Skip to main content
CVE-2021-26855 CRITICAL POC KEV PATCH THREAT Act Now

Microsoft Exchange Server contains a server-side request forgery (SSRF) vulnerability known as 'ProxyLogon' that allows unauthenticated attackers to access Exchange backend services, chain with other vulnerabilities for full server compromise. The most impactful Exchange vulnerability in history.

NVD Exploit-DB
CVSS 3.1
9.1
EPSS
94.0%
Threat
9.6
CVE-2021-27065 HIGH POC KEV PATCH THREAT Act Now

Microsoft Exchange Server allows post-authentication arbitrary file write that enables web shell deployment, the primary persistence mechanism in the ProxyLogon attack chain responsible for compromising 250,000+ servers.

NVD Exploit-DB
CVSS 3.1
7.8
EPSS
94.3%
Threat
9.4
CVE-2021-26858 HIGH KEV PATCH THREAT Act Now

Microsoft Exchange Server allows authenticated attackers to write arbitrary files to the server filesystem, the third component of the ProxyLogon exploit chain enabling web shell deployment.

NVD
CVSS 3.1
7.8
EPSS
53.0%
CVE-2021-26857 HIGH KEV PATCH THREAT Act Now

Microsoft Exchange Server Unified Messaging service contains a deserialization vulnerability that allows authenticated attackers to execute code as SYSTEM, part of the ProxyLogon exploit chain.

NVD
CVSS 3.1
7.8
EPSS
40.5%
CVE-2021-21978 CRITICAL POC THREAT Emergency

VMware View Planner 4.x prior to 4.6 Security Patch 1 contains a remote code execution vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE File Upload VMware View Planner
NVD
CVSS 3.1
9.8
EPSS
99.0%
CVE-2021-27215 CRITICAL POC PATCH Act Now

An issue was discovered in genua genugate before 9.0 Z p19, 9.1.x through 9.6.x before 9.6 p7, and 10.x before 10.1 p4. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Authentication Bypass Genuagate
NVD
CVSS 3.1
9.8
EPSS
2.3%
CVE-2021-27931 CRITICAL POC THREAT Act Now

LumisXP (aka Lumis Experience Platform) before 10.0.0 allows unauthenticated blind XXE via an API request to PageControllerXml.jsp. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service XXE Lumis Experience Platform
NVD GitHub
CVSS 3.1
9.1
EPSS
18.6%
CVE-2021-21353 CRITICAL POC PATCH Act Now

Pug is an npm package which is a high-performance template engine. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

RCE Node.js Pug Pug Code Gen
NVD GitHub
CVSS 3.1
9.0
EPSS
4.3%
CVE-2021-22884 HIGH POC PATCH THREAT This Week

Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to DNS rebinding attacks as the whitelist includes “localhost6”. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Node.js Authentication Bypass Node Js Fedora Active Iq Unified Manager +10
NVD
CVSS 3.1
7.5
EPSS
32.4%
CVE-2021-26813 HIGH POC PATCH This Week

markdown2 >=1.0.1.18, fixed in 2.4.0, is affected by a regular expression denial of service vulnerability. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Markdown2 Fedora
NVD GitHub
CVSS 3.1
7.5
EPSS
2.4%
CVE-2021-21979 HIGH POC This Week

In Bitnami Containers, all Laravel container versions prior to: 6.20.0-debian-10-r107 for Laravel 6, 7.30.1-debian-10-r108 for Laravel 7 and 8.5.11-debian-10-r0 for Laravel 8, the file /tmp/app/.env. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Debian Docker PHP Authentication Bypass Containers
NVD GitHub
CVSS 3.1
7.3
EPSS
0.6%
CVE-2021-22877 MEDIUM POC PATCH This Month

A missing user check in Nextcloud prior to 20.0.6 inadvertently populates a user's own credentials for other users external storage configuration when not already configured yet. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Nextcloud Authentication Bypass Nextcloud Server Fedora
NVD GitHub
CVSS 3.1
6.5
EPSS
1.7%
CVE-2021-27940 MEDIUM POC PATCH This Month

resources/public/js/orchestrator.js in openark orchestrator before 3.2.4 allows XSS via the orchestrator-msg parameter. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Orchestrator
NVD GitHub
CVSS 3.1
6.1
EPSS
1.2%
CVE-2021-22681 CRITICAL KEV THREAT Act Now

Rockwell Automation Studio 5000 Logix Designer Versions 21 and later, and RSLogix 5000 Versions 16 through 20 use a key to verify Logix controllers are communicating with Rockwell Automation. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Rockwell Authentication Bypass Factorytalk Services Platform Rslogix 5000 Studio 5000 Logix Designer
NVD
CVSS 3.1
9.8
EPSS
25.5%
CVE-2021-22182 MEDIUM POC This Month

An issue has been discovered in GitLab affecting all versions starting with 13.7. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Gitlab
NVD
CVSS 3.1
5.4
EPSS
1.0%
CVE-2021-21352 CRITICAL PATCH Act Now

Anuko Time Tracker is an open source, web-based time tracking application written in PHP. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Time Tracker
NVD GitHub
CVSS 3.1
9.1
EPSS
1.4%
CVE-2021-27078 CRITICAL PATCH Act Now

Microsoft Exchange Server Remote Code Execution Vulnerability. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity.

Microsoft RCE Exchange Server
NVD
CVSS 3.1
9.1
EPSS
18.3%
CVE-2021-26412 CRITICAL PATCH Act Now

Microsoft Exchange Server Remote Code Execution Vulnerability. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity.

Microsoft RCE Exchange Server
NVD
CVSS 3.1
9.1
EPSS
30.4%
CVE-2021-22878 MEDIUM POC PATCH This Month

Nextcloud Server prior to 20.0.6 is vulnerable to reflected cross-site scripting (XSS) due to lack of sanitization in `OC.Notification.show`. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Nextcloud XSS Nextcloud Server Fedora
NVD GitHub
CVSS 3.1
4.8
EPSS
1.1%
CVE-2021-27927 HIGH PATCH This Week

In Zabbix from 4.0.x before 4.0.28rc1, 5.0.0alpha1 before 5.0.10rc1, 5.2.x before 5.2.6rc1, and 5.4.0alpha1 before 5.4.0beta2, the CControllerAuthenticationUpdate controller lacks a CSRF protection. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

CSRF Zabbix
NVD
CVSS 3.1
8.8
EPSS
1.5%
CVE-2021-20076 HIGH This Week

Tenable.sc and Tenable.sc Core versions 5.13.0 through 5.17.0 were found to contain a vulnerability that could allow an authenticated, unprivileged user to perform Remote Code Execution (RCE) on the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization RCE Tenable Sc
NVD
CVSS 3.1
8.8
EPSS
2.0%
CVE-2021-20233 HIGH PATCH This Week

A flaw was found in grub2 in versions prior to 2.06. Rated high severity (CVSS 8.2), this vulnerability is low attack complexity. This Out-of-bounds Write vulnerability could allow attackers to write data beyond allocated buffer boundaries leading to code execution or crashes.

Buffer Overflow Memory Corruption Grub2 Enterprise Linux Enterprise Linux Server Aus +5
NVD
CVSS 3.1
8.2
EPSS
0.6%
CVE-2021-22863 HIGH This Week

An improper access control vulnerability was identified in the GitHub Enterprise Server GraphQL API that allowed authenticated users of the instance to modify the maintainer collaboration permission. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Github
NVD GitHub
CVSS 3.1
8.1
EPSS
1.0%
CVE-2021-22683 HIGH This Week

Fatek FvDesigner Version 1.5.76 and prior is vulnerable to an out-of-bounds write while processing project files, allowing an attacker to craft a special project file that may permit arbitrary code. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Memory Corruption Fvdesigner
NVD
CVSS 3.1
7.8
EPSS
1.0%
CVE-2021-22670 HIGH This Week

An uninitialized pointer may be exploited in Fatek FvDesigner Version 1.5.76 and prior while the application is processing project files, allowing an attacker to craft a special project file that may. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Memory Corruption Fvdesigner
NVD
CVSS 3.1
7.8
EPSS
1.0%
CVE-2021-22666 HIGH This Week

Fatek FvDesigner Version 1.5.76 and prior is vulnerable to a stack-based buffer overflow while project files are being processed, allowing an attacker to craft a special project file that may permit. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Stack Overflow Fvdesigner
NVD
CVSS 3.1
7.8
EPSS
1.1%
CVE-2021-22662 HIGH This Week

A use after free issue has been identified in Fatek FvDesigner Version 1.5.76 and prior in the way the application processes project files, allowing an attacker to craft a special project file that. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Use After Free Denial Of Service RCE Memory Corruption Fvdesigner
NVD
CVSS 3.1
7.8
EPSS
1.1%
CVE-2021-22638 HIGH This Week

Fatek FvDesigner Version 1.5.76 and prior is vulnerable to an out-of-bounds read while processing project files, allowing an attacker to craft a special project file that may permit arbitrary code. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Information Disclosure Fvdesigner
NVD
CVSS 3.1
7.8
EPSS
1.0%
CVE-2021-25315 HIGH PATCH This Week

CWE - CWE-287: Improper Authentication vulnerability in SUSE Linux Enterprise Server 15 SP 3; openSUSE Tumbleweed allows local attackers to execute arbitrary code via salt without the need to specify. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

RCE Authentication Bypass Salt
NVD
CVSS 3.1
7.8
EPSS
2.3%
CVE-2021-27935 HIGH PATCH This Week

An issue was discovered in AdGuard before 0.105.2. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Insufficiently Protected Credentials vulnerability could allow attackers to obtain user credentials due to weak protection mechanisms.

Information Disclosure Adguard Home
NVD GitHub
CVSS 3.1
7.5
EPSS
4.1%
CVE-2021-22883 HIGH PATCH This Week

Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to a denial of service attack when too many connection attempts with an 'unknownProtocol' are established. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Node.js Denial Of Service Node Js Fedora E Series Performance Analyzer +6
NVD
CVSS 3.1
7.5
EPSS
77.4%
CVE-2021-20442 HIGH PATCH This Week

IBM Security Verify Bridge contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components,. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Use of Hard-coded Credentials vulnerability could allow attackers to gain access using credentials embedded in source code.

IBM Authentication Bypass Security Verify Bridge
NVD
CVSS 3.1
7.5
EPSS
1.0%
CVE-2021-27923 HIGH PATCH This Week

Pillow before 8.1.2 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICO container, and thus an. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Pillow Fedora
NVD
CVSS 3.1
7.5
EPSS
3.1%
CVE-2021-27922 HIGH PATCH This Week

Pillow before 8.1.2 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICNS container, and thus an. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Pillow Fedora
NVD
CVSS 3.1
7.5
EPSS
4.9%
CVE-2021-27921 HIGH PATCH This Week

Pillow before 8.1.2 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for a BLP container, and thus an. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Pillow Fedora
NVD
CVSS 3.1
7.5
EPSS
3.2%
CVE-2021-20225 MEDIUM This Month

A flaw was found in grub2 in versions prior to 2.06. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.

Buffer Overflow Memory Corruption Grub2 Enterprise Linux Enterprise Linux Server Aus +5
NVD
CVSS 3.1
6.7
EPSS
1.0%
CVE-2021-26854 MEDIUM PATCH This Month

Microsoft Exchange Server Remote Code Execution Vulnerability. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable.

Microsoft RCE Exchange Server
NVD
CVSS 3.1
6.6
EPSS
19.6%
CVE-2021-22862 MEDIUM This Month

An improper access control vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user with the ability to fork a repository to disclose Actions secrets for the parent. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Github
NVD GitHub
CVSS 3.1
6.5
EPSS
0.8%
CVE-2021-22861 MEDIUM This Month

An improper access control vulnerability was identified in GitHub Enterprise Server that allowed authenticated users of the instance to gain write access to unauthorized repositories via specifically. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Github
NVD GitHub
CVSS 3.1
6.5
EPSS
0.9%
CVE-2021-21313 MEDIUM This Month

GLPI is open source software which stands for Gestionnaire Libre de Parc Informatique and it is a Free Asset and IT Management Software package. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP Information Disclosure Glpi
NVD GitHub
CVSS 3.1
6.1
EPSS
0.9%
CVE-2021-20441 MEDIUM PATCH This Month

IBM Security Verify Bridge uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.

IBM Information Disclosure Security Verify Bridge
NVD
CVSS 3.1
5.9
EPSS
0.7%
CVE-2021-25252 MEDIUM PATCH This Month

Trend Micro's Virus Scan API (VSAPI) and Advanced Threat Scan Engine (ATSE) - are vulnerable to a memory exhaustion vulnerability that may lead to denial-of-service or system freeze if exploited by. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Trend Micro Apex Central Apex One Cloud Edge +16
NVD
CVSS 3.1
5.5
EPSS
0.6%
CVE-2021-22188 MEDIUM This Month

An issue has been discovered in GitLab affecting all versions starting with 13.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Gitlab Information Disclosure
NVD
CVSS 3.1
5.3
EPSS
1.3%
CVE-2021-21314 MEDIUM This Month

GLPI is open source software which stands for Gestionnaire Libre de Parc Informatique and it is a Free Asset and IT Management Software package. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Glpi
NVD GitHub
CVSS 3.1
4.8
EPSS
0.6%
CVE-2021-21312 MEDIUM This Month

GLPI is open source software which stands for Gestionnaire Libre de Parc Informatique and it is a Free Asset and IT Management Software package. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP XSS Glpi
NVD GitHub
CVSS 3.1
4.8
EPSS
0.6%
CVE-2021-23347 MEDIUM PATCH This Month

The package github.com/argoproj/argo-cd/cmd before 1.7.13, from 1.8.0 and before 1.8.6 are vulnerable to Cross-site Scripting (XSS) the SSO provider connected to Argo CD would have to send back a. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity.

XSS Argo Cd
NVD GitHub
CVSS 3.1
4.8
EPSS
0.5%
CVE-2021-2138 MEDIUM This Month

Vulnerability in the Oracle Cloud Infrastructure Data Science Notebook Sessions. Rated medium severity (CVSS 4.6), this vulnerability is low attack complexity. No vendor patch available.

Oracle Authentication Bypass Cloud Infrastructure Data Science
NVD
CVSS 3.1
4.6
EPSS
0.4%
CVE-2021-27839 MEDIUM This Month

A CSV injection vulnerability found in Online Invoicing System (OIS) 4.3 and below can be exploited by users to perform malicious actions such as redirecting admins to unknown or harmful websites, or. Rated medium severity (CVSS 4.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Code Injection Online Invoicing System
NVD GitHub
CVSS 3.1
4.4
EPSS
0.7%
CVE-2021-21331 LOW PATCH Monitor

The Java client for the Datadog API before version 1.0.0-beta.9 has a local information disclosure of sensitive information downloaded via the API using the API Client. Rated low severity (CVSS 3.3), this vulnerability is no authentication required, low attack complexity.

Information Disclosure Java Datadog Api Client Java
NVD GitHub
CVSS 3.1
3.3
EPSS
0.6%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy