Every CVE whose affected-product data names Ivanti Avalanche, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (117)
CVE-2022-36972 — CVSS 9.8 (critical): This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. The specific…
CVE-2022-36983 — CVSS 9.8 (critical): This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche. Authentication is not…
CVE-2020-12442 — CVSS 9.8 (critical): Ivanti Avalanche 6.3 allows a SQL injection that is vaguely associated with the Apache HTTP Server, aka Bug 683250.
CVE-2023-32560 — CVSS 9.8 (critical): An attacker can send a specially crafted message to the Wavelink Avalanche Manager, which could result in service disruption or arbitrary…
CVE-2023-32562 — CVSS 9.8 (critical): An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.3.x and below that could allow an attacker…
CVE-2023-32564 — CVSS 9.8 (critical): An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.4.1 and below that could allow an attacker…
CVE-2023-38036 — CVSS 9.8 (critical): A security vulnerability within Ivanti Avalanche Manager before version 6.4.1 may allow an unauthenticated attacker to create a buffer…
CVE-2024-24996 — CVSS 9.8 (critical): A Heap overflow vulnerability in WLInfoRailService component of Ivanti Avalanche before 6.4.3 allows an unauthenticated remote attacker to…
CVE-2024-29204 — CVSS 9.8 (critical): A Heap Overflow vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3 allows a remote unauthenticated attacker to…
CVE-2023-41727 — CVSS 9.8 (critical): An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial…
CVE-2023-46216 — CVSS 9.8 (critical): An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial…
CVE-2023-46217 — CVSS 9.8 (critical): An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial…
CVE-2023-46220 — CVSS 9.8 (critical): An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial…
CVE-2023-46221 — CVSS 9.8 (critical): An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial…
CVE-2023-46222 — CVSS 9.8 (critical): An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial…
CVE-2023-46223 — CVSS 9.8 (critical): An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial…
CVE-2023-46224 — CVSS 9.8 (critical): An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial…
CVE-2023-46225 — CVSS 9.8 (critical): An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial…
CVE-2023-46257 — CVSS 9.8 (critical): An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial…
CVE-2023-46258 — CVSS 9.8 (critical): An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial…
CVE-2023-46259 — CVSS 9.8 (critical): An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial…
CVE-2023-46260 — CVSS 9.8 (critical): An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial…
CVE-2023-46261 — CVSS 9.8 (critical): An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial…
CVE-2023-46263 — CVSS 9.8 (critical): An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.4.1 and below that could allow an attacker…
CVE-2023-46264 — CVSS 9.8 (critical): An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.4.1 and below that could allow an attacker…
CVE-2023-46265 — CVSS 9.8 (critical): An unauthenticated could abuse a XXE vulnerability in the Smart Device Server to leak data or perform a Server-Side Request Forgery (SSRF).
CVE-2024-22061 — CVSS 9.8 (critical): A Heap Overflow vulnerability in WLInfoRailService component of Ivanti Avalanche before 6.4.3 allows a remote unauthenticated attacker to…
CVE-2021-42127 — CVSS 9.8 (critical): A deserialization of untrusted data vulnerability exists in Ivanti Avalanche before 6.3.3 using Inforail Service allows arbitrary code…
CVE-2021-42128 — CVSS 9.8 (critical): An exposed dangerous function vulnerability exists in Ivanti Avalanche before 6.3.3 using inforail Service allows Privilege Escalation via…
CVE-2022-36974 — CVSS 9.8 (critical): This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Avalanche 6.3.2.3490. Although…
CVE-2022-36975 — CVSS 9.8 (critical): This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. The specific…
CVE-2022-36976 — CVSS 9.8 (critical): This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. The specific…
CVE-2022-36977 — CVSS 9.8 (critical): This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Avalanche 6.3.2.3490. Although…
CVE-2022-36978 — CVSS 9.8 (critical): This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Avalanche 6.3.2.3490. Although…
CVE-2022-36979 — CVSS 9.8 (critical): This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. Although…
CVE-2022-36981 — CVSS 9.8 (critical): This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Avalanche 6.3.3.101. Although…
CVE-2021-22962 — CVSS 9.1 (critical): An attacker can send a specially crafted request which could lead to leakage of sensitive data or potentially a resource-based DoS attack.
CVE-2023-46266 — CVSS 9.1 (critical): An attacker can send a specially crafted request which could lead to leakage of sensitive data or potentially a resource-based DoS attack.
CVE-2024-38652 — CVSS 9.1 (critical): Path traversal in the skin management component of Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to achieve denial of…
CVE-2023-32565 — CVSS 9.1 (critical): An attacker can send a specially crafted request which could lead to leakage of sensitive data or potentially a resource-based DoS attack…
CVE-2023-32566 — CVSS 9.1 (critical): An attacker can send a specially crafted request which could lead to leakage of sensitive data or potentially a resource-based DoS attack…
CVE-2021-42126 — CVSS 8.8 (high): An improper authorization control vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail…
CVE-2024-27976 — CVSS 8.8 (high): A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute…
CVE-2021-42129 — CVSS 8.8 (high): A command injection vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to perform…
CVE-2021-42130 — CVSS 8.8 (high): A deserialization of untrusted data vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail…
CVE-2021-42131 — CVSS 8.8 (high): A SQL Injection vulnerability exists in Ivanti Avalance before 6.3.3 allows an attacker with access to the Inforail Service to perform…
CVE-2021-42132 — CVSS 8.8 (high): A command Injection vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to perform…
CVE-2022-36971 — CVSS 8.8 (high): This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Avalanche 6.3.2.3490. Although…
CVE-2022-36973 — CVSS 8.8 (high): This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. Although…
CVE-2024-27975 — CVSS 8.8 (high): An Use-after-free vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to…
CVE-2024-25000 — CVSS 8.8 (high): A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute…
CVE-2024-24999 — CVSS 8.8 (high): A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute…
CVE-2024-24998 — CVSS 8.8 (high): A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute…
CVE-2024-24997 — CVSS 8.8 (high): A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute…
CVE-2024-24992 — CVSS 8.8 (high): A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute…
CVE-2024-23535 — CVSS 8.8 (high): A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute…
CVE-2024-23534 — CVSS 8.8 (high): An Unrestricted File-upload vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to…
CVE-2021-42124 — CVSS 8.8 (high): An improper access control vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to…
CVE-2021-42125 — CVSS 8.8 (high): An unrestricted file upload vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to…
CVE-2024-24994 — CVSS 8.8 (high): A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute…
CVE-2021-42133 — CVSS 8.1 (high): An exposed dangerous function vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service…
CVE-2024-27977 — CVSS 8.1 (high): A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to delete arbitrary…
CVE-2022-36980 — CVSS 8.1 (high): This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. Although…
CVE-2022-43554 — CVSS 7.8 (high): Ivanti Avalanche Smart Device Service Missing Authentication Local Privilege Escalation Vulnerability
CVE-2018-8901 — CVSS 7.8 (high): An issue was discovered in Ivanti Avalanche for all versions between 5.3 and 6.2. A local user with database access privileges can read the…
CVE-2022-43555 — CVSS 7.8 (high): Ivanti Avalanche Printer Device Service Missing Authentication Local Privilege Escalation Vulnerability
CVE-2023-41725 — CVSS 7.8 (high): Ivanti Avalanche EnterpriseServer Service Unrestricted File Upload Local Privilege Escalation Vulnerability
CVE-2024-38653 — CVSS 7.5 (high): XXE in SmartDeviceServer in Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to read arbitrary files on the server.
CVE-2024-37399 — CVSS 7.5 (high): A NULL pointer dereference in WLAvalancheService in Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to crash the service…
CVE-2024-23526 — CVSS 7.5 (high): An out-of-bounds read vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3, in certain conditions can allow an…
CVE-2024-23527 — CVSS 7.5 (high): An out-of-bounds read vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3, in certain conditions can allow an…
CVE-2024-23528 — CVSS 7.5 (high): An out-of-bounds read vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3, in certain conditions can allow an…
CVE-2024-23529 — CVSS 7.5 (high): An out-of-bounds read vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3, in certain conditions can allow an…
CVE-2024-23530 — CVSS 7.5 (high): An out-of-bounds read vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3, in certain conditions can allow an…
CVE-2024-23531 — CVSS 7.5 (high): An Integer Overflow vulnerability in WLInfoRailService component of Ivanti Avalanche before 6.4.3 allows an unauthenticated remote attacker…
CVE-2024-23532 — CVSS 7.5 (high): An out-of-bounds Read vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3 allows an authenticated remote…
CVE-2024-50331 — CVSS 7.5 (high): An out-of-bounds read vulnerability in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to leak sensitive information…
CVE-2024-13180 — CVSS 7.5 (high): Path Traversal in Ivanti Avalanche before version 6.4.7 allows a remote unauthenticated attacker to leak sensitive information. This CVE…
CVE-2023-46804 — CVSS 7.5 (high): An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial…
CVE-2024-50321 — CVSS 7.5 (high): An infinite loop in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to cause a denial of service.
CVE-2023-46803 — CVSS 7.5 (high): An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial…
CVE-2024-24993 — CVSS 7.5 (high): A Race Condition (TOCTOU) vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute…
CVE-2023-46262 — CVSS 7.5 (high): An unauthenticated attacked could send a specifically crafted web request causing a Server-Side Request Forgery (SSRF) in Ivanti Avalanche…
CVE-2024-24995 — CVSS 7.5 (high): A Race Condition (TOCTOU) vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute…
CVE-2024-50320 — CVSS 7.5 (high): An infinite loop in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to cause a denial of service.
CVE-2023-32561 — CVSS 7.5 (high): A previously generated artifact by an administrator could be accessed by an attacker. The contents of this artifact could lead to…
CVE-2024-50319 — CVSS 7.5 (high): An infinite loop in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to cause a denial of service.
CVE-2023-28127 — CVSS 7.5 (high): A path traversal vulnerability exists in Avalanche version 6.3.x and below that when exploited could result in possible information…
CVE-2024-50318 — CVSS 7.5 (high): A null pointer dereference in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to cause a denial of service.
CVE-2024-50317 — CVSS 7.5 (high): A null pointer dereference in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to cause a denial of service.
CVE-2022-44574 — CVSS 7.5 (high): An improper authentication vulnerability exists in Avalanche version 6.3.x and below allows unauthenticated attacker to modify properties…
CVE-2022-36982 — CVSS 7.5 (high): This vulnerability allows remote attackers to read arbitrary files on affected installations of Ivanti Avalanche 6.3.3.101. Although…
CVE-2024-47011 — CVSS 7.5 (high): Path Traversal in Ivanti Avalanche before version 6.4.5 allows a remote unauthenticated attacker to leak sensitive information
CVE-2024-47008 — CVSS 7.5 (high): Server-side request forgery in Ivanti Avalanche before version 6.4.5 allows a remote unauthenticated attacker to leak sensitive information.
CVE-2021-30497 — CVSS 7.5 (high): Ivanti Avalanche (Premise) 6.3.2 allows remote unauthenticated users to read arbitrary files via Absolute Path Traversal. The imageFilePath…
CVE-2024-47007 — CVSS 7.5 (high): A NULL pointer dereference in WLAvalancheService.exe of Ivanti Avalanche before version 6.4.5 allows a remote unauthenticated attacker to…
CVE-2024-36136 — CVSS 7.5 (high): An off-by-one error in WLInfoRailService in Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to crash the service, resulting…
CVE-2024-47009 — CVSS 7.3 (high): Path Traversal in Ivanti Avalanche before version 6.4.5 allows a remote unauthenticated attacker to bypass authentication.
CVE-2024-13179 — CVSS 7.3 (high): Path Traversal in Ivanti Avalanche before version 6.4.7 allows a remote unauthenticated attacker to bypass authentication.
CVE-2024-13181 — CVSS 7.3 (high): Path Traversal in Ivanti Avalanche before version 6.4.7 allows a remote unauthenticated attacker to bypass authentication. This CVE…
CVE-2024-47010 — CVSS 7.3 (high): Path Traversal in Ivanti Avalanche before version 6.4.5 allows a remote unauthenticated attacker to bypass authentication.
CVE-2024-29848 — CVSS 7.2 (high): An unrestricted file upload vulnerability in web component of Ivanti Avalanche before 6.4.x allows an authenticated, privileged user to…
CVE-2025-8296 — CVSS 7.2 (high): SQL injection in Ivanti Avalanche before version 6.4.8.8008 allows a remote authenticated attacker with admin privileges to execute…
CVE-2025-8297 — CVSS 7.2 (high): Incomplete restriction of configuration in Ivanti Avalanche before version 6.4.8.8008 allows a remote authenticated attacker with admin…
CVE-2023-28128 — CVSS 7.2 (high): An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.3.x and below that could allow an attacker…
CVE-2024-37373 — CVSS 7.2 (high): Improper input validation in the Central Filestore in Ivanti Avalanche 6.3.1 allows a remote authenticated attacker with admin rights to…
CVE-2024-27984 — CVSS 7.1 (high): A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to delete specific…
CVE-2018-8902 — CVSS 6.5 (medium): An issue was discovered in Ivanti Avalanche for all versions between 5.3 and 6.2. The impacted products used a single shared key encryption…
CVE-2023-41474 — CVSS 6.5 (medium): Directory Traversal vulnerability in Ivanti Avalanche 6.3.4.153 allows a remote authenticated attacker to obtain sensitive information via…
CVE-2024-27978 — CVSS 6.5 (medium): A Null Pointer Dereference vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3 allows an authenticated remote…
CVE-2024-24991 — CVSS 6.5 (medium): A Null Pointer Dereference vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3 allows an authenticated remote…
CVE-2024-23533 — CVSS 6.5 (medium): An out-of-bounds read vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3, in certain conditions can allow an…
CVE-2023-28126 — CVSS 5.9 (medium): An authentication bypass vulnerability exists in Avalanche versions 6.3.x and below that could allow an attacker to gain access by…
CVE-2023-28125 — CVSS 5.9 (medium): An improper authentication vulnerability exists in Avalanche Premise versions 6.3.x and below that could allow an attacker to gain access…