Skip to main content
CVE-2021-44077 CRITICAL POC KEV PATCH THREAT Act Now

Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulnerable to unauthenticated remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE Zoho Authentication Bypass Manageengine Servicedesk Plus Manageengine Servicedesk Plus Msp +1
NVD
CVSS 3.1
9.8
EPSS
93.5%
CVE-2021-44427 CRITICAL POC PATCH THREAT Act Now

An unauthenticated SQL Injection vulnerability in Rosario Student Information System (aka rosariosis) before 8.1.1 allows remote attackers to execute PostgreSQL statements (e.g., SELECT, INSERT,. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi PostgreSQL Rosariosis
NVD
CVSS 3.1
9.8
EPSS
50.6%
CVE-2021-43691 CRITICAL POC Act Now

tripexpress v1.1 is affected by a path manipulation vulnerability in file system/helpers/dompdf/load_font.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Path Traversal Tripexpress
NVD GitHub
CVSS 3.1
9.8
EPSS
1.5%
CVE-2021-43693 CRITICAL POC Act Now

vesta 0.9.8-24 is affected by a file inclusion vulnerability in file web/add/user/index.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Information Disclosure Vesta Control Panel
NVD GitHub
CVSS 3.1
9.8
EPSS
1.2%
CVE-2021-24915 CRITICAL POC THREAT Act Now

The Contest Gallery WordPress plugin before 13.1.0.6 does not have capability checks and does not sanitise or escape the cg-search-user-name-original parameter before using it in a SQL statement when. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi Contest Gallery
NVD GitHub WPScan
CVSS 3.1
9.8
EPSS
12.7%
CVE-2019-8922 HIGH POC This Week

A heap-based buffer overflow was discovered in bluetoothd in BlueZ through 5.48. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Memory Corruption Buffer Overflow Bluez Debian Linux
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2021-24755 HIGH POC This Week

The myCred WordPress plugin before 2.3 does not validate or escape the fields parameter before using it in a SQL statement, leading to an SQL injection exploitable by any authenticated user. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi Mycred
NVD WPScan
CVSS 3.1
8.8
EPSS
1.3%
CVE-2021-24748 HIGH POC This Week

The Email Before Download WordPress plugin before 6.8 does not properly validate and escape the order and orderby GET parameters before using them in SQL statements, leading to authenticated SQL. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi Email Before Download
NVD WPScan
CVSS 3.1
8.8
EPSS
1.3%
CVE-2021-44429 HIGH POC This Week

Serva 4.4.0 allows remote attackers to cause a denial of service (daemon crash) via a TFTP read (RRQ) request, aka opcode 1, a related issue to CVE-2013-0145. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Denial Of Service Serva
NVD
CVSS 3.1
7.5
EPSS
1.9%
CVE-2021-44428 HIGH POC This Week

Pinkie 2.15 allows remote attackers to cause a denial of service (daemon crash) via a TFTP read (RRQ) request, aka opcode 1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Denial Of Service Pinkie
NVD Exploit-DB
CVSS 3.1
7.5
EPSS
2.9%
CVE-2021-43786 HIGH POC PATCH This Week

Nodebb is an open source Node.js based forum software. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js Authentication Bypass Nodebb
NVD GitHub
CVSS 3.1
7.5
EPSS
2.3%
CVE-2021-38283 HIGH POC This Week

Wipro Holmes Orchestrator 20.4.1 (20.4.1_02_11_2020) allows remote attackers to read application log files containing sensitive information via a predictable /log URI. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Holmes
NVD
CVSS 3.1
7.5
EPSS
2.4%
CVE-2021-38147 HIGH POC THREAT This Week

Wipro Holmes Orchestrator 20.4.1 (20.4.1_02_11_2020) allows remote attackers to download arbitrary files, such as reports containing sensitive information, because authentication is not required for. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Holmes
NVD
CVSS 3.1
7.5
EPSS
53.0%
CVE-2021-24889 HIGH POC This Week

The Ninja Forms Contact Form WordPress plugin before 3.6.4 does not escape keys of the fields POST parameter, which could allow high privilege users to perform SQL injections attacks. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi Ninja Forms
NVD WPScan
CVSS 3.1
7.2
EPSS
1.3%
CVE-2021-24860 HIGH POC This Week

The BSK PDF Manager WordPress plugin before 3.1.2 does not validate and escape the orderby and order parameters before using them in a SQL statement, leading to a SQL injection issue. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi Bsk Pdf Manager
NVD WPScan
CVSS 3.1
7.2
EPSS
1.3%
CVE-2019-8921 MEDIUM POC This Month

An issue was discovered in bluetoothd in BlueZ through 5.48. Rated medium severity (CVSS 6.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Bluez Debian Linux
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2021-43787 MEDIUM POC PATCH This Month

Nodebb is an open source Node.js based forum software. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js Path Traversal XSS Nodebb
NVD GitHub
CVSS 3.1
6.1
EPSS
1.3%
CVE-2021-43692 MEDIUM POC This Month

youtube-php-mirroring (last update Jun 9, 2017) is affected by a Cross Site Scripting (XSS) vulnerability in file ytproxy/index.php. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Youtube Php Mirroring
NVD GitHub
CVSS 3.1
6.1
EPSS
0.6%
CVE-2021-43695 MEDIUM POC This Month

issabelPBX version 2.11 is affected by a Cross Site Scripting (XSS) vulnerability. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Pbx
NVD GitHub
CVSS 3.1
6.1
EPSS
0.6%
CVE-2021-43697 MEDIUM POC This Month

Workerman-ThinkPHP-Redis (last update Mar 16, 2018) is affected by a Cross Site Scripting (XSS) vulnerability. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Redis PHP XSS Workerman Thinkphp Redis
NVD GitHub
CVSS 3.1
6.1
EPSS
0.6%
CVE-2021-43696 MEDIUM POC This Month

twmap v2.91_v4.33 is affected by a Cross Site Scripting (XSS) vulnerability. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Twmap
NVD GitHub
CVSS 3.1
6.1
EPSS
0.6%
CVE-2021-43698 MEDIUM POC This Month

phpWhois (last update Jun 30 2021) is affected by a Cross Site Scripting (XSS) vulnerability. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Phpwhois
NVD GitHub
CVSS 3.1
6.1
EPSS
0.6%
CVE-2021-24908 MEDIUM POC This Month

The Check & Log Email WordPress plugin before 1.0.4 does not escape the d parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Check Log Email
NVD WPScan
CVSS 3.1
6.1
EPSS
0.8%
CVE-2021-24876 MEDIUM POC This Month

The Registrations for the Events Calendar WordPress plugin before 2.7.5 does not escape the v parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Registrations For The Events Calendar
NVD WPScan
CVSS 3.1
6.1
EPSS
1.2%
CVE-2021-24927 MEDIUM POC This Month

The My Calendar WordPress plugin before 3.2.18 does not sanitise and escape the callback parameter of the mc_post_lookup AJAX action (available to any authenticated user) before outputting it back in. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS My Calendar
NVD WPScan
CVSS 3.1
5.4
EPSS
0.6%
CVE-2021-24918 MEDIUM POC This Month

The Smash Balloon Social Post Feed WordPress plugin before 4.0.1 did not have any privilege or nonce validation before saving the plugin's setting. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Smash Balloon Social Post Feed
NVD WPScan
CVSS 3.1
5.4
EPSS
0.7%
CVE-2021-24842 MEDIUM POC This Month

The Bulk Datetime Change WordPress plugin before 1.12 does not enforce capability checks which allows users with Contributor roles to 1) list private post titles of other users and 2) change the. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Authentication Bypass Bulk Datetime Change
NVD WPScan
CVSS 3.1
5.4
EPSS
0.7%
CVE-2021-24822 MEDIUM POC This Month

The Stylish Cost Calculator WordPress plugin before 7.0.4 does not have any authorisation and CSRF checks on some of its AJAX actions (available to authenticated users), which could allow any. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress XSS Stylish Cost Calculator
NVD WPScan
CVSS 3.1
5.4
EPSS
0.3%
CVE-2021-24751 MEDIUM POC This Month

The GenerateBlocks WordPress plugin before 1.4.0 does not validate the generateblocks/container block's tagName attribute, which could allow users with a role as low as contributor to perform. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Generateblocks
NVD WPScan
CVSS 3.1
5.4
EPSS
0.6%
CVE-2021-24745 MEDIUM POC This Month

The About Author Box WordPress plugin before 1.0.2 does not sanitise and escape the Social Profiles field values before outputting them in attributes, which could allow user with a role as low as. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS About Author Box
NVD WPScan
CVSS 3.1
5.4
EPSS
0.6%
CVE-2021-21707 MEDIUM POC PATCH THREAT This Month

In PHP versions 7.3.x below 7.3.33, 7.4.x below 7.4.26 and 8.0.x below 8.0.13, certain XML parsing functions, like simplexml_load_file(), URL-decode the filename passed to them. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

PHP Information Disclosure Clustered Data Ontap Debian Linux Tenable Sc
NVD
CVSS 3.1
5.3
EPSS
26.0%
CVE-2021-43788 MEDIUM POC PATCH THREAT This Month

Nodebb is an open source Node.js based forum software. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Node.js Path Traversal Nodebb
NVD GitHub
CVSS 3.1
5.0
EPSS
25.8%
CVE-2021-42364 HIGH This Week

The Stetic WordPress plugin is vulnerable to Cross-Site Request Forgery due to missing nonce validation via the stats_page function found in the ~/stetic.php file, which made it possible for. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF WordPress PHP Stetic
NVD
CVSS 3.1
8.8
EPSS
0.6%
CVE-2021-42358 HIGH This Week

The Contact Form With Captcha WordPress plugin is vulnerable to Cross-Site Request Forgery due to missing nonce validation in the ~/cfwc-form.php file during contact form submission, which made it. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF WordPress PHP Contact Form With Captcha
NVD
CVSS 3.1
8.8
EPSS
0.6%
CVE-2021-24899 MEDIUM POC This Month

The Media-Tags WordPress plugin through 3.2.0.2 does not sanitise and escape any of its Labels settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Media Tags
NVD WPScan
CVSS 3.1
4.8
EPSS
0.6%
CVE-2021-24811 MEDIUM POC This Month

The Shop Page WP WordPress plugin before 1.2.8 does not sanitise and escape some of the Product fields, allowing high privilege users to perform Cross-Site Scripting attacks even when the. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Shop Page Wp
NVD WPScan
CVSS 3.1
4.8
EPSS
0.6%
CVE-2021-24768 MEDIUM POC This Month

The WP RSS Aggregator WordPress plugin before 4.19.2 does not properly sanitise and escape the URL to Blacklist field, allowing malicious HTML to be inserted by high privilege users even when the. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Wp Rss Aggregator
NVD WPScan
CVSS 3.1
4.8
EPSS
0.6%
CVE-2021-43783 HIGH PATCH This Week

@backstage/plugin-scaffolder-backend is the backend for the default Backstage software templates. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal Backstage
NVD GitHub
CVSS 3.1
8.5
EPSS
1.2%
CVE-2021-24749 MEDIUM POC This Month

The URL Shortify WordPress plugin before 1.5.1 does not have CSRF check in place when bulk-deleting links or groups, which could allow attackers to make a logged in admin delete arbitrary link and. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Url Shortify
NVD WPScan
CVSS 3.1
4.3
EPSS
0.4%
CVE-2021-3802 MEDIUM POC PATCH This Month

A vulnerability found in udisks2. Rated medium severity (CVSS 4.2), this vulnerability is low attack complexity. Public exploit code available.

Information Disclosure Udisks Fedora Enterprise Linux
NVD
CVSS 3.1
4.2
EPSS
0.8%
CVE-2021-44198 HIGH PATCH This Week

DLL hijacking could lead to local privilege escalation. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity.

Microsoft Privilege Escalation Cyber Protect
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVE-2021-34800 HIGH PATCH This Week

Sensitive information could be logged. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apple Microsoft Information Disclosure Agent
NVD
CVSS 3.1
7.5
EPSS
1.0%
CVE-2021-39995 MEDIUM This Month

Some Huawei products use the OpenHpi software for hardware management. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Buffer Overflow Huawei Denial Of Service Information Disclosure Ecns280 Td Firmware +1
NVD
CVSS 3.1
6.5
EPSS
0.6%
CVE-2021-44201 MEDIUM PATCH This Month

Cross-site scripting (XSS) was possible in notification pop-ups. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Microsoft XSS Cyber Protect
NVD
CVSS 3.1
6.1
EPSS
0.6%
CVE-2021-44199 MEDIUM PATCH This Month

DLL hijacking could lead to denial of service. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity.

Microsoft Denial Of Service Agent Cyber Protect Cyber Protect Home Office
NVD
CVSS 3.1
5.5
EPSS
0.2%
CVE-2021-44203 MEDIUM PATCH This Month

Stored cross-site scripting (XSS) was possible in protection plan details. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity.

Microsoft XSS Cyber Protect
NVD
CVSS 3.1
5.4
EPSS
0.5%
CVE-2021-44202 MEDIUM PATCH This Month

Stored cross-site scripting (XSS) was possible in activity details. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity.

Microsoft XSS Cyber Protect
NVD
CVSS 3.1
5.4
EPSS
0.5%
CVE-2021-44200 MEDIUM PATCH This Month

Self cross-site scripting (XSS) was possible on devices page. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity.

Microsoft XSS Cyber Protect
NVD
CVSS 3.1
5.4
EPSS
0.5%
CVE-2021-24883 MEDIUM This Month

The Popup Anything WordPress plugin before 2.0.4 does not escape the Link Text and Button Text fields of Popup, which could allow users with a role as low as Contributor to perform Cross-Site. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress XSS Popup Anything
NVD WPScan
CVSS 3.1
5.4
EPSS
0.8%
CVE-2021-32061 MEDIUM PATCH This Month

S3Scanner before 2.0.2 allows Directory Traversal via a crafted bucket, as demonstrated by a <Key>../ substring in a ListBucketResult element. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal S3Scanner
NVD GitHub
CVSS 3.1
5.3
EPSS
1.6%
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy