Skip to main content
CVE-2021-3156 HIGH POC KEV PATCH THREAT Act Now

Sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based buffer overflow, which allows privilege escalation to root via "sudoedit -s" and a command-line argument that ends. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available.

Buffer Overflow Privilege Escalation Sudo Fedora Debian Linux +21
NVD Exploit-DB
CVSS 3.1
7.8
EPSS
99.3%
CVE-2021-3304 CRITICAL POC Act Now

Sagemcom F@ST 3686 v2 3.495 devices have a buffer overflow via a long sessionKey to the goform/login URI. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow F St 3686 Firmware
NVD
CVSS 3.1
9.8
EPSS
1.3%
CVE-2021-3278 CRITICAL POC THREAT Act Now

Local Service Search Engine Management System 1.0 has a vulnerability through authentication bypass using SQL injection . Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Authentication Bypass Local Services Search Engine Management System
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
25.3%
CVE-2021-3199 CRITICAL POC Act Now

Directory traversal with remote code execution can occur in /upload in ONLYOFFICE Document Server before 5.6.3, when JWT is used, via a /.. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Path Traversal Document Server
NVD GitHub
CVSS 3.1
9.8
EPSS
8.2%
CVE-2021-3190 CRITICAL POC PATCH Act Now

The async-git package before 1.13.2 for Node.js allows OS Command Injection via shell metacharacters, as demonstrated by git.reset and git.tag. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js Command Injection Async Git
NVD GitHub
CVSS 3.1
9.8
EPSS
5.3%
CVE-2021-3188 CRITICAL POC Act Now

phpList 3.6.0 allows CSV injection, related to the email parameter, and /lists/admin/ exports. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Phplist
NVD
CVSS 3.1
9.8
EPSS
1.8%
CVE-2021-25907 CRITICAL POC PATCH Act Now

An issue was discovered in the containers crate before 0.9.11 for Rust. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Containers
NVD
CVSS 3.1
9.8
EPSS
1.6%
CVE-2021-25900 CRITICAL POC PATCH Act Now

An issue was discovered in the smallvec crate before 0.6.14 and 1.x before 1.6.1 for Rust. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Memory Corruption Smallvec
NVD
CVSS 3.1
9.8
EPSS
1.7%
CVE-2021-25905 CRITICAL POC PATCH Act Now

An issue was discovered in the bra crate before 0.1.1 for Rust. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Bra
NVD
CVSS 3.1
9.1
EPSS
1.6%
CVE-2021-3317 HIGH POC THREAT This Week

KLog Server through 2.4.1 allows authenticated command injection. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Command Injection Klog Server
NVD Exploit-DB
CVSS 3.1
8.8
EPSS
41.4%
CVE-2021-3165 HIGH POC This Week

SmartAgent 3.1.0 allows a ViewOnly attacker to create a SuperUser account via the /#/CampaignManager/users URI. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Smartagent
NVD
CVSS 3.1
8.8
EPSS
2.2%
CVE-2021-3164 HIGH POC This Week

ChurchRota 2.6.4 is vulnerable to authenticated remote code execution. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP File Upload Churchrota
NVD GitHub
CVSS 3.1
8.8
EPSS
4.2%
CVE-2021-25863 HIGH POC This Week

Open5GS 2.1.3 listens on 0.0.0.0:3000 and has a default password of 1423 for the admin account. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Open5gs
NVD GitHub
CVSS 3.1
8.8
EPSS
1.2%
CVE-2021-3309 HIGH POC PATCH This Week

packages/wekan-ldap/server/ldap.js in Wekan before 4.87 can process connections even though they are not authorized by the Certification Authority trust store,. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Information Disclosure Wekan
NVD GitHub
CVSS 3.1
8.1
EPSS
1.7%
CVE-2020-28874 HIGH POC PATCH This Week

reset-password.php in ProjectSend before r1295 allows remote attackers to reset a password because of incorrect business logic. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Authentication Bypass PHP Projectsend
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
2.4%
CVE-2021-3297 HIGH POC THREAT This Week

On Zyxel NBG2105 V1.00(AAGU.2)C0 devices, setting the login cookie to 1 provides administrator access. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Zyxel Authentication Bypass Nbg2105 Firmware
NVD GitHub
CVSS 3.1
7.8
EPSS
20.5%
CVE-2021-3223 HIGH POC PATCH THREAT This Week

Node-RED-Dashboard before 2.26.2 allows ui_base/js/..%2f directory traversal to read files. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Node Red Dashboard
NVD GitHub
CVSS 3.1
7.5
EPSS
18.5%
CVE-2021-3195 HIGH POC This Week

bitcoind in Bitcoin Core through 0.21.0 can create a new file in an arbitrary directory (e.g., outside the ~/.bitcoin directory) via a dumpwallet RPC call. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Bitcoin Core
NVD GitHub
CVSS 3.1
7.5
EPSS
1.2%
CVE-2021-25908 HIGH POC This Week

An issue was discovered in the fil-ocl crate through 2021-01-04 for Rust. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Fil Ocl
NVD
CVSS 3.1
7.5
EPSS
1.3%
CVE-2021-25906 HIGH POC PATCH This Week

An issue was discovered in the basic_dsp_matrix crate before 0.9.2 for Rust. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Basic Dsp Matrix
NVD
CVSS 3.1
7.5
EPSS
1.3%
CVE-2021-25904 HIGH POC PATCH This Week

An issue was discovered in the av-data crate before 0.3.0 for Rust. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Null Pointer Dereference Denial Of Service Av Data
NVD
CVSS 3.1
7.5
EPSS
1.3%
CVE-2021-25903 HIGH POC This Week

An issue was discovered in the cache crate through 2021-01-01 for Rust. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Null Pointer Dereference Denial Of Service Cache
NVD
CVSS 3.1
7.5
EPSS
1.4%
CVE-2021-25902 HIGH POC PATCH This Week

An issue was discovered in the glsl-layout crate before 0.4.0 for Rust. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Glsl Layout
NVD
CVSS 3.1
7.5
EPSS
1.4%
CVE-2021-25864 HIGH POC This Week

node-red-contrib-huemagic 3.0.0 is affected by hue/assets/..%2F Directory Traversal.in the res.sendFile API, used in file hue-magic.js, to fetch an arbitrary file. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Huemagic
NVD GitHub
CVSS 3.1
7.5
EPSS
9.3%
CVE-2021-3291 HIGH POC PATCH THREAT This Week

Zen Cart 1.5.7b allows admins to execute arbitrary OS commands by inspecting an HTML radio input element (within the modules edit page) and inserting a command. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Zen Cart
NVD GitHub Exploit-DB
CVSS 3.1
7.2
EPSS
16.8%
CVE-2021-22873 MEDIUM POC THREAT This Month

Revive Adserver before 5.1.0 is vulnerable to open redirects via the `dest`, `oadest`, and/or `ct0` parameters of the lg.php and ck.php delivery scripts. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Open Redirect PHP Revive Adserver
NVD GitHub
CVSS 3.1
6.1
EPSS
66.1%
CVE-2021-22872 MEDIUM POC PATCH This Month

Revive Adserver before 5.1.0 is vulnerable to a reflected cross-site scripting (XSS) vulnerability via the publicly accessible afr.php delivery script. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

PHP XSS Revive Adserver
NVD GitHub
CVSS 3.1
6.1
EPSS
3.4%
CVE-2021-21278 CRITICAL PATCH Act Now

RSSHub is an open source, easy to use, and extensible RSS feed generator. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Code Injection Rsshub
NVD GitHub
CVSS 3.1
9.8
EPSS
1.6%
CVE-2021-3286 CRITICAL Act Now

SQL injection exists in Spotweb 1.4.9 because the notAllowedCommands protection mechanism is inadequate, e.g., a variation of the payload may be used. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Spotweb
NVD GitHub
CVSS 3.1
9.8
EPSS
1.0%
CVE-2021-3193 CRITICAL Act Now

Improper access and command validation in the Nagios Docker Config Wizard before 1.1.2, as used in Nagios XI through 5.7, allows an unauthenticated attacker to execute remote code as the apache user. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Docker Apache Information Disclosure Nagios Xi
NVD
CVSS 3.1
9.8
EPSS
9.8%
CVE-2021-3185 CRITICAL PATCH Act Now

A flaw was found in the gstreamer h264 component of gst-plugins-bad before v1.18.1 where when parsing a h264 header, an attacker could cause the stack to be smashed, memory corruption and possibly. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Buffer Copy without Size Check vulnerability could allow attackers to overflow a buffer to corrupt adjacent memory.

Buffer Overflow RCE Gst Plugins Bad
NVD
CVSS 3.1
9.8
EPSS
2.4%
CVE-2021-3186 MEDIUM POC This Month

A Stored Cross-site scripting (XSS) vulnerability in /main.html Wifi Settings in Tenda AC5 AC1200 version V15.03.06.47_multi allows remote attackers to inject arbitrary web script or HTML via the. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Tenda XSS Ac5 Firmware
NVD Exploit-DB
CVSS 3.1
5.4
EPSS
2.5%
CVE-2021-3152 MEDIUM POC This Month

Home Assistant before 2021.1.3 does not have a protection layer that can help to prevent directory-traversal attacks against custom integrations. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Home Assistant
NVD
CVSS 3.1
5.3
EPSS
2.2%
CVE-2020-35854 MEDIUM POC This Month

Textpattern 4.8.4 is affected by cross-site scripting (XSS) in the Body parameter. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Textpattern
NVD VulDB
CVSS 3.1
4.8
EPSS
0.7%
CVE-2020-36011 MEDIUM POC This Month

A cross-site scripting (XSS) issue in Add Patient Form in QDOCS Smart Hospital Management System 3.1 allows a remote attacker to inject arbitrary code via the Name, Guardian Name, Email, Address,. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE XSS Smart Hospital
NVD Exploit-DB VulDB
CVSS 3.1
4.8
EPSS
0.7%
CVE-2021-22871 MEDIUM POC PATCH This Month

Revive Adserver before 5.1.0 permits any user with a manager account to store possibly malicious content in the URL website property, which is then displayed unsanitized in the affiliate-preview.php. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

PHP XSS Revive Adserver
NVD GitHub
CVSS 3.1
4.8
EPSS
2.1%
CVE-2021-22159 HIGH This Week

Insider Threat Management Windows Agent Local Privilege Escalation Vulnerability The Proofpoint Insider Threat Management (formerly ObserveIT) Agent for Windows before 7.4.3, 7.5.4, 7.6.5, 7.7.5,. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Apple Microsoft Privilege Escalation Authentication Bypass Insider Threat Management
NVD
CVSS 3.1
7.8
EPSS
0.3%
CVE-2021-26026 HIGH This Week

PlugIns\IDE_ACDStd.apl in ACDSee Professional 2021 14.0 1721 has a User Mode Write Access Violation starting at IDE_ACDStd!JPEGTransW+0x000000000000c7f4 via a crafted BMP image. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Photo Studio 2021
NVD GitHub
CVSS 3.1
7.8
EPSS
0.7%
CVE-2021-26025 HIGH This Week

PlugIns\IDE_ACDStd.apl in ACDSee Professional 2021 14.0 1721 has a User Mode Write Access Violation starting at IDE_ACDStd!zlibVersion+0x0000000000004e5e via a crafted BMP image. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Photo Studio 2021
NVD GitHub
CVSS 3.1
7.8
EPSS
0.7%
CVE-2021-22698 HIGH This Week

A CWE-434: Unrestricted Upload of File with Dangerous Type vulnerability exists in the EcoStruxure Power Build - Rapsody software (V2.1.13 and prior) that could allow a stack-based buffer overflow to. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE File Upload Ecostruxure Power Build Rapsody
NVD
CVSS 3.1
7.8
EPSS
3.9%
CVE-2021-22697 HIGH This Week

A CWE-434: Unrestricted Upload of File with Dangerous Type vulnerability exists in the EcoStruxure Power Build - Rapsody software (V2.1.13 and prior) that could allow a use-after-free condition which. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE File Upload Ecostruxure Power Build Rapsody
NVD
CVSS 3.1
7.8
EPSS
3.5%
CVE-2021-3115 HIGH PATCH This Week

Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code execution when using the "go get" command to fetch modules that make use of cgo (for example,. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Microsoft Command Injection RCE Go Fedora +2
NVD
CVSS 3.1
7.5
EPSS
6.5%
CVE-2021-26267 HIGH This Week

cPanel before 92.0.9 allows a MySQL user (who has an old-style password hash) to bypass suspension (SEC-579). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Cpanel
NVD
CVSS 3.1
7.5
EPSS
0.9%
CVE-2021-26266 HIGH This Week

cPanel before 92.0.9 allows a Reseller to bypass the suspension lock (SEC-578). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Cpanel
NVD
CVSS 3.1
7.5
EPSS
0.9%
CVE-2021-21723 HIGH This Week

Some ZTE products have a DoS vulnerability. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Zte Denial Of Service Zxr10 9904 Firmware Zxr10 9908 Firmware Zxr10 9916 Firmware +2
NVD
CVSS 3.1
7.5
EPSS
1.2%
CVE-2021-1070 HIGH This Week

NVIDIA Jetson AGX Xavier Series, Jetson Xavier NX, TX1, TX2, Nano and Nano 2GB, L4T versions prior to 32.5, contains a vulnerability in the apply_binaries.sh script used to install NVIDIA components. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity. No vendor patch available.

Denial Of Service Nvidia Linux For Tegra
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2021-26272 MEDIUM PATCH This Month

It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted URL-like text into the editor, and then press Enter or Space (in the Autolink. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Ckeditor Agile Plm Application Express Banking Party Management +6
NVD GitHub
CVSS 3.1
6.5
EPSS
2.2%
CVE-2021-26271 MEDIUM PATCH This Month

It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted text into the Styles input of specific dialogs (in the Advanced Tab for Dialogs. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Ckeditor Agile Plm Application Express Financial Services Analytical Applications Infrastructure +3
NVD GitHub
CVSS 3.1
6.5
EPSS
2.0%
CVE-2021-21271 MEDIUM PATCH This Month

Tendermint Core is an open source Byzantine Fault Tolerant (BFT) middleware that takes a state transition machine - written in any programming language - and securely replicates it on many machines. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Tendermint
NVD GitHub
CVSS 3.1
6.5
EPSS
1.7%
CVE-2021-3114 MEDIUM PATCH This Month

In Go before 1.14.14 and 1.15.x before 1.15.7, crypto/elliptic/p224.go can generate incorrect outputs, related to an underflow of the lowest limb during the final complete reduction in the P-224. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Go Fedora Debian Linux Cloud Insights Telegraf Agent +1
NVD GitHub
CVSS 3.1
6.5
EPSS
2.7%
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy