Skip to main content
CVE-2021-23449 CRITICAL POC PATCH Act Now

This affects the package vm2 before 3.9.4 via a Prototype Pollution attack vector, which can lead to execution of arbitrary code on the host machine. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Prototype Pollution RCE Vm2
NVD GitHub
CVSS 3.1
10.0
EPSS
3.5%
CVE-2021-42576 CRITICAL POC PATCH Act Now

The bluemonday sanitizer before 1.0.16 for Go, and before 0.0.8 for Python (in pybluemonday), does not properly enforce policies associated with the SELECT, STYLE, and OPTION elements. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Python Information Disclosure Bluemonday Pybluemonday
NVD
CVSS 3.1
9.8
EPSS
1.5%
CVE-2021-42575 CRITICAL POC PATCH Act Now

The OWASP Java HTML Sanitizer before 20211018.1 does not properly enforce policies associated with the SELECT, STYLE, and OPTION elements. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Java Java Html Sanitizer Middleware Common Libraries And Tools Primavera Unifier
NVD
CVSS 3.1
9.8
EPSS
2.8%
CVE-2021-24684 HIGH POC This Week

The WordPress PDF Light Viewer Plugin WordPress plugin before 1.4.12 allows users with Author roles to execute arbitrary OS command on the server via OS Command Injection when invoking Ghostscript. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Command Injection Pdf Light Viewer
NVD WPScan
CVSS 3.1
8.8
EPSS
4.3%
CVE-2021-21797 HIGH POC THREAT This Week

An exploitable double-free vulnerability exists in the JavaScript implementation of Nitro Pro PDF. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Nitro Pro
NVD
CVSS 3.1
7.8
EPSS
15.0%
CVE-2021-21796 HIGH POC THREAT This Week

An exploitable use-after-free vulnerability exists in the JavaScript implementation of Nitro Pro PDF. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Use After Free RCE Memory Corruption Nitro Pro
NVD
CVSS 3.1
7.8
EPSS
15.8%
CVE-2021-36513 HIGH POC This Week

An issue was discovered in function sofia_handle_sip_i_notify in sofia.c in SignalWire freeswitch before 1.10.6, may allow attackers to view sensitive information due to an uninitialized value. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Freeswitch
NVD GitHub
CVSS 3.1
7.5
EPSS
1.8%
CVE-2021-24754 HIGH POC This Week

The MainWP Child Reports WordPress plugin before 2.0.8 does not validate or sanitise the order parameter before using it in a SQL statement in the admin dashboard, leading to an SQL injection issue. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi Mainwp Child Reports
NVD WPScan
CVSS 3.1
7.2
EPSS
1.3%
CVE-2021-24735 MEDIUM POC This Month

The Compact WP Audio Player WordPress plugin before 1.9.7 does not implement nonce checks, which could allow attackers to make a logged in admin change the "Disable Simultaneous Play" setting via a. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Compact Wp Audio Player
NVD WPScan
CVSS 3.1
6.5
EPSS
0.6%
CVE-2021-24675 MEDIUM POC This Month

The One User Avatar WordPress plugin before 2.3.7 does not check for CSRF when updating the Avatar in page where the [avatar_upload] shortcode is embed. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress One User Avatar
NVD WPScan
CVSS 3.1
6.5
EPSS
0.6%
CVE-2021-24642 MEDIUM POC This Month

The Scroll Baner WordPress plugin through 1.0 does not have CSRF check in place when saving its settings, nor perform any sanitisation, escaping or validation on them. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress XSS File Upload Scroll Banner
NVD WPScan
CVSS 3.1
6.5
EPSS
0.6%
CVE-2021-42566 MEDIUM POC This Month

myfactory.FMS before 7.1-912 allows XSS via the Error parameter. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Fms
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
5.8%
CVE-2021-42565 MEDIUM POC This Month

myfactory.FMS before 7.1-912 allows XSS via the UID parameter. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Fms
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
5.8%
CVE-2021-41153 CRITICAL PATCH Act Now

The evm crate is a pure Rust implementation of Ethereum Virtual Machine. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Evm
NVD GitHub
CVSS 3.1
9.8
EPSS
1.0%
CVE-2021-38389 CRITICAL Act Now

Advantech WebAccess versions 9.02 and prior are vulnerable to a stack-based buffer overflow, which may allow an attacker to remotely execute code. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Stack Overflow Webaccess
NVD
CVSS 3.1
9.8
EPSS
10.4%
CVE-2021-33023 CRITICAL Act Now

Advantech WebAccess versions 9.02 and prior are vulnerable to a heap-based buffer overflow, which may allow an attacker to remotely execute code. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Heap Overflow Webaccess
NVD
CVSS 3.1
9.8
EPSS
2.2%
CVE-2021-22961 CRITICAL Act Now

A code injection vulnerability exists within the firewall software of GlassWire v2.1.167 that could lead to arbitrary code execution from a file in the user path on first execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection Glasswire
NVD
CVSS 3.1
9.8
EPSS
1.7%
CVE-2021-38297 CRITICAL PATCH Act Now

Go before 1.16.9 and 1.17.x before 1.17.2 has a Buffer Overflow via large arguments in a function invocation from a WASM module, when GOARCH=wasm GOOS=js is used. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Go Fedora
NVD
CVSS 3.1
9.8
EPSS
10.3%
CVE-2021-24752 MEDIUM POC This Month

Multiple Plugins from the CatchThemes vendor do not perform capability and CSRF checks in the ctp_switch AJAX action, which could allow any authenticated users, such as Subscriber to change the. Rated medium severity (CVSS 5.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Authentication Bypass Catch Scroll Progress Bar Catch Sticky Menu +8
NVD WPScan
CVSS 3.1
5.7
EPSS
0.4%
CVE-2021-24760 MEDIUM POC This Month

The Gutenberg PDF Viewer Block WordPress plugin before 1.0.1 does not sanitise and escape its block, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Pdf Viewer Block For Gutenberg
NVD WPScan
CVSS 3.1
5.4
EPSS
0.6%
CVE-2021-24743 MEDIUM POC This Month

The Podcast Subscribe Buttons WordPress plugin before 1.4.2 allows users with any role capable of editing or adding posts to perform stored XSS. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Podcast Subscribe Buttons
NVD WPScan
CVSS 3.1
5.4
EPSS
0.6%
CVE-2021-24734 MEDIUM POC This Month

The Compact WP Audio Player WordPress plugin before 1.9.7 does not escape some of its shortcodes attributes, which could allow users with a role as low as Contributor to perform Stored Cross-Site. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Compact Wp Audio Player
NVD WPScan
CVSS 3.1
5.4
EPSS
0.6%
CVE-2021-24732 MEDIUM POC This Month

The PDF Flipbook, 3D Flipbook WordPress - DearFlip WordPress plugin before 1.7.10 does not escape the class attribute of its shortcode before outputting it back in an attribute, which could allow. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Dearflip
NVD WPScan
CVSS 3.1
5.4
EPSS
0.6%
CVE-2021-24672 MEDIUM POC This Month

The One User Avatar WordPress plugin before 2.3.7 does not escape the link and target attributes of its shortcode, allowing users with a role as low as Contributor to perform Stored Cross-Site. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS One User Avatar
NVD WPScan
CVSS 3.1
5.4
EPSS
0.6%
CVE-2021-24413 MEDIUM POC This Month

The Easy Twitter Feed WordPress plugin before 1.2 does not sanitise or validate the parameters from its shortcode, allowing users with a role as low as contributor to set Cross-Site Scripting payload. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Easy Twitter Feed
NVD WPScan
CVSS 3.1
5.4
EPSS
0.6%
CVE-2021-24412 MEDIUM POC This Month

The Html5 Audio Player - Audio Player for WordPress plugin before 2.1.3 does not sanitise or validate the parameters from its shortcode, allowing users with a role as low as contributor to set. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Html5 Audio Player
NVD WPScan
CVSS 3.1
5.4
EPSS
0.6%
CVE-2021-24677 MEDIUM POC This Month

The Find My Blocks WordPress plugin before 3.4.0 does not have authorisation checks in its REST API, which could allow unauthenticated users to enumerate private posts' titles. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Authentication Bypass Find My Blocks
NVD WPScan
CVSS 3.1
5.3
EPSS
1.2%
CVE-2021-41155 HIGH PATCH This Week

Tuleap is a Free & Open Source Suite to improve management of software developments and collaboration. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This SQL Injection vulnerability could allow attackers to execute arbitrary SQL commands against the database.

SQLi Tuleap
NVD GitHub
CVSS 3.1
8.8
EPSS
1.5%
CVE-2021-41154 HIGH PATCH This Week

Tuleap is a Free & Open Source Suite to improve management of software developments and collaboration. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This SQL Injection vulnerability could allow attackers to execute arbitrary SQL commands against the database.

SQLi Tuleap
NVD GitHub
CVSS 3.1
8.8
EPSS
1.5%
CVE-2021-41971 HIGH PATCH This Week

Apache Superset up to and including 1.3.0 when configured with ENABLE_TEMPLATE_PROCESSING on (disabled by default) allowed SQL injection when a malicious authenticated user sends an http request with. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Apache Superset
NVD
CVSS 3.1
8.8
EPSS
1.7%
CVE-2021-42098 HIGH This Week

An incomplete permission check on entries in Devolutions Remote Desktop Manager before 2021.2.16 allows attackers to bypass permissions via batch custom PowerShell. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Remote Desktop Manager
NVD
CVSS 3.1
8.8
EPSS
1.6%
CVE-2021-24740 MEDIUM POC This Month

The Tutor LMS WordPress plugin before 1.9.9 does not escape some of its settings before outputting them in attributes, which could allow high privilege users to perform Cross-Site Scripting attacks. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Tutor Lms
NVD WPScan
CVSS 3.1
4.8
EPSS
0.6%
CVE-2021-24736 MEDIUM POC This Month

The Easy Download Manager and File Sharing Plugin with frontend file upload - a better Media Library - Shared Files WordPress plugin before 1.6.57 does not sanitise and escape some of its settings. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS File Upload Shared Files
NVD WPScan
CVSS 3.1
4.8
EPSS
0.6%
CVE-2021-24702 MEDIUM POC This Month

The LearnPress WordPress plugin before 4.1.3.1 does not properly sanitize or escape various inputs within course settings, which could allow high privilege users to perform Cross-Site Scripting. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Learnpress
NVD WPScan
CVSS 3.1
4.8
EPSS
0.7%
CVE-2021-24622 MEDIUM POC This Month

The Customer Service Software & Support Ticket System WordPress plugin before 5.10.4 does not sanitize or escape form fields before outputting it in the List, which could allow high privilege users. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Customer Service Software Support Ticket System
NVD WPScan
CVSS 3.1
4.8
EPSS
0.6%
CVE-2021-24612 MEDIUM POC This Month

The Sociable WordPress plugin through 4.3.4.1 does not sanitise or escape some of its settings before outputting them in the admins dashboard, allowing high privilege users to perform Cross-Site. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Sociable
NVD WPScan
CVSS 3.1
4.8
EPSS
0.6%
CVE-2021-24516 MEDIUM POC This Month

The PlanSo Forms WordPress plugin through 2.6.3 does not escape the title of its Form before outputting it in attributes, allowing high privilege users such as admin to set XSS payload in it, even. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Planso Forms
NVD WPScan
CVSS 3.1
4.8
EPSS
0.6%
CVE-2021-38442 HIGH This Week

FATEK Automation WinProladder versions 3.30 and prior lacks proper validation of user-supplied data when parsing project files, which could result in a heap-corruption condition. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Winproladder
NVD
CVSS 3.1
7.8
EPSS
0.9%
CVE-2021-38438 HIGH This Week

A use after free vulnerability in FATEK Automation WinProladder versions 3.30 and prior may be exploited when a valid user opens a malformed project file, which may allow arbitrary code execution. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Use After Free Denial Of Service RCE Memory Corruption Winproladder
NVD
CVSS 3.1
7.8
EPSS
1.0%
CVE-2021-38436 HIGH This Week

FATEK Automation WinProladder versions 3.30 and prior lacks proper validation of user-supplied data when parsing project files, which could result in a memory-corruption condition. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Winproladder
NVD
CVSS 3.1
7.8
EPSS
0.9%
CVE-2021-38434 HIGH This Week

FATEK Automation WinProladder versions 3.30 and prior lacks proper validation of user-supplied data when parsing project files, which could result in an unexpected sign extension. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Winproladder
NVD
CVSS 3.1
7.8
EPSS
0.9%
CVE-2021-38430 HIGH This Week

FATEK Automation WinProladder versions 3.30 and prior proper validation of user-supplied data when parsing project files, which could result in a stack-based buffer overflow. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Stack Overflow Winproladder
NVD
CVSS 3.1
7.8
EPSS
1.0%
CVE-2021-38426 HIGH This Week

FATEK Automation WinProladder versions 3.30 and prior lacks proper validation of user-supplied data when parsing project files, which could result in an out-of-bounds write. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Memory Corruption Winproladder
NVD
CVSS 3.1
7.8
EPSS
0.9%
CVE-2021-41152 HIGH PATCH This Week

OpenOlat is a web-based e-learning platform for teaching, learning, assessment and communication, an LMS, a learning management system. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal Openolat
NVD GitHub
CVSS 3.1
7.7
EPSS
1.2%
CVE-2021-41991 HIGH PATCH This Week

The in-memory certificate cache in strongSwan before 5.9.4 has a remote integer overflow upon receiving many requests with different certificates to fill the cache and later trigger the replacement. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Integer Overflow RCE Strongswan Debian Linux Fedora +22
NVD GitHub
CVSS 3.1
7.5
EPSS
4.8%
CVE-2021-41990 HIGH This Week

The gmp plugin in strongSwan before 5.9.4 has a remote integer overflow via a crafted certificate with an RSASSA-PSS signature. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Integer Overflow RCE Strongswan Debian Linux Fedora +17
NVD GitHub
CVSS 3.1
7.5
EPSS
6.5%
CVE-2021-41611 HIGH PATCH This Week

An issue was discovered in Squid 5.0.6 through 5.1.x before 5.2. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Squid Fedora
NVD GitHub
CVSS 3.1
7.5
EPSS
2.9%
CVE-2021-38562 HIGH PATCH This Week

Best Practical Request Tracker (RT) 4.2 before 4.2.17, 4.4 before 4.4.5, and 5.0 before 5.0.2 allows sensitive information disclosure via a timing attack against lib/RT/REST2/Middleware/Auth.pm. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Request Tracker Fedora Debian Linux
NVD GitHub
CVSS 3.1
7.5
EPSS
1.7%
CVE-2021-42055 MEDIUM This Month

ASUSTek ZenBook Pro Due 15 UX582 laptop firmware through 203 has Insecure Permissions that allow attacks by a physically proximate attacker. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation Ux582Lr Firmware
NVD
CVSS 3.1
6.8
EPSS
0.2%
CVE-2021-24595 MEDIUM This Month

The Wp Cookie Choice WordPress plugin through 1.1.0 is lacking any CSRF check when saving its options, and do not escape them when outputting them in attributes. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF WordPress XSS Wp Cookie Choice
NVD WPScan
CVSS 3.1
6.5
EPSS
0.5%
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy