Skip to main content
CVE-2021-40444 HIGH POC KEV PATCH THREAT Act Now

Windows MSHTML component contains a remote code execution vulnerability that allows attackers to craft malicious ActiveX controls in Office documents, exploited as a zero-day in targeted attacks before the September 2021 patch.

Windows
NVD
CVSS 3.1
8.8
EPSS
94.3%
Threat
9.6
CVE-2021-38647 CRITICAL POC KEV PATCH THREAT Act Now

Open Management Infrastructure Remote Code Execution Vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE Azure Automation State Configuration Azure Automation Update Management Azure Diagnostics Lad Azure Open Management Infrastructure +6
NVD
CVSS 3.1
9.8
EPSS
99.7%
CVE-2021-38648 HIGH POC KEV PATCH THREAT Act Now

Open Management Infrastructure Elevation of Privilege Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available.

Information Disclosure Azure Automation State Configuration Azure Automation Update Management Azure Diagnostics Lad Azure Open Management Infrastructure +6
NVD
CVSS 3.1
7.8
EPSS
11.4%
CVE-2021-33690 CRITICAL POC PATCH THREAT Act Now

Server-Side Request Forgery (SSRF) vulnerability has been detected in the SAP NetWeaver Development Infrastructure Component Build Service versions - 7.11, 7.20, 7.30, 7.31, 7.40, 7.50The SAP. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure SSRF SAP Netweaver Development Infrastructure
NVD
CVSS 3.1
9.9
EPSS
67.7%
CVE-2021-40881 CRITICAL POC Act Now

An issue in the BAT file parameters of PublicCMS v4.0 allows attackers to execute arbitrary code. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Publiccms
NVD GitHub
CVSS 3.1
9.8
EPSS
1.6%
CVE-2021-33045 CRITICAL POC KEV THREAT Act Now

The identity authentication bypass vulnerability found in some Dahua products during the login process. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Dahua Authentication Bypass Ipc Hum7Xxx Firmware Ipc Hx3Xxx Firmware Ipc Hx5Xxx Firmware +15
NVD
CVSS 3.1
9.8
EPSS
99.6%
CVE-2021-33044 CRITICAL POC KEV THREAT Act Now

The identity authentication bypass vulnerability found in some Dahua products during the login process. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Dahua Authentication Bypass Ipc Hum7Xxx Firmware Ipc Hx3Xxx Firmware Ipc Hx5Xxx Firmware +16
NVD
CVSS 3.1
9.8
EPSS
99.9%
CVE-2021-3797 CRITICAL POC PATCH Act Now

hestiacp is vulnerable to Use of Wrong Operator in String Comparison. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Control Panel
NVD GitHub
CVSS 3.1
9.8
EPSS
1.1%
CVE-2021-3751 CRITICAL POC PATCH Act Now

libmobi is vulnerable to Out-of-bounds Write. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Buffer Overflow Memory Corruption Libmobi
NVD GitHub
CVSS 3.1
9.8
EPSS
1.2%
CVE-2021-33701 CRITICAL POC Act Now

DMIS Mobile Plug-In or SAP S/4HANA, versions - DMIS 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 710, 2011_1_731, 710, 2011_1_752, 2020, SAPSCORE 125, S4CORE 102, 102, 103, 104, 105,. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi SAP Dmis S4core Sapscore
NVD
CVSS 3.1
9.1
EPSS
2.1%
CVE-2021-40845 HIGH POC This Week

The web part of Zenitel AlphaCom XE Audio Server through 11.2.3.10, called AlphaWeb XE, does not restrict file upload in the Custom Scripts section at php/index.php. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP File Upload Alphacom Xe Audio Server
NVD GitHub
CVSS 3.1
8.8
EPSS
4.7%
CVE-2016-20012 MEDIUM POC PATCH THREAT This Month

OpenSSH through 8.7 allows remote attackers, who have a suspicion that a certain combination of username and public key is known to an SSH server, to test whether this suspicion is correct. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 14.6%.

SSH Information Disclosure Openssh Clustered Data Ontap Hci Management Node +2
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
14.6%
CVE-2021-30137 HIGH POC This Week

Assyst 10 SP7.5 has authenticated XXE leading to SSRF via XML unmarshalling. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF XXE Assyst
NVD GitHub
CVSS 3.1
8.2
EPSS
0.8%
CVE-2021-21798 HIGH POC THREAT This Week

An exploitable return of stack variable address vulnerability exists in the JavaScript implementation of Nitro Pro PDF. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Nitro Pro
NVD
CVSS 3.1
7.8
EPSS
16.1%
CVE-2021-3778 HIGH POC PATCH This Week

vim is vulnerable to Heap-based Buffer Overflow. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Buffer Overflow Heap Overflow Vim Fedora Debian Linux +1
NVD GitHub
CVSS 3.1
7.8
EPSS
1.7%
CVE-2021-40639 HIGH POC This Week

Improper access control in Jfinal CMS 5.1.0 allows attackers to access sensitive information via /classes/conf/db.properties&config=filemanager.config.js. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Jfinal Cms
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
1.4%
CVE-2021-3795 HIGH POC PATCH This Week

semver-regex is vulnerable to Inefficient Regular Expression Complexity. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Semver Regex
NVD GitHub
CVSS 3.1
7.5
EPSS
1.5%
CVE-2021-3794 HIGH POC PATCH This Week

vuelidate is vulnerable to Inefficient Regular Expression Complexity. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Vuelidate
NVD GitHub
CVSS 3.1
7.5
EPSS
1.2%
CVE-2021-3777 HIGH POC PATCH This Week

nodejs-tmpl is vulnerable to Inefficient Regular Expression Complexity. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Tmpl
NVD GitHub
CVSS 3.1
7.5
EPSS
1.3%
CVE-2021-3706 HIGH POC PATCH This Week

adminlte is vulnerable to Sensitive Cookie Without 'HttpOnly' Flag. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Web Interface
NVD GitHub
CVSS 3.1
7.5
EPSS
1.1%
CVE-2021-3796 HIGH POC PATCH This Week

vim is vulnerable to Use After Free. Rated high severity (CVSS 7.3), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Use After Free Denial Of Service Memory Corruption Vim Fedora +2
NVD GitHub
CVSS 3.1
7.3
EPSS
1.7%
CVE-2021-40964 MEDIUM POC This Month

A Path Traversal vulnerability exists in TinyFileManager all version up to and including 2.4.6 that allows attackers to upload a file (with Admin credentials or with the CSRF vulnerability) with the. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF Path Traversal Tiny File Manager
NVD GitHub Exploit-DB
CVSS 3.1
6.5
EPSS
8.2%
CVE-2021-3801 MEDIUM POC PATCH This Month

prism is vulnerable to Inefficient Regular Expression Complexity. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Prism
NVD GitHub
CVSS 3.1
6.5
EPSS
1.0%
CVE-2021-39307 MEDIUM POC This Month

PDFTron's WebViewer UI 8.0 or below renders dangerous URLs as hyperlinks in supported documents, including JavaScript URLs, allowing the execution of arbitrary JavaScript code. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Webviewer Ui
NVD
CVSS 3.1
6.1
EPSS
1.1%
CVE-2021-3780 MEDIUM POC PATCH This Month

peertube is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Peertube
NVD GitHub
CVSS 3.1
6.1
EPSS
0.9%
CVE-2021-37913 CRITICAL Act Now

The HGiga OAKlouds mobile portal does not filter special characters of the IPv6 Gateway parameter of the network interface card setting page. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection Oaklouds Portal
NVD
CVSS 3.1
9.8
EPSS
2.8%
CVE-2021-37912 CRITICAL Act Now

The HGiga OAKlouds mobile portal does not filter special characters of the Ethernet number parameter of the network interface card setting page. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection Oaklouds Portal
NVD
CVSS 3.1
9.8
EPSS
2.8%
CVE-2021-37909 CRITICAL Act Now

WriteRegistry function in TSSServiSign component does not filter and verify users’ input, remote attackers can rewrite to the registry without permissions thus perform hijack attacks to execute. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Tssservisignadapter
NVD
CVSS 3.1
9.8
EPSS
2.0%
CVE-2021-39392 CRITICAL Act Now

The management tool in MyLittleBackup up to and including 1.7 allows remote attackers to execute arbitrary code because machineKey is hardcoded (the same for all customers' installations) in. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Mylittlebackup
NVD GitHub
CVSS 3.1
9.8
EPSS
2.3%
CVE-2021-41061 MEDIUM POC This Month

In RIOT-OS 2021.01, nonce reuse in 802.15.4 encryption in the ieee820154_security component allows attackers to break encryption by triggering reboots. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Riot
NVD GitHub
CVSS 3.1
5.5
EPSS
0.2%
CVE-2021-28901 MEDIUM POC This Month

Multiple cross-site scripting (XSS) vulnerabilities exist in SITA Software Azur CMS 1.2.3.1 and earlier, which allows remote attackers to inject arbitrary web script or HTML via the (1) NOM_CLI , (2). Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Azurcms
NVD GitHub
CVSS 3.1
5.4
EPSS
0.8%
CVE-2021-38156 MEDIUM POC THREAT This Month

In Nagios XI before 5.8.6, XSS exists in the dashboard page (/dashboards/#) when administrative users attempt to edit a dashboard. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Nagios Xi
NVD
CVSS 3.1
5.4
EPSS
88.9%
CVE-2021-3785 MEDIUM POC PATCH This Month

yourls is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Yourls
NVD GitHub
CVSS 3.1
5.4
EPSS
0.7%
CVE-2021-39211 MEDIUM POC This Month

GLPI is a free Asset and IT management software package. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP Information Disclosure Glpi
NVD GitHub
CVSS 3.1
5.3
EPSS
4.7%
CVE-2021-33695 CRITICAL PATCH Act Now

Potentially, SAP Cloud Connector, version - 2.0 communication with the backend is accepted without sufficient validation of the certificate. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure SAP Cloud Connector
NVD
CVSS 3.1
9.1
EPSS
0.6%
CVE-2021-40862 HIGH This Week

HashiCorp Terraform Enterprise up to v202108-1 contained an API endpoint that erroneously disclosed a sensitive URL to authenticated parties, which could be used for privilege escalation or. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Hashicorp Privilege Escalation Information Disclosure Terraform Enterprise
NVD
CVSS 3.1
8.8
EPSS
1.0%
CVE-2021-33704 HIGH PATCH This Week

The Service Layer of SAP Business One, version - 10.0, allows an authenticated attacker to invoke certain functions that would otherwise be restricted to specific users. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

SAP Authentication Bypass Business One
NVD
CVSS 3.1
8.8
EPSS
0.6%
CVE-2021-33698 HIGH PATCH This Week

SAP Business One, version - 10.0, allows an attacker with business authorization to upload any files (including script files) without the proper file format validation. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

SAP File Upload Business One
NVD
CVSS 3.1
8.8
EPSS
1.1%
CVE-2021-40965 HIGH This Week

A Cross-Site Request Forgery (CSRF) vulnerability exists in TinyFileManager all version up to and including 2.4.6 that allows attackers to upload files and run OS commands by inducing the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Tiny File Manager
NVD GitHub
CVSS 3.1
8.8
EPSS
0.6%
CVE-2021-39213 HIGH This Week

GLPI is a free Asset and IT management software package. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Glpi
NVD GitHub
CVSS 3.1
8.8
EPSS
1.0%
CVE-2021-39209 HIGH This Week

GLPI is a free Asset and IT management software package. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Glpi
NVD GitHub
CVSS 3.1
8.8
EPSS
0.5%
CVE-2021-36965 HIGH PATCH This Week

Windows WLAN AutoConfig Service Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity.

Microsoft RCE Windows 10 Windows 7 Windows 8 1 +6
NVD
CVSS 3.1
8.8
EPSS
4.2%
CVE-2021-36954 HIGH PATCH This Week

Windows Bind Filter Driver Elevation of Privilege Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity. This Improper Privilege Management vulnerability could allow attackers to escalate privileges to gain unauthorized elevated access.

Microsoft Privilege Escalation Windows 10 Windows Server 2016 Windows Server 2019 +1
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2021-22149 HIGH This Week

Elastic Enterprise Search App Search versions before 7.14.0 are vulnerable to an issue where API keys were missing authorization via an alternate route. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Elastic Information Disclosure Enterprise Search
NVD
CVSS 3.1
8.8
EPSS
1.0%
CVE-2021-22148 HIGH This Week

Elastic Enterprise Search App Search versions before 7.14.0 was vulnerable to an issue where API keys were not bound to the same engines as their creator. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Elastic Authentication Bypass Enterprise Search
NVD
CVSS 3.1
8.8
EPSS
1.0%
CVE-2021-33705 HIGH PATCH This Week

The SAP NetWeaver Portal, versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, component Iviews Editor contains a Server-Side Request Forgery (SSRF) vulnerability which allows an unauthenticated. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

SSRF SAP Netweaver Portal
NVD
CVSS 3.1
8.1
EPSS
2.1%
CVE-2021-27662 HIGH This Week

The KT-1 door controller is susceptible to replay or man-in-the-middle attacks where an attacker can record and replay TCP packets.01. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Kantech Kt 1 Door Controller Firmware
NVD
CVSS 3.1
8.1
EPSS
0.8%
CVE-2021-26435 HIGH PATCH This Week

Windows Scripting Engine Memory Corruption Vulnerability. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Out-of-bounds Write vulnerability could allow attackers to write data beyond allocated buffer boundaries leading to code execution or crashes.

Buffer Overflow Microsoft Memory Corruption Windows 10 Windows 7 +7
NVD
CVSS 3.1
8.1
EPSS
4.8%
CVE-2021-36967 HIGH PATCH This Week

Windows WLAN AutoConfig Service Elevation of Privilege Vulnerability. Rated high severity (CVSS 8.0), this vulnerability is no authentication required, low attack complexity. This Improper Privilege Management vulnerability could allow attackers to escalate privileges to gain unauthorized elevated access.

Microsoft Privilege Escalation Windows 10 Windows Server 2016 Windows Server 2019
NVD
CVSS 3.1
8.0
EPSS
0.8%
CVE-2021-33700 HIGH PATCH This Week

SAP Business One, version - 10.0, allows a local attacker with access to the victim's browser under certain circumstances, to login as the victim without knowing his/her password. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.

Information Disclosure SAP Business One
NVD
CVSS 3.1
7.8
EPSS
0.2%
Page 1 of 3 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy