Skip to main content
CVE-2021-24321 CRITICAL POC THREAT Act Now

The Bello - Directory & Listing WordPress theme before 1.6.0 did not sanitise the bt_bb_listing_field_price_range_to, bt_bb_listing_field_now_open, bt_bb_listing_field_my_lng, listing_list_view and. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi Bello
NVD WPScan
CVSS 3.1
9.8
EPSS
66.6%
CVE-2021-32647 CRITICAL POC PATCH Act Now

Emissary is a P2P based data-driven workflow engine. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

RCE Information Disclosure Java Emissary
NVD GitHub
CVSS 3.1
9.1
EPSS
2.9%
CVE-2021-27828 CRITICAL POC THREAT Act Now

SQL injection in In4Suite ERP 3.2.74.1370 allows attackers to modify or delete data, causing persistent changes to the application's content or behavior by using malicious SQL queries. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi In4Suite Erp
NVD Exploit-DB
CVSS 3.1
9.1
EPSS
20.3%
CVE-2021-32924 HIGH POC THREAT This Week

Invision Community (aka IPS Community Suite) before 4.6.0 allows eval-based PHP code injection by a moderator because the IPS\cms\modules\front\pages\_builder::previewBlock method interacts unsafely. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP Code Injection Ips Community Suite
NVD
CVSS 3.1
8.8
EPSS
19.9%
CVE-2021-24311 HIGH POC This Week

The wp_ajax_upload-remote-file AJAX action of the External Media WordPress plugin before 1.0.34 was vulnerable to arbitrary file uploads via any authenticated users. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress File Upload External Media
NVD WPScan
CVSS 3.1
8.8
EPSS
1.8%
CVE-2021-3516 HIGH POC PATCH This Week

There's a flaw in libxml2's xmllint in versions before 2.9.11. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Use After Free Memory Corruption Information Disclosure Xmllint Debian Linux +7
NVD
CVSS 3.1
7.8
EPSS
2.0%
CVE-2021-23017 HIGH POC PATCH THREAT This Week

A security issue in nginx resolver was identified, which might allow an attacker who is able to forge UDP packets from the DNS server to cause 1-byte memory overwrite, resulting in worker process. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Nginx Denial Of Service Openresty Fedora Ontap Select Deploy Administration Utility +9
NVD Exploit-DB
CVSS 3.1
7.7
EPSS
53.5%
CVE-2021-31684 HIGH POC PATCH This Week

A vulnerability was discovered in the indexOf function of JSONParserByteArray in JSON Smart versions 1.3 and 2.4 which causes a denial of service (DOS) via a crafted web request. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Buffer Overflow Denial Of Service Memory Corruption Json Smart V1 Json Smart V2 +1
NVD GitHub
CVSS 3.1
7.5
EPSS
2.3%
CVE-2021-24312 HIGH POC This Week

The parameters $cache_path, $wp_cache_debug_ip, $wp_super_cache_front_page_text, $cache_scheduled_time, $cached_direct_pages used in the settings of WP Super Cache WordPress plugin before 1.7.3. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress RCE Code Injection WP Super Cache
NVD WPScan
CVSS 3.1
7.2
EPSS
1.7%
CVE-2021-31642 MEDIUM POC THREAT This Month

A denial of service condition exists after an integer overflow in several IoT devices from CHIYU Technology, including BIOSENSE, Webpass, and BF-630, BF-631, and SEMAC. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Integer Overflow Denial Of Service Semac S2 Firmware Semac D1 Firmware Semac D2 Firmware +8
NVD Exploit-DB
CVSS 3.1
6.5
EPSS
43.7%
CVE-2021-24333 MEDIUM POC This Month

The Content Copy Protection & Prevent Image Save WordPress plugin through 1.3 does not check for CSRF when saving its settings, not perform any validation and sanitisation on them, allowing attackers. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress XSS Content Copy Protection Prevent Image Save
NVD WPScan
CVSS 3.1
6.5
EPSS
0.8%
CVE-2021-24318 MEDIUM POC This Month

The Listeo WordPress theme before 1.6.11 did not ensure that the Post/Page and Booking to delete belong to the user making the request, allowing any authenticated users to delete arbitrary page/post. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Authentication Bypass Listeo
NVD WPScan
CVSS 3.1
6.5
EPSS
1.0%
CVE-2021-24328 MEDIUM POC This Month

The WP Login Security and History WordPress plugin through 1.0 did not have CSRF check when saving its settings, not any sanitisation or validation on them. Rated medium severity (CVSS 6.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress XSS Wp Login Security And History
NVD WPScan
CVSS 3.1
6.2
EPSS
0.6%
CVE-2021-31641 MEDIUM POC This Month

An unauthenticated XSS vulnerability exists in several IoT devices from CHIYU Technology, including BF-630, BF-450M, BF-430, BF-431, BF631-W, BF830-W, Webpass, BF-MINI-W, and SEMAC due to a lack of. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Bf 430 Firmware Bf 431 Firmware Bf 450M Firmware Semac S2 Firmware +11
NVD
CVSS 3.1
6.1
EPSS
5.1%
CVE-2021-24335 MEDIUM POC This Month

The Car Repair Services & Auto Mechanic WordPress theme before 4.0 did not properly sanitise its serviceestimatekey search parameter before outputting it back in the page, leading to a reflected. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Car Repair Services Auto Mechanic
NVD WPScan
CVSS 3.1
6.1
EPSS
3.9%
CVE-2021-24320 MEDIUM POC THREAT This Month

The Bello - Directory & Listing WordPress theme before 1.6.0 did not properly sanitise and escape its listing_list_view, bt_bb_listing_field_my_lat, bt_bb_listing_field_my_lng,. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Bello
NVD WPScan
CVSS 3.1
6.1
EPSS
10.8%
CVE-2021-24317 MEDIUM POC This Month

The Listeo WordPress theme before 1.6.11 did not properly sanitise some parameters in its Search, Booking Confirmation and Personal Message pages, leading to Cross-Site Scripting issues. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Listeo
NVD WPScan
CVSS 3.1
6.1
EPSS
0.9%
CVE-2021-24316 MEDIUM POC This Month

The search feature of the Mediumish WordPress theme through 1.0.47 does not properly sanitise it's 's' GET parameter before output it back the page, leading to the Cross-SIte Scripting issue. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Mediumish
NVD WPScan
CVSS 3.1
6.1
EPSS
6.4%
CVE-2021-33180 CRITICAL Act Now

Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in cgi component in Synology Media Server before 1.8.1-2876 allows remote attackers to execute. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Synology SQLi Media Server
NVD
CVSS 3.1
9.8
EPSS
1.0%
CVE-2021-30181 CRITICAL PATCH Act Now

Apache Dubbo prior to 2.6.9 and 2.7.9 supports Script routing which will enable a customer to route the request to the right server. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache RCE Dubbo
NVD
CVSS 3.1
9.8
EPSS
61.5%
CVE-2021-30180 CRITICAL PATCH Act Now

Apache Dubbo prior to 2.7.9 support Tag routing which will enable a customer to route the request to the right server. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Request Smuggling Apache Information Disclosure Dubbo
NVD
CVSS 3.1
9.8
EPSS
60.4%
CVE-2021-30179 CRITICAL PATCH Act Now

Apache Dubbo prior to 2.6.9 and 2.7.9 by default supports generic calls to arbitrary methods exposed by provider interfaces. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Apache Java Dubbo
NVD
CVSS 3.1
9.8
EPSS
4.2%
CVE-2021-25641 CRITICAL PATCH Act Now

Each Apache Dubbo server will set a serialization id to tell the clients which serialization protocol it is working on. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Apache Dubbo
NVD
CVSS 3.1
9.8
EPSS
17.7%
CVE-2021-31643 MEDIUM POC THREAT This Month

An XSS vulnerability exists in several IoT devices from CHIYU Technology, including SEMAC, Biosense, BF-630, BF-631, and Webpass due to a lack of sanitization on the component if.cgi - username. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Bf 631 Firmware Bf 630 Firmware Semac S2 Firmware Semac D1 Firmware +7
NVD
CVSS 3.1
5.4
EPSS
88.4%
CVE-2021-24334 MEDIUM POC This Month

The Instant Images - One Click Unsplash Uploads WordPress plugin before 4.4.0.1 did not properly validate and sanitise its unsplash_download_w and unsplash_download_h parameter settings. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS PHP Instant Images One Click Unsplash Uploads
NVD WPScan
CVSS 3.1
5.4
EPSS
0.7%
CVE-2021-24329 MEDIUM POC This Month

The WP Super Cache WordPress plugin before 1.7.3 did not properly sanitise its wp_cache_location parameter in its settings, which could lead to a Stored Cross-Site Scripting issue. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS WP Super Cache
NVD WPScan
CVSS 3.1
5.4
EPSS
3.3%
CVE-2021-24322 MEDIUM POC This Month

The Database Backup for WordPress plugin before 2.4 did not escape the backup_recipient POST parameter in before output it back in the attribute of an HTML tag, leading to a Stored Cross-Site. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Database Backup
NVD WPScan
CVSS 3.1
5.4
EPSS
0.7%
CVE-2021-24319 MEDIUM POC This Month

The Bello - Directory & Listing WordPress theme before 1.6.0 did not properly sanitise its post_excerpt parameter before outputting it back in the shop/my-account/bello-listing-endpoint/ page,. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Bello
NVD WPScan
CVSS 3.1
5.4
EPSS
1.7%
CVE-2021-24313 MEDIUM POC This Month

The WP Prayer WordPress plugin before 1.6.2 provides the functionality to store requested prayers/praises and list them on a WordPress website. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Wp Prayer
NVD WPScan
CVSS 3.1
5.4
EPSS
0.7%
CVE-2021-24309 MEDIUM POC This Month

The "Schedule Name" input in the Weekly Schedule WordPress plugin before 3.4.3 general options did not properly sanitize input, allowing a user to inject javascript code using the <script> HTML tags. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Weekly Schedule
NVD WPScan
CVSS 3.1
5.4
EPSS
0.7%
CVE-2021-25932 MEDIUM POC PATCH This Month

In OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1;. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Meridian Opennms
NVD GitHub
CVSS 3.1
5.4
EPSS
0.9%
CVE-2021-32654 CRITICAL Act Now

Nextcloud Server is a Nextcloud package that handles data storage. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Nextcloud Authentication Bypass Nextcloud Server
NVD GitHub
CVSS 3.1
9.1
EPSS
1.8%
CVE-2021-33181 CRITICAL Act Now

Server-Side Request Forgery (SSRF) vulnerability in webapi component in Synology Video Station before 2.4.10-1632 allows remote authenticated users to send arbitrary request to intranet resources via. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Synology SSRF Video Station
NVD
CVSS 3.1
9.1
EPSS
1.0%
CVE-2021-22123 HIGH This Week

An OS command injection vulnerability in FortiWeb's management interface 6.3.7 and below, 6.2.3 and below, 6.1.x, 6.0.x, 5.9.x may allow a remote authenticated attacker to execute arbitrary commands. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Fortinet Command Injection Fortiweb
NVD
CVSS 3.1
8.8
EPSS
77.3%
CVE-2021-3495 HIGH PATCH This Week

An incorrect access control flaw was found in the kiali-operator in versions before 1.33.0 and before 1.24.7. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Kiali Operator Openshift Service Mesh
NVD
CVSS 3.1
8.8
EPSS
1.0%
CVE-2021-32027 HIGH PATCH This Week

A flaw was found in postgresql in versions before 13.3, before 12.7, before 11.12, before 10.17 and before 9.6.22. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Integer Overflow vulnerability could allow attackers to cause unexpected behavior through arithmetic overflow.

Integer Overflow PostgreSQL Information Disclosure Jboss Enterprise Application Platform Software Collections +1
NVD
CVSS 3.1
8.8
EPSS
2.0%
CVE-2021-29092 HIGH This Week

Unrestricted upload of file with dangerous type vulnerability in file management component in Synology Photo Station before 6.8.14-3500 allows remote authenticated users to execute arbitrary code via. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Synology RCE File Upload Photo Station
NVD
CVSS 3.1
8.8
EPSS
1.7%
CVE-2021-24331 MEDIUM POC This Month

The Smooth Scroll Page Up/Down Buttons WordPress plugin before 1.4 did not properly sanitise and validate its settings, such as psb_distance, psb_buttonsize, psb_speed, only validating them client. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Smooth Scroll Page Up Down Buttons
NVD WPScan
CVSS 3.1
4.8
EPSS
0.7%
CVE-2021-24330 MEDIUM POC This Month

The Funnel Builder by CartFlows - Create High Converting Sales Funnels For WordPress plugin before 1.6.13 did not sanitise its facebook_pixel_id and google_analytics_id settings, allowing high. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Cartflows
NVD WPScan
CVSS 3.1
4.8
EPSS
0.7%
CVE-2021-24310 MEDIUM POC This Month

The Photo Gallery by 10Web - Mobile-Friendly Image Gallery WordPress plugin before 1.5.67 did not properly sanitise the gallery title, allowing high privilege users to create one with XSS payload in. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Photo Gallery
NVD WPScan
CVSS 3.1
4.8
EPSS
1.1%
CVE-2021-32656 HIGH This Week

Nextcloud Server is a Nextcloud package that handles data storage. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Nextcloud Authentication Bypass Nextcloud Server
NVD GitHub
CVSS 3.1
8.6
EPSS
1.8%
CVE-2021-32652 MEDIUM POC This Month

Nextcloud Mail is a mail app for the Nextcloud platform. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Nextcloud Authentication Bypass Mail
NVD GitHub
CVSS 3.1
4.3
EPSS
1.1%
CVE-2021-32651 MEDIUM POC PATCH This Month

OneDev is a development operations platform. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Code Injection LDAP Onedev
NVD GitHub
CVSS 3.1
4.3
EPSS
1.1%
CVE-2021-33183 HIGH This Week

Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability container volume management component in Synology Docker before 18.09.0-0515 allows local users to read or. Rated high severity (CVSS 7.9), this vulnerability is low attack complexity. No vendor patch available.

Synology Docker Path Traversal
NVD
CVSS 3.1
7.9
EPSS
0.3%
CVE-2021-29740 HIGH This Week

IBM Spectrum Scale 5.0.0 through 5.0.5.6 and 5.1.0 through 5.1.0.3 system core component is affected by a format string security vulnerability. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

IBM RCE Spectrum Scale
NVD
CVSS 3.1
7.8
EPSS
0.3%
CVE-2021-29665 HIGH This Week

IBM Security Verify Access 20.07 is vulnerable to a stack based buffer overflow, caused by improper bounds checking which could allow a local attacker to execute arbitrary code on the system with. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Buffer Overflow IBM Memory Corruption RCE Security Verify Access
NVD
CVSS 3.1
7.8
EPSS
1.1%
CVE-2021-29088 HIGH This Week

Improper limitation of a pathname to a restricted directory ('Path Traversal') in cgi component in Synology DiskStation Manager (DSM) before 6.2.4-25553 allows local users to execute arbitrary code. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Synology RCE Path Traversal Diskstation Manager
NVD
CVSS 3.1
7.8
EPSS
0.3%
CVE-2021-23019 HIGH This Week

The NGINX Controller 2.0.0 thru 2.9.0 and 3.x before 3.15.0 Administrator password may be exposed in the systemd.txt file that is included in the NGINX support package. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Nginx Information Disclosure Nginx Controller
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVE-2021-33184 HIGH This Week

Server-Side request forgery (SSRF) vulnerability in task management component in Synology Download Station before 3.8.15-3563 allows remote authenticated users to read arbitrary files via unspecified. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Synology SSRF Download Station
NVD
CVSS 3.1
7.7
EPSS
1.0%
CVE-2021-20576 HIGH PATCH This Week

IBM Security Verify Access 20.07 could allow a remote attacker to send a specially crafted HTTP GET request that could cause the application to crash. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

IBM Denial Of Service Application Gateway Security Verify Access
NVD
CVSS 3.1
7.5
EPSS
2.5%
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy