in builtins.cc in Google V8, as used in Google Chrome before 49.0.2623.108, does not properly consider element data types, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via crafted JavaScript code.

Published Mar 29, 2016 · Updated Oct 21, 2025

High · CVSS 7.8 · CISA KEV

CVE-2016-0151: The Client-Server Run-time Subsystem (CSRSS) in Microsoft Windows 8.1, Windows Server 2012 Gold and R2, Win...

The Client-Server Run-time Subsystem (CSRSS) in Microsoft Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 mismanages process tokens, which allows local users to gain privileges via a crafted application, aka "Windows CSRSS Security Feature Bypass Vulnerability."

Published Apr 12, 2016 · Updated Oct 21, 2025

High · CVSS 7.8 · CISA KEV

CVE-2016-0165: The kernel-mode driver in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, W...

The kernel-mode driver in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 allows local users to gain privileges via a crafted application, aka "Win32k Elevation of Privilege Vulnerability," a different vulnerability than CVE-2016-0143 and CVE-2016-0167.

Published Apr 12, 2016 · Updated Oct 21, 2025

High · CVSS 7.8 · CISA KEV

CVE-2016-0167: The kernel-mode driver in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, W...

The kernel-mode driver in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 allows local users to gain privileges via a crafted application, aka "Win32k Elevation of Privilege Vulnerability," a different vulnerability than CVE-2016-0143 and CVE-2016-0165.

Published Apr 12, 2016 · Updated Oct 21, 2025