Skip to main content
CVE-2021-26084 CRITICAL POC KEV PATCH THREAT Act Now

Confluence Server and Data Center contain an OGNL injection vulnerability allowing unauthenticated remote code execution, triggering mass exploitation campaigns for cryptocurrency mining and ransomware in September 2021.

NVD Exploit-DB
CVSS 3.1
9.8
EPSS
94.4%
Threat
9.8
CVE-2021-34646 CRITICAL POC PATCH THREAT Act Now

Versions up to, and including, 5.4.3, of the Booster for WooCommerce WordPress plugin are vulnerable to authentication bypass via the process_email_verification function due to a random token. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

WordPress PHP Authentication Bypass Booster For Woocommerce
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
50.9%
CVE-2021-34066 CRITICAL POC Act Now

An issue was discovered in EdgeGallery/developer before v1.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Developer Be
NVD GitHub
CVSS 3.1
9.8
EPSS
2.0%
CVE-2021-37749 CRITICAL POC Act Now

MapService.svc in Hexagon GeoMedia WebMap 2020 before Update 2 (aka 16.6.2.66) allows blind SQL Injection via the Id (within sourceItems) parameter to the GetMap method. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Geomedia Webmap
NVD
CVSS 3.1
9.8
EPSS
1.8%
CVE-2021-24581 HIGH POC This Week

The Blue Admin WordPress plugin through 21.06.01 does not sanitise or escape its "Logo Title" setting before outputting in a page, leading to a Stored Cross-Site Scripting issue. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress XSS Blue Admin
NVD WPScan Exploit-DB
CVSS 3.1
8.8
EPSS
4.1%
CVE-2021-24580 HIGH POC This Week

The Side Menu Lite WordPress plugin before 2.2.6 does not sanitise user input from the List page in the admin dashboard before using it in SQL statement, leading to a SQL Injection issue. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi Side Menu
NVD WPScan
CVSS 3.1
8.8
EPSS
1.4%
CVE-2021-24579 HIGH POC This Week

The bt_bb_get_grid AJAX action of the Bold Page Builder WordPress plugin before 3.1.6 passes user input into the unserialize() function without any validation or sanitisation, which could lead to a. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization WordPress PHP Bold Page Builder
NVD WPScan
CVSS 3.1
8.8
EPSS
8.2%
CVE-2021-39271 HIGH POC This Week

OrbiTeam BSCW Classic before 7.4.3 allows authenticated remote code execution (RCE) during archive extraction via attacker-supplied Python code in the class attribute of a .bscw file. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Python RCE Bscw Classic
NVD
CVSS 3.1
8.8
EPSS
3.7%
CVE-2021-36359 HIGH POC This Week

OrbiTeam BSCW Classic before 7.4.3 allows exportpdf authenticated remote code execution (RCE) via XML tag injection because reportlab\platypus\paraparser.py (reached via bscw.cgi. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Python RCE Bscw Classic
NVD
CVSS 3.1
8.8
EPSS
4.0%
CVE-2021-35062 HIGH POC This Week

A Shell Metacharacter Injection vulnerability in result.php in DRK Odenwaldkreis Testerfassung March-2021 allow an attacker with a valid token of a COVID-19 test result to execute shell commands with. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

PHP Command Injection Testerfassung
NVD GitHub
CVSS 3.1
8.1
EPSS
1.5%
CVE-2021-36691 HIGH POC This Week

libjxl v0.5.0 is affected by a Assertion failed issue in lib/jxl/image.cc jxl::PlaneBase::PlaneBase(). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Libjxl
NVD GitHub
CVSS 3.1
7.5
EPSS
1.1%
CVE-2021-36370 HIGH POC This Week

An issue was discovered in Midnight Commander through 4.8.26. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Midnight Commander
NVD GitHub
CVSS 3.1
7.5
EPSS
2.2%
CVE-2021-38385 HIGH POC This Week

Tor before 0.3.5.16, 0.4.5.10, and 0.4.6.7 mishandles the relationship between batch-signature verification and single-signature verification, leading to a remote assertion failure, aka. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Tor
NVD
CVSS 3.1
7.5
EPSS
1.7%
CVE-2021-32831 HIGH POC PATCH This Week

Total.js framework (npm package total.js) is a framework for Node.js platfrom written in pure JavaScript similar to PHP's Laravel or Python's Django or ASP.NET MVC. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

RCE Node.js Code Injection Python Total Js
NVD GitHub
CVSS 3.1
7.2
EPSS
1.5%
CVE-2021-36692 MEDIUM POC PATCH This Month

libjxl v0.3.7 is affected by a Divide By Zero in issue in lib/extras/codec_apng.cc jxl::DecodeImageAPNG(). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Libjxl
NVD GitHub
CVSS 3.1
6.5
EPSS
1.2%
CVE-2021-32832 MEDIUM POC PATCH This Month

Rocket.Chat is an open-source fully customizable communications platform developed in JavaScript. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Denial Of Service Rocket Chat
NVD GitHub
CVSS 3.1
6.5
EPSS
1.6%
CVE-2021-38343 MEDIUM POC This Month

The Nested Pages WordPress plugin <= 3.1.15 was vulnerable to an Open Redirect via the `page` POST parameter in the `npBulkActions`, `npBulkEdit`, `npListingSort`, and `npCategoryFilter` `admin_post`. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Open Redirect Nested Pages
NVD
CVSS 3.1
6.1
EPSS
0.8%
CVE-2021-37416 MEDIUM POC This Month

Zoho ManageEngine ADSelfService Plus version 6103 and prior is vulnerable to reflected XSS on the loadframe page. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Zoho Manageengine Adselfservice Plus
NVD
CVSS 3.1
6.1
EPSS
2.9%
CVE-2021-35061 MEDIUM POC This Month

Multiple cross-site scripting (XSS) vulnerabilities in DRK Odenwaldkreis Testerfassung March-2021 allow remote attackers to inject arbitrary web script or HTML via all parameters to HTML form fields. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Testerfassung
NVD GitHub
CVSS 3.1
6.1
EPSS
0.9%
CVE-2021-27909 MEDIUM POC PATCH This Month

For Mautic versions prior to 3.3.4/4.0.0, there is an XSS vulnerability on Mautic's password reset page where a vulnerable parameter, "bundle," in the URL could allow an attacker to execute. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Mautic
NVD GitHub
CVSS 3.1
6.1
EPSS
4.1%
CVE-2021-24438 MEDIUM POC This Month

The ShareThis Dashboard for Google Analytics WordPress plugin before 2.5.2 does not sanitise or escape the 'ga_action' parameter in the stats view before outputting it back in an attribute when the. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Google WordPress XSS Dashboard For Google Analytics
NVD WPScan
CVSS 3.1
6.1
EPSS
0.8%
CVE-2021-24437 MEDIUM POC This Month

The Favicon by RealFaviconGenerator WordPress plugin through 1.3.20 does not sanitise or escape one of its parameter before outputting it back in the response, leading to a Reflected Cross-Site. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Favicon By Realfavicongenerator
NVD WPScan
CVSS 3.1
6.1
EPSS
0.8%
CVE-2021-39177 CRITICAL PATCH Act Now

Geyser is a bridge between Minecraft: Bedrock Edition and Minecraft: Java Edition. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

Java Authentication Bypass Geyser
NVD GitHub
CVSS 3.1
9.8
EPSS
1.4%
CVE-2021-37421 CRITICAL Act Now

Zoho ManageEngine ADSelfService Plus 6103 and prior is vulnerable to admin portal access-restriction bypass. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Zoho Authentication Bypass Manageengine Adselfservice Plus
NVD
CVSS 3.1
9.8
EPSS
2.5%
CVE-2021-37417 CRITICAL Act Now

Zoho ManageEngine ADSelfService Plus version 6103 and prior allows CAPTCHA bypass due to improper parameter validation. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Zoho Authentication Bypass Manageengine Adselfservice Plus
NVD
CVSS 3.1
9.8
EPSS
4.8%
CVE-2021-33055 CRITICAL PATCH Act Now

Zoho ManageEngine ADSelfService Plus through 6102 allows unauthenticated remote code execution in non-English editions. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This OS Command Injection vulnerability could allow attackers to execute arbitrary operating system commands on the host.

Zoho RCE Command Injection Manageengine Adselfservice Plus
NVD
CVSS 3.1
9.8
EPSS
18.1%
CVE-2021-38393 CRITICAL Act Now

A Blind SQL injection vulnerability exists in the /DataHandler/HandlerAlarmGroup.ashx endpoint of Delta Electronics DIAEnergie Version 1.7.5 and prior. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi RCE Diaenergie
NVD
CVSS 3.1
9.8
EPSS
19.9%
CVE-2021-38391 CRITICAL Act Now

A Blind SQL injection vulnerability exists in the /DataHandler/AM/AM_Handler.ashx endpoint of Delta Electronics DIAEnergie Version 1.7.5 and prior. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi RCE Diaenergie
NVD
CVSS 3.1
9.8
EPSS
3.5%
CVE-2021-38390 CRITICAL Act Now

A Blind SQL injection vulnerability exists in the /DataHandler/HandlerEnergyType.ashx endpoint of Delta Electronics DIAEnergie Version 1.7.5 and prior. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi RCE Diaenergie
NVD
CVSS 3.1
9.8
EPSS
19.8%
CVE-2021-32983 CRITICAL Act Now

A Blind SQL injection vulnerability exists in the /DataHandler/Handler_CFG.ashx endpoint of Delta Electronics DIAEnergie Version 1.7.5 and prior. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi RCE Diaenergie
NVD
CVSS 3.1
9.8
EPSS
3.9%
CVE-2021-32967 CRITICAL Act Now

Delta Electronics DIAEnergie Version 1.7.5 and prior may allow an attacker to add a new administrative user without being authenticated or authorized, which may allow the attacker to log in and use. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Diaenergie
NVD
CVSS 3.1
9.8
EPSS
1.4%
CVE-2021-32955 CRITICAL Act Now

Delta Electronics DIAEnergie Version 1.7.5 and prior allows unrestricted file uploads, which may allow an attacker to remotely execute code. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload Diaenergie
NVD
CVSS 3.1
9.8
EPSS
37.3%
CVE-2021-27663 CRITICAL Act Now

A vulnerability in versions 10.1 through 10.5 of Johnson Controls CEM Systems AC2000 allows a remote attacker to access to the system without adequate authorization. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Ac2000 Firmware
NVD
CVSS 3.1
9.8
EPSS
1.7%
CVE-2021-21741 CRITICAL Act Now

There is a command execution vulnerability in a ZTE conference management system. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Zte Zxv10 M910 Firmware
NVD
CVSS 3.1
9.8
EPSS
1.9%
CVE-2021-24593 MEDIUM POC This Month

The Business Hours Indicator WordPress plugin before 2.3.5 does not sanitise or escape its 'Now closed message" setting when outputting it in the backend and frontend, leading to an Authenticated. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Business Hours Indicator
NVD WPScan
CVSS 3.1
5.4
EPSS
0.6%
CVE-2021-24528 MEDIUM POC This Month

The FluentSMTP WordPress plugin before 2.0.1 does not sanitize parameters before storing the settings in the database, nor does the plugin escape the values before outputting them when viewing the. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Fluentsmtp
NVD WPScan
CVSS 3.1
5.4
EPSS
0.6%
CVE-2021-34434 MEDIUM POC This Month

In Eclipse Mosquitto versions 2.0 to 2.0.11, when using the dynamic security plugin, if the ability for a client to make subscriptions on a topic is revoked when a durable client is offline, then. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Mosquitto Fedora
NVD
CVSS 3.1
5.3
EPSS
1.4%
CVE-2021-39132 HIGH PATCH This Week

Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization File Upload Rundeck
NVD GitHub
CVSS 3.1
8.8
EPSS
1.4%
CVE-2021-27020 HIGH This Week

Puppet Enterprise presented a security risk by not sanitizing user input when doing a CSV export. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Puppet Enterprise
NVD
CVSS 3.1
8.8
EPSS
1.1%
CVE-2021-37911 HIGH This Week

The management interface of BenQ smart wireless conference projector does not properly control user's privilege. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation Eh600 Firmware
NVD
CVSS 3.1
8.8
EPSS
0.6%
CVE-2021-24592 MEDIUM POC This Month

The Sitewide Notice WP WordPress plugin before 2.3 does not sanitise some of its settings before outputting them in frontend pages, allowing high privilege users to perform Cross-Site Scripting. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Sitewide Notice
NVD WPScan
CVSS 3.1
4.8
EPSS
0.6%
CVE-2021-38342 HIGH This Week

The Nested Pages WordPress plugin <= 3.1.15 was vulnerable to Cross-Site Request Forgery via the `npBulkAction`s and `npBulkEdit` `admin_post` actions, which allowed attackers to trash or permanently. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF WordPress Nested Pages
NVD
CVSS 3.1
8.1
EPSS
0.5%
CVE-2021-29630 HIGH PATCH This Week

In FreeBSD 13.0-STABLE before n246938-0729ba2f49c9, 12.2-STABLE before r370383, 11.4-STABLE before r370381, 13.0-RELEASE before p4, 12.2-RELEASE before p10, and 11.4-RELEASE before p13, the ggatec. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This Out-of-bounds Write vulnerability could allow attackers to write data beyond allocated buffer boundaries leading to code execution or crashes.

Buffer Overflow RCE Memory Corruption Freebsd
NVD
CVSS 3.1
8.1
EPSS
1.6%
CVE-2021-33019 HIGH This Week

A stack-based buffer overflow vulnerability in Delta Electronics DOPSoft Version 4.00.11 and prior may be exploited by processing a specially crafted project file, which may allow an attacker to. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Stack Overflow Dopsoft
NVD
CVSS 3.1
7.8
EPSS
2.4%
CVE-2021-33007 HIGH This Week

A heap-based buffer overflow in Delta Electronics TPEditor: v1.98.06 and prior may be exploited by processing a specially crafted project file. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Heap Overflow RCE Tpeditor
NVD
CVSS 3.1
7.8
EPSS
1.1%
CVE-2021-29631 HIGH This Week

In FreeBSD 13.0-STABLE before n246941-20f96f215562, 12.2-STABLE before r370400, 11.4-STABLE before r370399, 13.0-RELEASE before p4, 12.2-RELEASE before p10, and 11.4-RELEASE before p13, certain. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Buffer Overflow RCE Freebsd
NVD
CVSS 3.1
7.8
EPSS
0.3%
CVE-2021-27018 HIGH This Week

The mechanism which performs certificate validation was discovered to have a flaw that resulted in certificates signed by an internal certificate authority to not be properly validated. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Remediate
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2021-22027 HIGH PATCH This Week

The vRealize Operations Manager API (8.x prior to 8.5) contains a Server Side Request Forgery in an end point. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF Information Disclosure Cloud Foundation Vrealize Operations Manager Vrealize Suite Lifecycle Manager
NVD
CVSS 3.1
7.5
EPSS
1.2%
CVE-2021-22026 HIGH PATCH This Week

The vRealize Operations Manager API (8.x prior to 8.5) contains a Server Side Request Forgery in an end point. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF Information Disclosure Cloud Foundation Vrealize Operations Manager Vrealize Suite Lifecycle Manager
NVD
CVSS 3.1
7.5
EPSS
1.1%
CVE-2021-22025 HIGH PATCH This Week

The vRealize Operations Manager API (8.x prior to 8.5) contains a broken access control vulnerability leading to unauthenticated API access. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

Authentication Bypass Cloud Foundation Vrealize Operations Manager Vrealize Suite Lifecycle Manager
NVD
CVSS 3.1
7.5
EPSS
0.8%
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy