Foreman vulnerabilities: known CVEs & security history
The Foreman · Infra / Lifecycle · 70 tracked CVEs · 0 actively exploited · updated June 2026
This is the full list of known vulnerabilities (CVEs) across all Foreman release lines — 70 in total. A CVE here doesn't mean your version is affected — check Foreman's current status and the safe version to run.
Known Foreman CVEs
Actively-exploited and most-severe first.
| CVE | Severity | CVSS | EPSS | Year |
|---|---|---|---|---|
| CVE-2018-14643 | critical | 9.8 | 6% | 2018 |
| CVE-2023-0118 | critical | 9.1 | 1% | 2023 |
| CVE-2021-3590 | high | 8.8 | 1% | 2022 |
| CVE-2018-1097 | high | 8.8 | 2% | 2018 |
| CVE-2017-7505 | high | 8.8 | 2% | 2017 |
| CVE-2016-4475 | high | 8.8 | 3% | 2016 |
| CVE-2016-3728 | high | 8.8 | 3% | 2016 |
| CVE-2015-5246 | high | 8.1 | 1% | 2017 |
| CVE-2015-5152 | high | 8.1 | 2% | 2017 |
| CVE-2022-3874 | high | 8 | 2% | 2023 |
| CVE-2023-0462 | high | 8 | 1% | 2023 |
| CVE-2021-20260 | high | 7.8 | 0% | 2022 |
| CVE-2018-16861 | high | 7.6 | 1% | 2018 |
| CVE-2014-3691 | high | 7.5 | 2% | 2015 |
| CVE-2014-0007 | high | 7.5 | 9% | 2014 |
| CVE-2013-0210 | high | 7.5 | 2% | 2014 |
| CVE-2013-0171 | high | 7.5 | 3% | 2014 |
| CVE-2012-5648 | high | 7.5 | 2% | 2014 |
| CVE-2013-4386 | high | 7.5 | 1% | 2013 |
| CVE-2013-4182 | high | 7.5 | 2% | 2013 |
| CVE-2014-8183 | high | 7.4 | 1% | 2019 |
| CVE-2021-3584 | high | 7.2 | 4% | 2021 |
| CVE-2014-0090 | medium | 6.8 | 1% | 2014 |
| CVE-2023-4886 | medium | 6.7 | 0% | 2023 |
| CVE-2024-7700 | medium | 6.5 | 1% | 2024 |
| CVE-2017-2672 | medium | 6.5 | 1% | 2018 |
| CVE-2018-1096 | medium | 6.5 | 1% | 2018 |
| CVE-2013-0187 | medium | 6.5 | 1% | 2014 |
| CVE-2016-8613 | medium | 6.4 | 2% | 2018 |
| CVE-2014-4507 | medium | 6.4 | 2% | 2014 |
| CVE-2016-8639 | medium | 6.1 | 1% | 2018 |
| CVE-2016-8634 | medium | 6.1 | 1% | 2018 |
| CVE-2017-7535 | medium | 6.1 | 1% | 2018 |
| CVE-2017-15100 | medium | 6.1 | 1% | 2017 |
| CVE-2015-5282 | medium | 6.1 | 1% | 2017 |
| CVE-2016-6319 | medium | 6.1 | 2% | 2016 |
| CVE-2015-3235 | medium | 6 | 2% | 2015 |
| CVE-2013-2121 | medium | 6 | 25% | 2013 |
| CVE-2013-2113 | medium | 6 | 21% | 2013 |
| CVE-2021-3494 | medium | 5.9 | 0% | 2021 |
| CVE-2021-3469 | medium | 5.4 | 0% | 2021 |
| CVE-2018-14664 | medium | 5.4 | 1% | 2018 |
| CVE-2014-3531 | medium | 5.4 | 1% | 2017 |
| CVE-2014-0208 | medium | 5.4 | 1% | 2017 |
| CVE-2016-6320 | medium | 5.4 | 1% | 2016 |
| CVE-2016-2100 | medium | 5.4 | 1% | 2016 |
| CVE-2014-0091 | medium | 5.3 | 2% | 2019 |
| CVE-2016-5390 | medium | 5.3 | 1% | 2016 |
| CVE-2016-4995 | medium | 5.3 | 1% | 2016 |
| CVE-2025-9572 | medium | 5 | 0% | 2026 |
| CVE-2016-4451 | medium | 5 | 1% | 2016 |
| CVE-2015-3155 | medium | 5 | 2% | 2015 |
| CVE-2015-1816 | medium | 5 | 1% | 2015 |
| CVE-2014-0192 | medium | 5 | 2% | 2014 |
| CVE-2013-0174 | medium | 5 | 2% | 2014 |
| CVE-2013-0173 | medium | 5 | 1% | 2014 |
| CVE-2013-4180 | medium | 5 | 2% | 2013 |
| CVE-2019-3893 | medium | 4.9 | 2% | 2019 |
| CVE-2016-9593 | medium | 4.7 | 1% | 2018 |
| CVE-2020-10710 | medium | 4.4 | 0% | 2022 |
| CVE-2016-7078 | medium | 4.3 | 1% | 2018 |
| CVE-2016-7077 | medium | 4.3 | 1% | 2018 |
| CVE-2015-7518 | medium | 4.3 | 2% | 2015 |
| CVE-2014-3653 | medium | 4.3 | 2% | 2015 |
| CVE-2014-3492 | medium | 4.3 | 1% | 2014 |
| CVE-2014-3491 | medium | 4.3 | 1% | 2014 |
| CVE-2014-0089 | medium | 4.3 | 2% | 2014 |
| CVE-2015-5233 | medium | 4.2 | 1% | 2016 |
| CVE-2015-1844 | medium | 4 | 2% | 2015 |
| CVE-2012-5477 | low | 3.6 | 0% | 2014 |
Is my Foreman version affected?
The list above spans every release. To know whether your version is affected — and the minimum safe version to upgrade to — check it directly.
Foreman vulnerabilities — frequently asked
How many known vulnerabilities does Foreman have?
IsItPatched tracks 70 CVEs for Foreman. 2 are critical-severity and 20 high-severity. These span every release line — what matters is whether the version you run is affected.
Does Foreman have any actively-exploited vulnerabilities?
None of Foreman's tracked CVEs are currently in CISA's KEV catalog — but new ones can be added at any time, so keep your version current.
What is the most severe Foreman vulnerability?
Among tracked issues, CVE-2018-14643 (CRITICAL, CVSS 9.8) ranks highest — a CWE-592 weakness.
Is Foreman safe to use?
It depends on the version. The latest supported Foreman release (3.18.1) clears the known issues; older versions may still be affected. Check the exact version you run for a verdict.
CVE data aggregated from NVD, CISA KEV and EPSS (FIRST.org). Always verify against The Foreman's advisories.