Skip to main content
CVE-2021-26084 CRITICAL POC KEV PATCH THREAT Act Now

Confluence Server and Data Center contain an OGNL injection vulnerability allowing unauthenticated remote code execution, triggering mass exploitation campaigns for cryptocurrency mining and ransomware in September 2021.

NVD Exploit-DB
CVSS 3.1
9.8
EPSS
94.4%
Threat
9.8
CVE-2021-34646 CRITICAL POC PATCH THREAT Act Now

Versions up to, and including, 5.4.3, of the Booster for WooCommerce WordPress plugin are vulnerable to authentication bypass via the process_email_verification function due to a random token. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

WordPress PHP Authentication Bypass Booster For Woocommerce
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
50.9%
CVE-2021-34066 CRITICAL POC Act Now

An issue was discovered in EdgeGallery/developer before v1.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Developer Be
NVD GitHub
CVSS 3.1
9.8
EPSS
2.0%
CVE-2021-37749 CRITICAL POC Act Now

MapService.svc in Hexagon GeoMedia WebMap 2020 before Update 2 (aka 16.6.2.66) allows blind SQL Injection via the Id (within sourceItems) parameter to the GetMap method. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Geomedia Webmap
NVD
CVSS 3.1
9.8
EPSS
1.8%
CVE-2021-39177 CRITICAL PATCH Act Now

Geyser is a bridge between Minecraft: Bedrock Edition and Minecraft: Java Edition. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

Java Authentication Bypass Geyser
NVD GitHub
CVSS 3.1
9.8
EPSS
1.4%
CVE-2021-37421 CRITICAL Act Now

Zoho ManageEngine ADSelfService Plus 6103 and prior is vulnerable to admin portal access-restriction bypass. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Zoho Authentication Bypass Manageengine Adselfservice Plus
NVD
CVSS 3.1
9.8
EPSS
2.5%
CVE-2021-37417 CRITICAL Act Now

Zoho ManageEngine ADSelfService Plus version 6103 and prior allows CAPTCHA bypass due to improper parameter validation. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Zoho Authentication Bypass Manageengine Adselfservice Plus
NVD
CVSS 3.1
9.8
EPSS
4.8%
CVE-2021-33055 CRITICAL PATCH Act Now

Zoho ManageEngine ADSelfService Plus through 6102 allows unauthenticated remote code execution in non-English editions. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This OS Command Injection vulnerability could allow attackers to execute arbitrary operating system commands on the host.

Zoho RCE Command Injection Manageengine Adselfservice Plus
NVD
CVSS 3.1
9.8
EPSS
18.1%
CVE-2021-38393 CRITICAL Act Now

A Blind SQL injection vulnerability exists in the /DataHandler/HandlerAlarmGroup.ashx endpoint of Delta Electronics DIAEnergie Version 1.7.5 and prior. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi RCE Diaenergie
NVD
CVSS 3.1
9.8
EPSS
19.9%
CVE-2021-38391 CRITICAL Act Now

A Blind SQL injection vulnerability exists in the /DataHandler/AM/AM_Handler.ashx endpoint of Delta Electronics DIAEnergie Version 1.7.5 and prior. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi RCE Diaenergie
NVD
CVSS 3.1
9.8
EPSS
3.5%
CVE-2021-38390 CRITICAL Act Now

A Blind SQL injection vulnerability exists in the /DataHandler/HandlerEnergyType.ashx endpoint of Delta Electronics DIAEnergie Version 1.7.5 and prior. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi RCE Diaenergie
NVD
CVSS 3.1
9.8
EPSS
19.8%
CVE-2021-32983 CRITICAL Act Now

A Blind SQL injection vulnerability exists in the /DataHandler/Handler_CFG.ashx endpoint of Delta Electronics DIAEnergie Version 1.7.5 and prior. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi RCE Diaenergie
NVD
CVSS 3.1
9.8
EPSS
3.9%
CVE-2021-32967 CRITICAL Act Now

Delta Electronics DIAEnergie Version 1.7.5 and prior may allow an attacker to add a new administrative user without being authenticated or authorized, which may allow the attacker to log in and use. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Diaenergie
NVD
CVSS 3.1
9.8
EPSS
1.4%
CVE-2021-32955 CRITICAL Act Now

Delta Electronics DIAEnergie Version 1.7.5 and prior allows unrestricted file uploads, which may allow an attacker to remotely execute code. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload Diaenergie
NVD
CVSS 3.1
9.8
EPSS
37.3%
CVE-2021-27663 CRITICAL Act Now

A vulnerability in versions 10.1 through 10.5 of Johnson Controls CEM Systems AC2000 allows a remote attacker to access to the system without adequate authorization. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Ac2000 Firmware
NVD
CVSS 3.1
9.8
EPSS
1.7%
CVE-2021-21741 CRITICAL Act Now

There is a command execution vulnerability in a ZTE conference management system. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Zte Zxv10 M910 Firmware
NVD
CVSS 3.1
9.8
EPSS
1.9%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy