KEV 2013
38 CISA Known Exploited Vulnerabilities from 2013
Critical 8
May 2022
March 2022
Oracle Java SE — 2D Image Processing Integer Overflow Enables Remote Code Execution and Ransomware Delivery
CVSS 9.8
Adobe Reader and Acrobat — BMP Image Parsing Integer Overflow Enables Remote Code Execution via Crafted PDF
CVSS 9.8
Apache Struts 2 — S2-016 redirectAction Prefix OGNL Injection Enables Unauthenticated Remote Code Execution
CVSS 9.8
HP ProCurve Manager — JBoss EJBInvokerServlet and JMXInvokerServlet Unauthenticated Deserialization Enables Remote Code Execution
CVSS 9.8
Adobe ColdFusion — Authentication Bypass via RDS Default Configuration Grants Unauthenticated Admin Access
CVSS 9.8
Adobe ColdFusion — Incorrect Default Permissions Allow Unauthenticated Access to ColdFusion Administrator
CVSS 9.8
Adobe Reader and Acrobat — ToolButton Use-After-Free Memory Corruption Zero-Day Chained with Windows NDProxy LPE in APT Campaigns
CVSS 9.8
High 22
October 2025
August 2025
September 2024
Adobe Flash Player — Incorrect Firefox Sandbox Permissions Enable Flash-Based Sandbox Escape in Paired Attack with CVE-2013-0648
CVSS 8.8
Adobe Flash Player — ExternalInterface ActionScript Code Execution Chained With CVE-2013-0643 for Full Firefox Sandbox Escape
CVSS 8.8
March 2023
September 2022
Linux Kernel — ARM get_user/put_user Missing Address Validation Allows Any Process to Read and Write Kernel Memory
CVSS 8.8
Linux Kernel — perf_swevent_enabled Out-of-Bounds Write via Unchecked attr.config for Local Privilege Escalation
CVSS 8.4
Code Aurora ACDB — Qualcomm Audio Calibration Driver IOCTL Stack Overflow Enables Kernel Privilege Escalation on Android
CVSS 8.4
Linux Kernel — fb_mmap Framebuffer Integer Overflow Maps Physical Memory to Userspace for Android and Linux Privilege Escalation
CVSS 7.8
June 2022
May 2022
March 2022
Mozilla Firefox and Thunderbird — XMLHttpRequest onreadystatechange Use-After-Free Enables Remote Code Execution
CVSS 8.8
Microsoft Internet Explorer — CParentUndoUnit Use-After-Free Allows Remote Code Execution, Exploited for Ransomware Delivery
CVSS 8.8
Microsoft Internet Explorer 8 — CGenericElement Use-After-Free Zero-Day Used to Water-Hole US Department of Labor Website
CVSS 8.8
Microsoft Internet Explorer — CDisplayPointer Use-After-Free Zero-Day Exploited in Operation Ephemeral Hydra Water-Hole Attacks
CVSS 8.8
Microsoft Win32k — EPATHOBJ Linked List Pointer Flaw Enables Any Local User to Execute Code in Ring 0
CVSS 7.8
Adobe Reader and Acrobat — acroform.dll Memory Corruption Zero-Day Chained With CVE-2013-0641 to Escape Sandbox
CVSS 7.8
Adobe Reader — Buffer Overflow Used as Second Stage to Escape Reader Protected Mode Sandbox in CVE-2013-0640 Chain
CVSS 7.8
Microsoft Windows — NDProxy.sys Improper Input Validation Enables SYSTEM Privilege Escalation, Chained with Adobe Reader Zero-Day in APT Attacks
CVSS 7.8
Adobe ColdFusion — Unauthenticated Directory Traversal Exposes Restricted Server Files Including Configuration and Credentials
CVSS 7.5
Adobe ColdFusion — Unspecified Information Disclosure from Compromised ColdFusion Server Components
CVSS 7.5
February 2022
Medium 7
May 2022
IBM InfoSphere BigInsights — Path Traversal in BigInsights APIs Allows Authenticated Users to Read Arbitrary Files, Exploited for Ransomware Delivery
CVSS 6.5
Microsoft Internet Explorer — XMLHTTP Resource Existence Probe Enables Exploit Kits to Detect and Evade Anti-Malware Software
CVSS 6.5
Microsoft Silverlight — Unvalidated Element Pointer Leaks Process Memory to Malicious Silverlight Applications
CVSS 5.5
Oracle Java SE — JMX MBeanServer Sandbox Bypass Enables Confidentiality Breach via Untrusted Applets
CVSS 5.3
March 2022
Mozilla Firefox — nsDOMSVGZoomEvent Uninitialized Memory Leaks Process Data to Attacker-Controlled JavaScript
CVSS 6.5
D-Link DSL-2760U — Stored Cross-Site Scripting in DSL Gateway Web Interface Allows Session Hijacking and Configuration Modification
CVSS 5.4