Skip to main content
CVE-2021-36260 CRITICAL POC KEV THREAT Emergency

A command injection vulnerability in the web server of some Hikvision product. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Hikvision Command Injection Ds 2Cd2026G2 Iu Sl Firmware Ds 2Cd2046G2 Iu Sl Firmware Ds 2Cd2066G2 I U Firmware +252
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
99.9%
CVE-2021-38112 HIGH POC This Week

In the Amazon AWS WorkSpaces client 3.0.10 through 3.1.8 on Windows, argument injection in the workspaces:// URI handler can lead to remote code execution because of the Chromium Embedded Framework. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Google Microsoft RCE Aws Workspaces
NVD
CVSS 3.1
8.8
EPSS
6.5%
CVE-2021-40875 HIGH POC THREAT This Week

Improper Access Control in Gurock TestRail versions < 7.2.0.3014 resulted in sensitive information exposure. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Testrail
NVD GitHub Exploit-DB
CVSS 3.1
7.5
EPSS
48.4%
CVE-2021-41382 HIGH POC This Week

Plastic SCM before 10.0.16.5622 mishandles the WebAdmin server management interface. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Plastic Scm
NVD Exploit-DB
CVSS 3.1
7.5
EPSS
8.9%
CVE-2021-34647 MEDIUM POC PATCH This Month

The Ninja Forms WordPress plugin is vulnerable to sensitive information disclosure via the bulk_export_submissions function found in the ~/includes/Routes/Submissions.php file, in versions up to and. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

WordPress PHP Information Disclosure Authentication Bypass Ninja Forms
NVD
CVSS 3.1
6.5
EPSS
1.1%
CVE-2021-37927 CRITICAL Act Now

Zoho ManageEngine ADManager Plus version 7110 and prior allows account takeover via SSO. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Zoho Information Disclosure Jwt Attack Manageengine Admanager Plus
NVD
CVSS 3.1
9.8
EPSS
2.2%
CVE-2021-37925 CRITICAL Act Now

Zoho ManageEngine ADManager Plus version 7110 and prior has a Post-Auth OS command injection vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Zoho Command Injection Manageengine Admanager Plus
NVD
CVSS 3.1
9.8
EPSS
10.5%
CVE-2021-31819 CRITICAL PATCH Act Now

In Halibut versions prior to 4.4.7 there is a deserialisation vulnerability that could allow remote code execution on systems that already trust each other based on certificate verification. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Halibut
NVD
CVSS 3.1
9.8
EPSS
2.3%
CVE-2021-40684 CRITICAL PATCH Act Now

Talend ESB Runtime in all versions from 5.1 to 7.3.1-R2021-09, 7.2.1-R2021-09, 7.1.1-R2021-09, has an unauthenticated Jolokia HTTP endpoint which allows remote access to the JMX of the runtime. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Esb Runtime
NVD
CVSS 3.1
9.1
EPSS
1.1%
CVE-2021-39404 MEDIUM POC This Month

MaianAffiliate v1.0 allows an authenticated administrative user to save an XSS to the database. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Maianaffiliate
NVD GitHub
CVSS 3.1
4.8
EPSS
0.5%
CVE-2021-34648 MEDIUM POC PATCH This Month

The Ninja Forms WordPress plugin is vulnerable to arbitrary email sending via the trigger_email_action function found in the ~/includes/Routes/Submissions.php file, in versions up to and including. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

WordPress PHP Authentication Bypass Ninja Forms
NVD
CVSS 3.1
4.3
EPSS
0.6%
CVE-2021-21991 HIGH PATCH This Week

The vCenter Server contains a local privilege escalation vulnerability due to the way it handles session tokens. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.

Privilege Escalation VMware Cloud Foundation Vcenter Server
NVD
CVSS 3.1
7.8
EPSS
0.3%
CVE-2021-31847 HIGH This Week

Improper access control vulnerability in the repair process for McAfee Agent for Windows prior to 5.7.4 could allow a local attacker to perform a DLL preloading attack using unsigned DLLs. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Microsoft Privilege Escalation RCE Agent
NVD
CVSS 3.1
7.8
EPSS
0.4%
CVE-2021-41011 HIGH This Week

LINE client for iOS before 11.15.0 might expose authentication information for a certain service to external entities under certain conditions. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apple Information Disclosure Line
NVD
CVSS 3.1
7.5
EPSS
1.1%
CVE-2021-31841 HIGH This Week

A DLL sideloading vulnerability in McAfee Agent for Windows prior to 5.7.4 could allow a local user to perform a DLL sideloading attack with an unsigned DLL with a specific name and in a specific. Rated high severity (CVSS 7.3), this vulnerability is low attack complexity. No vendor patch available.

RCE Microsoft Jwt Attack Mcafee Agent
NVD
CVSS 3.1
7.3
EPSS
0.2%
CVE-2021-31836 HIGH This Week

Improper privilege management vulnerability in maconfig for McAfee Agent for Windows prior to 5.7.4 allows a local user to gain access to sensitive information. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity. No vendor patch available.

Microsoft Privilege Escalation Mcafee Agent
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2021-3583 HIGH PATCH This Week

A flaw was found in Ansible, where a user's controller is vulnerable to template injection. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity. No vendor patch available.

Command Injection Ansible Automation Platform Ansible Engine Ansible Tower
NVD
CVSS 3.1
7.1
EPSS
0.9%
CVE-2021-21992 MEDIUM This Month

The vCenter Server contains a denial-of-service vulnerability due to improper XML entity parsing. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure VMware Cloud Foundation Vcenter Server
NVD
CVSS 3.1
6.5
EPSS
0.9%
CVE-2021-37860 MEDIUM PATCH This Month

Mattermost 5.38 and earlier fails to sufficiently sanitize clipboard contents, which allows a user-assisted attacker to inject arbitrary web script in product deployments that explicitly disable the. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mattermost XSS
NVD
CVSS 3.1
6.1
EPSS
0.6%
CVE-2021-38153 MEDIUM PATCH This Month

Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.

Apache Information Disclosure Kafka Quarkus Communications Brm Elastic Charging Engine +5
NVD
CVSS 3.1
5.9
EPSS
5.8%
CVE-2021-39339 MEDIUM This Month

The Telefication WordPress plugin is vulnerable to Open Proxy and Server-Side Request Forgery via the ~/bypass.php file due to a user-supplied URL request value that gets called by a curl requests. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress PHP SSRF Telefication
NVD
CVSS 3.1
5.3
EPSS
1.3%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy