Skip to main content
CVE-2021-23448 CRITICAL POC Act Now

All versions of package config-handler are vulnerable to Prototype Pollution when loading config files. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Prototype Pollution Information Disclosure Config Handler
NVD GitHub
CVSS 3.1
9.8
EPSS
1.2%
CVE-2021-40617 CRITICAL POC Act Now

An SQL Injection vulnerability exists in openSIS Community Edition version 8.0 via ForgotPassUserName.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Opensis
NVD GitHub Exploit-DB
CVSS 3.1
9.8
EPSS
5.2%
CVE-2021-40239 CRITICAL POC Act Now

A Buffer Overflow vulnerability exists in the latest version of Miniftpd in the do_retr function in ftpproto.c. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Miniftpd
NVD GitHub
CVSS 3.1
9.8
EPSS
1.4%
CVE-2021-40543 CRITICAL POC Act Now

Opensis-Classic Version 8.0 is affected by a SQL injection vulnerability due to a lack of sanitization of input data at two parameters $_GET['usrid'] and $_GET['prof_id'] in the PasswordCheck.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Opensis
NVD GitHub
CVSS 3.1
9.8
EPSS
1.1%
CVE-2021-40887 CRITICAL POC Act Now

Projectsend version r1295 is affected by a directory traversal vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Path Traversal Projectsend
NVD GitHub
CVSS 3.1
9.8
EPSS
2.3%
CVE-2021-40889 CRITICAL POC Act Now

CMSUno version 1.7.2 is affected by a PHP code execution vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP Code Injection Cmsuno
NVD GitHub
CVSS 3.1
9.8
EPSS
1.8%
CVE-2021-42139 CRITICAL POC Act Now

Deno Standard Modules before 0.107.0 allows Code Injection via an untrusted YAML file in certain configurations. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection Deno Standard Modules
NVD GitHub
CVSS 3.1
9.8
EPSS
2.0%
CVE-2021-29004 HIGH POC This Week

rConfig 3.9.6 is affected by SQL Injection. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Rconfig
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
2.1%
CVE-2021-29005 HIGH POC This Week

Insecure permission of chmod command on rConfig server 3.9.6 exists. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Apache Rconfig
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
1.8%
CVE-2021-41117 CRITICAL POC PATCH Act Now

keypair is a a RSA PEM key generator written in javascript. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Keypair
NVD GitHub
CVSS 3.1
9.1
EPSS
3.0%
CVE-2021-39317 HIGH POC PATCH This Week

A WordPress plugin and several WordPress themes developed by AccessPress Themes are vulnerable to malicious file uploads via the plugin_offline_installer AJAX action due to a missing capability check. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

WordPress PHP Authentication Bypass Access Demo Importer Accesspress Lite +41
NVD
CVSS 3.1
8.8
EPSS
1.7%
CVE-2021-24711 HIGH POC This Week

The del_reistered_domains AJAX action of the Software License Manager WordPress plugin before 4.5.1 does not have any CSRF checks, and is vulnerable to a CSRF attack. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Software License Manager
NVD WPScan
CVSS 3.1
8.8
EPSS
0.7%
CVE-2021-24546 HIGH POC This Week

The Gutenberg Block Editor Toolkit - EditorsKit WordPress plugin before 1.31.6 does not sanitise and validate the Conditional Logic of the Custom Visibility settings, allowing users with a role as. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress RCE PHP Code Injection Editorskit
NVD WPScan
CVSS 3.1
8.8
EPSS
1.8%
CVE-2021-40884 HIGH POC This Week

Projectsend version r1295 is affected by sensitive information disclosure. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Information Disclosure Authentication Bypass Projectsend
NVD GitHub
CVSS 3.1
8.1
EPSS
0.9%
CVE-2021-29006 MEDIUM POC This Month

rConfig 3.9.6 is affected by a Local File Disclosure vulnerability. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Rconfig
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
7.0%
CVE-2021-42260 HIGH POC This Week

TinyXML through 2.6.2 has an infinite loop in TiXmlParsingData::Stamp in tinyxmlparser.cpp via the TIXML_UTF_LEAD_0 case. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Tinyxml Debian Linux
NVD
CVSS 3.1
7.5
EPSS
3.1%
CVE-2021-24651 HIGH POC This Week

The Poll Maker WordPress plugin before 3.4.2 allows unauthenticated users to perform SQL injection via the ays_finish_poll AJAX action. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi Poll Maker
NVD WPScan
CVSS 3.1
7.5
EPSS
1.6%
CVE-2021-41055 HIGH POC This Week

Gajim 1.2.x and 1.3.x before 1.3.3 allows remote attackers to cause a denial of service (crash) via a crafted XMPP Last Message Correction (XEP-0308) message in multi-user chat, where the message ID. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Gajim
NVD
CVSS 3.1
7.5
EPSS
1.5%
CVE-2021-40189 HIGH POC This Week

PHPFusion 9.03.110 is affected by a remote code execution vulnerability. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE File Upload Phpfusion
NVD GitHub
CVSS 3.1
7.2
EPSS
1.7%
CVE-2021-40188 HIGH POC This Week

PHPFusion 9.03.110 is affected by an arbitrary file upload vulnerability. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP File Upload Phpfusion
NVD GitHub
CVSS 3.1
7.2
EPSS
1.3%
CVE-2021-20122 HIGH POC This Week

The Telus Wi-Fi Hub (PRV65B444A-S-TS) with firmware version 3.00.20 is affected by an authenticated command injection vulnerability in multiple parameters passed to tr69_cmd.cgi. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Prv65B444A S Ts Firmware
NVD
CVSS 3.1
7.2
EPSS
6.5%
CVE-2021-42257 HIGH POC This Week

check_smart before 6.9.1 allows unintended drive access by an unprivileged user because it only checks for a substring match of a device path (the /dev/bus substring and a number), aka an unanchored. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Check Smart
NVD
CVSS 3.1
7.1
EPSS
0.4%
CVE-2021-22263 MEDIUM POC This Month

An issue has been discovered in GitLab affecting all versions starting from 13.0 before 14.0.9, all versions starting from 14.1 before 14.1.4, all versions starting from 14.2 before 14.2.2. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Gitlab
NVD
CVSS 3.1
6.5
EPSS
1.1%
CVE-2021-40886 MEDIUM POC This Month

Projectsend version r1295 is affected by a directory traversal vulnerability. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Projectsend
NVD GitHub
CVSS 3.1
6.5
EPSS
1.4%
CVE-2021-40541 MEDIUM POC This Month

PHPFusion 9.03.110 is affected by cross-site scripting (XSS) in the preg patterns filter html tag without "//" in descript() function An authenticated user can trigger XSS by appending "//" in the. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Phpfusion
NVD GitHub
CVSS 3.1
6.1
EPSS
0.6%
CVE-2021-40542 MEDIUM POC This Month

Opensis-Classic Version 8.0 is affected by cross-site scripting (XSS). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Opensis
NVD GitHub
CVSS 3.1
6.1
EPSS
3.0%
CVE-2021-24719 MEDIUM POC This Month

The Enfold Enfold WordPress theme before 4.8.4 was vulnerable to Reflected Cross-Site Scripting (XSS). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Enfold
NVD WPScan Exploit-DB
CVSS 3.1
6.1
EPSS
3.0%
CVE-2021-24563 MEDIUM POC THREAT This Month

The Frontend Uploader WordPress plugin through 1.3.2 does not prevent HTML files from being uploaded via its form, allowing unauthenticated user to upload a malicious HTML file containing JavaScript. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Frontend Uploader
NVD WPScan Exploit-DB
CVSS 3.1
6.1
EPSS
26.4%
CVE-2021-41798 MEDIUM POC This Month

MediaWiki before 1.36.2 allows XSS. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Mediawiki Fedora
NVD
CVSS 3.1
6.1
EPSS
1.3%
CVE-2021-26588 CRITICAL Act Now

A potential security vulnerability has been identified in HPE 3PAR StoreServ, HPE Primera Storage and HPE Alletra 9000 Storage array firmware. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure 3Par Os Primera 630 Firmware Primera 650 Firmware Primera 670 Firmware +2
NVD
CVSS 3.1
9.8
EPSS
1.8%
CVE-2021-37123 CRITICAL Act Now

There is an improper authentication vulnerability in Hero-CT060 before 1.0.0.200. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Hero Ct060 Firmware
NVD
CVSS 3.1
9.8
EPSS
0.8%
CVE-2021-27664 CRITICAL Act Now

Under certain configurations an unauthenticated remote user could be given access to credentials stored in the exacqVision Server. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation Exacqvision Web Service
NVD
CVSS 3.1
9.8
EPSS
1.5%
CVE-2021-40191 MEDIUM POC This Month

Dzzoffice Version 2.02.1 is affected by cross-site scripting (XSS) due to a lack of sanitization of input data at all upload functions in webroot/dzz/attach/Uploader.class.php and return a wrong. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Dzzoffice
NVD GitHub
CVSS 3.1
5.4
EPSS
0.5%
CVE-2021-40888 MEDIUM POC This Month

Projectsend version r1295 is affected by Cross Site Scripting (XSS) due to lack of sanitization when echo output data in returnFilesIds() function. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Projectsend
NVD GitHub
CVSS 3.1
5.4
EPSS
0.6%
CVE-2021-24720 MEDIUM POC PATCH This Month

The GeoDirectory Business Directory WordPress plugin before 2.1.1.3 was vulnerable to Authenticated Stored Cross-Site Scripting (XSS). Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

WordPress XSS Geodirectory
NVD GitHub WPScan
CVSS 3.1
5.4
EPSS
0.9%
CVE-2021-24712 MEDIUM POC This Month

The Appointment Hour Booking WordPress plugin before 1.3.17 does not properly sanitize values used when creating new calendars. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Appointment Hour Booking
NVD WPScan
CVSS 3.1
5.4
EPSS
0.6%
CVE-2021-24690 MEDIUM POC This Month

The Chained Quiz WordPress plugin before 1.2.7.2 does not properly sanitize or escape inputs in the plugin's settings. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Chained Quiz
NVD WPScan
CVSS 3.1
5.4
EPSS
0.6%
CVE-2021-24683 MEDIUM POC This Month

The Weather Effect WordPress plugin before 1.3.4 does not have any CSRF checks in place when saving its settings, and do not validate or escape them, which could lead to Stored Cross-Site Scripting. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress XSS Weather Effect
NVD WPScan
CVSS 3.1
5.4
EPSS
0.4%
CVE-2021-24577 MEDIUM POC This Month

The Coming soon and Maintenance mode WordPress plugin before 3.5.3 does not properly sanitize inputs submitted by authenticated users when setting adding or modifying coming soon or maintenance mode. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Coming Soon And Maintenance Mode
NVD WPScan
CVSS 3.1
5.4
EPSS
0.6%
CVE-2021-24576 MEDIUM POC This Month

The Easy Accordion WordPress plugin before 2.0.22 does not properly sanitize inputs when adding new items to an accordion. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Easy Accordion
NVD WPScan
CVSS 3.1
5.4
EPSS
0.6%
CVE-2021-24545 MEDIUM POC This Month

The WP HTML Author Bio WordPress plugin through 1.2.0 does not sanitise the HTML allowed in the Bio of users, allowing them to use malicious JavaScript code, which will be executed when anyone visit. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation WordPress XSS Wp Html Author Bio
NVD WPScan
CVSS 3.1
5.4
EPSS
1.8%
CVE-2021-24737 MEDIUM POC This Month

The Comments - wpDiscuz WordPress plugin through 7.3.0 does not properly sanitise or escape the Follow and Unfollow messages before outputting them in the page, which could allow high privilege users. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Wpdiscuz
NVD WPScan
CVSS 3.1
4.8
EPSS
0.6%
CVE-2021-24709 MEDIUM POC This Month

The Weather Effect WordPress plugin before 1.3.6 does not properly validate and escape some of its settings (like *_size_leaf, *_flakes_leaf, *_speed) which could lead to Stored Cross-Site Scripting. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Weather Effect
NVD WPScan
CVSS 3.1
4.8
EPSS
0.6%
CVE-2021-24691 MEDIUM POC This Month

The Quiz And Survey Master WordPress plugin before 7.3.2 does not escape the Quiz Url Slug setting before outputting it in some pages, which could allow high privilege users to perform Cross-Site. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Quiz And Survey Master
NVD WPScan
CVSS 3.1
4.8
EPSS
0.6%
CVE-2021-24681 MEDIUM POC This Month

The Duplicate Page WordPress plugin through 4.4.2 does not sanitise or escape the Duplicate Post Suffix settings before outputting it, which could allow high privilege users to perform Stored. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Duplicate Page
NVD WPScan
CVSS 3.1
4.8
EPSS
0.9%
CVE-2021-24656 MEDIUM POC This Month

The Simple Social Media Share Buttons WordPress plugin before 3.2.4 does not escape the Share Title settings before outputting it in the frontend pages or posts (depending on the settings used),. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Simple Social Buttons
NVD WPScan
CVSS 3.1
4.8
EPSS
0.6%
CVE-2021-41801 HIGH PATCH This Week

The ReplaceText extension through 1.41 for MediaWiki has Incorrect Access Control. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Mediawiki
NVD
CVSS 3.1
8.8
EPSS
1.1%
CVE-2021-42135 HIGH PATCH This Week

HashiCorp Vault and Vault Enterprise 1.8.x through 1.8.4 may have an unexpected interaction between glob-related policies and the Google Cloud secrets engine. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Google Privilege Escalation Hashicorp Vault
NVD
CVSS 3.1
8.1
EPSS
0.8%
CVE-2021-20121 MEDIUM POC This Month

The Telus Wi-Fi Hub (PRV65B444A-S-TS) with firmware version 3.00.20 is vulnerable to an authenticated arbitrary file read. Rated medium severity (CVSS 4.0). Public exploit code available and no vendor patch available.

Information Disclosure Prv65B444A S Ts Firmware
NVD
CVSS 3.1
4.0
EPSS
0.5%
CVE-2021-42252 HIGH PATCH This Week

An issue was discovered in aspeed_lpc_ctrl_mmap in drivers/soc/aspeed/aspeed-lpc-ctrl.c in the Linux kernel before 5.14.6. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.

Linux Information Disclosure Linux Kernel H300s Firmware H500s Firmware +7
NVD
CVSS 3.1
7.8
EPSS
0.4%
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy