cleo CVE Vulnerabilities & Metrics

About cleo Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with cleo. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

For a broader perspective on cybersecurity threats, explore the comprehensive list of CVEs by vendor and product. Stay updated on critical vulnerabilities affecting major software and hardware providers.

Critical cleo CVEs (CVSS ≥ 9) Over 20 Years

Top 5 Highest CVSS cleo CVEs

These are the five CVEs with the highest CVSS scores for cleo, sorted by severity first and recency.

• CVE-2021-33576 cleo Published on 18 Jun 2021, 11:15 UTC (CVSS: 7.5)
  An issue was discovered in Cleo LexiCom 5.5.0.0. Within the AS2 message, the sender can specify a filename. This filename can include path-traversal characters, allowing the file to be written to an arbitrary location on disk.
• CVE-2021-33577 cleo Published on 18 Jun 2021, 11:15 UTC (CVSS: 5.0)
  An issue was discovered in Cleo LexiCom 5.5.0.0. The requirement for the sender of an AS2 message to identify themselves (via encryption and signing of the message) can be bypassed by changing the Content-Type of the message to text/plain.
• CVE-2024-55956 cleo Published on 13 Dec 2024, 21:15 UTC (CVSS: 0)
  In Cleo Harmony before 5.8.0.24, VLTrader before 5.8.0.24, and LexiCom before 5.8.0.24, an unauthenticated user can import and execute arbitrary Bash or PowerShell commands on the host system by leveraging the default settings of the Autorun directory.
• CVE-2024-50623 cleo Published on 28 Oct 2024, 00:15 UTC (CVSS: 0)
  In Cleo Harmony before 5.8.0.21, VLTrader before 5.8.0.21, and LexiCom before 5.8.0.21, there is an unrestricted file upload and download that could lead to remote code execution.

All CVEs for cleo