CWE-494

Total CVEs: 72
Critical: 16
High: 46
Avg CVSS: 7.8
In CISA KEV: 1

Yearly Trend

2026: 9
2025: 25
2024: 11
2023: 13
2022: 4

Top Affected Vendors

1. Microsoft: 5
2. Buildroot: 4
3. Huawei: 4
4. Sound4: 3
5. Phoenixcontact: 2
6. Gradle: 2
7. Electra Air: 2
8. Netgear: 1
9. Luckyframe: 1
10. Jenkins: 1

All CWE-494 CVEs (72)

CVE-2020-1595
9.9

CVE-2020-1595 is a critical remote code execution vulnerability in Microsoft SharePoint where improperly protected APIs allow attackers to execute arb...

Sep 11, 2020
CVE-2020-1210
9.9

This is a critical remote code execution vulnerability in Microsoft SharePoint that allows attackers to run arbitrary code by uploading a specially cr...

Sep 11, 2020
CVE-2026-2999
9.8

CVE-2026-2999 is a critical remote code execution vulnerability in IDExpert Windows Logon Agent that allows unauthenticated attackers to force the sys...

Mar 2, 2026
CVE-2026-27180
9.8

CVE-2026-27180 allows unauthenticated attackers to execute arbitrary code on MajorDoMo systems by poisoning the update URL. Attackers can deploy websh...

Feb 18, 2026
CVE-2025-40604
9.8

This critical vulnerability in SonicWall Email Security appliances allows attackers with access to virtual machine disk files or datastores to modify ...

Nov 20, 2025
CVE-2025-56513
9.8

NiceHash QuickMiner 6.12.0 performs software updates over unencrypted HTTP without digital signature validation or hash checks. This allows attackers ...

Sep 30, 2025
CVE-2025-34212
9.8

This CVE describes a supply chain vulnerability in Vasion Print (formerly PrinterLogic) build pipeline that allows attackers to compromise the CI/CD s...

Sep 29, 2025
CVE-2025-28236
9.8

This vulnerability allows remote attackers to execute arbitrary code on Nautel VX Series transmitters by uploading a malicious firmware update package...

Apr 18, 2025
CVE-2024-27438
9.8

This vulnerability in Apache Doris allows authenticated users with JDBC catalog creation privileges to upload and execute arbitrary Java code via mali...

Mar 21, 2024
CVE-2023-27574
9.8

ShadowsocksX-NG 1.10.0 contains a vulnerability where the application is signed with com.apple.security.get-task-allow entitlements due to CODE_SIGNIN...

Mar 3, 2023
CVE-2020-2320
9.8

CVE-2020-2320 is a critical vulnerability in Jenkins Plugin Installation Manager Tool 2.1.3 and earlier that fails to verify plugin downloads, allowin...

Dec 3, 2020
CVE-2020-28332
9.8

This vulnerability allows attackers to install malicious firmware on Barco wePresent WiPG-1600W devices by bypassing signature verification. Organizat...

Nov 24, 2020
CVE-2024-28878
9.6

The IO-1020 Micro ELD device downloads and executes code from adjacent network locations without proper verification, allowing attackers to run arbitr...

Apr 12, 2024
CVE-2025-27593
9.3

CVE-2025-27593 allows attackers to distribute malicious code via SDD Device Drivers due to missing download verification checks, leading to remote cod...

Mar 14, 2025
CVE-2024-48974
9.3

This vulnerability allows attackers to push malicious firmware updates to ventilators without proper integrity checks, potentially compromising device...

Nov 14, 2024
CVE-2025-14265
9.1

This vulnerability allows authorized or administrative users to install and execute untrusted extensions on ScreenConnect servers, potentially leading...

Dec 11, 2025
CVE-2025-63434
8.8

This vulnerability allows remote code execution on Android devices running Xtooltech Xtool AnyScan app versions 4.40.40 and earlier. An attacker who c...

Nov 24, 2025
CVE-2025-57431
8.8

The Sound4 PULSE-ECO AES67 1.22 web management interface has a critical vulnerability that allows remote attackers to execute arbitrary code by upload...

Sep 22, 2025
CVE-2025-53520
8.8

This vulnerability allows attackers to install malicious firmware on EG4 devices by exploiting the lack of integrity checks during firmware updates. A...

Aug 8, 2025
CVE-2024-43169
8.8

IBM Engineering Requirements Management DOORS Next versions 7.0.2, 7.0.3, and 7.1 contain a vulnerability that allows users to download malicious file...

Mar 3, 2025
CVE-2023-47353
8.8

This vulnerability in IMOU GO app allows attackers to force the download of arbitrary files through the DownloadFirmwareService component. Attackers c...

Feb 6, 2024
CVE-2022-28944
8.8

This vulnerability allows remote code execution in multiple EMCO Software products when users trigger software updates. Attackers can exploit the upda...

May 23, 2022
CVE-2022-24644
8.8

CVE-2022-24644 is a remote code execution vulnerability in ZZ Inc. KeyMouse software that allows attackers to execute arbitrary code during unauthenti...

Mar 10, 2022
CVE-2020-7873
8.8

This vulnerability in Younglimwon Co., Ltd's ActiveX control allows attackers to download and execute arbitrary files without integrity verification. ...

Sep 9, 2021
CVE-2020-1452
8.6

This is a remote code execution vulnerability in Microsoft SharePoint that allows attackers to run arbitrary code by uploading a specially crafted app...

Sep 11, 2020
CVE-2020-1200
8.6

This is a remote code execution vulnerability in Microsoft SharePoint that allows attackers to run arbitrary code by uploading a specially crafted app...

Sep 11, 2020
CVE-2020-1576
8.5

This is a remote code execution vulnerability in Microsoft SharePoint that allows attackers to run arbitrary code by uploading specially crafted appli...

Sep 11, 2020
CVE-2024-52583
8.2

The WesHacks website before November 17, 2024 contained malicious JavaScript injection through external links to 'Leostop', a potentially malicious si...

Nov 18, 2024
CVE-2025-1058
8.1

This vulnerability allows attackers to upload malicious firmware to affected Schneider Electric devices without integrity verification, potentially re...

Feb 13, 2025
CVE-2024-45321
8.1

CVE-2024-45321 is a vulnerability in App::cpanminus (cpanm) where the package downloads Perl modules over insecure HTTP connections instead of HTTPS. ...

Aug 27, 2024
CVE-2024-28850
8.1

WP Crontrol plugin for WordPress has a potential remote code execution vulnerability through vulnerability chaining. The plugin's PHP cron event featu...

Mar 25, 2024
CVE-2023-45838
8.1

This CVE describes multiple data integrity vulnerabilities in Buildroot's package hash checking functionality that allow man-in-the-middle attackers t...

Dec 5, 2023
CVE-2023-45840
8.1

This vulnerability allows attackers to execute arbitrary commands on Buildroot systems through man-in-the-middle attacks targeting package downloads. ...

Dec 5, 2023
CVE-2023-45842
8.1

This CVE describes data integrity vulnerabilities in Buildroot's package hash checking functionality that allow man-in-the-middle attackers to execute...

Dec 5, 2023
CVE-2023-43608
8.1

A data integrity vulnerability in Buildroot's BR_NO_CHECK_HASH_FOR functionality allows man-in-the-middle attackers to bypass hash verification during...

Dec 5, 2023
CVE-2021-33879
8.1

This vulnerability allows attackers to perform man-in-the-middle attacks against Tencent GameLoop's update mechanism. By intercepting insecure HTTP co...

Jun 6, 2021
CVE-2025-52263
8.0

This vulnerability allows authenticated attackers on the same network to upload malicious firmware to Startcharge Artemis AC Chargers, enabling them t...

Oct 27, 2025
CVE-2025-61228
7.8

A local privilege escalation vulnerability in Shirt Pocket SuperDuper! backup software allows attackers to execute arbitrary code through the software...

Dec 1, 2025
CVE-2021-41714
7.7

CVE-2021-41714 is a path traversal vulnerability in Tipask Q&A software that allows authenticated users to download arbitrary files from the server by...

May 23, 2022
CVE-2025-15556
KEV 7.5

This vulnerability allows attackers to intercept Notepad++ update traffic and replace legitimate updates with malicious installers. When users update ...

Feb 3, 2026
CVE-2025-69263
7.5

This CVE allows attackers to serve malicious code through HTTP tarball dependencies in pnpm packages. The lockfile fails to provide integrity verifica...

Jan 7, 2026
CVE-2025-9319
7.5

This vulnerability in the Lenovo Wallpaper Client could allow attackers to execute arbitrary code on affected systems by exploiting improper download ...

Sep 11, 2025
CVE-2024-39348
7.5

This vulnerability allows man-in-the-middle attackers to execute arbitrary code on Synology routers by exploiting AirPrint functionality that download...

Jun 28, 2024
CVE-2024-33118
7.5

LuckyFrameWeb v3.5.2 contains an arbitrary file read vulnerability in the fileDownload method of CommonController. This allows attackers to read sensi...

May 6, 2024
CVE-2023-5592
7.5

CVE-2023-5592 is a critical vulnerability in PHOENIX CONTACT industrial automation software that allows unauthenticated remote attackers to download a...

Dec 14, 2023
CVE-2023-46143
7.5

CVE-2023-46143 is a critical vulnerability in PHOENIX CONTACT classic line PLCs that allows unauthenticated remote attackers to download and modify ap...

Dec 14, 2023
CVE-2023-24500
7.5

An adjacent attacker can upload unauthorized firmware to Electra Central AC units, potentially gaining control over the device. This affects Electra C...

Apr 17, 2023
CVE-2023-24503
7.5

CVE-2023-24503 is a firmware validation vulnerability in Electra Central AC units that allows an adjacent attacker to upload and install unauthorized ...

Apr 17, 2023
CVE-2022-22786
7.5

This vulnerability allows attackers to trick users into downgrading their Zoom client to a less secure version by exploiting improper version checking...

May 18, 2022
CVE-2020-7875
7.5

CVE-2020-7875 is a remote code execution vulnerability in DEXT5 Upload's ActiveX module that allows attackers to download and execute arbitrary files ...

Oct 28, 2021

About CWE-494

Our database tracks 72 CVEs classified as CWE-494, with 16 rated critical and 46 rated high severity. The average CVSS score for CWE-494 vulnerabilities is 7.8.
