Skip to main content
CVE-2021-21954 CRITICAL POC Act Now

A command execution vulnerability exists in the wifi_country_code_update functionality of the home_security binary of Anker Eufy Homebase 2 2.1.6.9h. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Eufy Homebase 2 Firmware
NVD
CVSS 3.1
9.9
EPSS
2.4%
CVE-2021-43703 CRITICAL POC Act Now

An Incorrect Access Control vulnerability exists in zzcms less than or equal to 2019 via admin.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Information Disclosure Zzcms
NVD GitHub
CVSS 3.1
9.8
EPSS
1.8%
CVE-2021-41695 CRITICAL POC Act Now

An SQL Injection vulnerability exists in Premiumdatingscript 4.2.7.7 via the ip parameter in connect.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Premiumdatingscript
NVD
CVSS 3.1
9.8
EPSS
1.2%
CVE-2021-41694 CRITICAL POC Act Now

An Incorrect Access Control vulnerability exists in Premiumdatingscript 4.2.7.7 via the password change procedure in requests\user.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Information Disclosure Premiumdatingscript
NVD
CVSS 3.1
9.8
EPSS
1.3%
CVE-2021-3817 CRITICAL POC PATCH THREAT Act Now

wbce_cms is vulnerable to Improper Neutralization of Special Elements used in an SQL Command. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SQLi Wbce Cms
NVD GitHub Exploit-DB
CVSS 3.1
9.8
EPSS
37.8%
CVE-2021-40282 HIGH POC This Week

An SQL Injection vulnerability exists in zzcms 8.2, 8.3, 2020, abd 2021 in dl/dl_download.php. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Zzcms
NVD GitHub
CVSS 3.1
8.8
EPSS
1.1%
CVE-2021-40281 HIGH POC This Week

An SQL Injection vulnerability exists in zzcms 8.2, 8.3, 2020, and 2021 in dl/dl_print.php when registering ordinary users. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Zzcms
NVD GitHub
CVSS 3.1
8.8
EPSS
1.1%
CVE-2021-20144 HIGH POC This Week

An unauthenticated command injection vulnerability exists in the parameters of operation 49 in the controller_server service on Gryphon Tower routers. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Gryphon Tower Firmware
NVD
CVSS 3.1
8.8
EPSS
3.7%
CVE-2021-20143 HIGH POC This Week

An unauthenticated command injection vulnerability exists in the parameters of operation 48 in the controller_server service on Gryphon Tower routers. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Gryphon Tower Firmware
NVD
CVSS 3.1
8.8
EPSS
3.7%
CVE-2021-20142 HIGH POC This Week

An unauthenticated command injection vulnerability exists in the parameters of operation 41 in the controller_server service on Gryphon Tower routers. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Gryphon Tower Firmware
NVD
CVSS 3.1
8.8
EPSS
3.7%
CVE-2021-20141 HIGH POC This Week

An unauthenticated command injection vulnerability exists in the parameters of operation 32 in the controller_server service on Gryphon Tower routers. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Gryphon Tower Firmware
NVD
CVSS 3.1
8.8
EPSS
3.7%
CVE-2021-20140 HIGH POC This Week

An unauthenticated command injection vulnerability exists in the parameters of operation 10 in the controller_server service on Gryphon Tower routers. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Gryphon Tower Firmware
NVD
CVSS 3.1
8.8
EPSS
4.0%
CVE-2021-20139 HIGH POC This Week

An unauthenticated command injection vulnerability exists in the parameters of operation 3 in the controller_server service on Gryphon Tower routers. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Gryphon Tower Firmware
NVD
CVSS 3.1
8.8
EPSS
4.0%
CVE-2021-20138 HIGH POC This Week

An unauthenticated command injection vulnerability exists in multiple parameters in the Gryphon Tower router’s web interface at /cgi-bin/luci/rc. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Gryphon Tower Firmware
NVD
CVSS 3.1
8.8
EPSS
3.7%
CVE-2021-43065 HIGH POC This Week

A incorrect permission assignment for critical resource in Fortinet FortiNAC version 9.2.0, version 9.1.3 and below, version 8.8.9 and below allows attacker to gain higher privileges via the access. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Fortinet Information Disclosure Fortinac
NVD GitHub
CVSS 3.1
7.8
EPSS
0.4%
CVE-2021-21955 HIGH POC This Week

An authentication bypass vulnerability exists in the get_aes_key_info_by_packetid() function of the home_security binary of Anker Eufy Homebase 2 2.1.6.9h. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Eufy Homebase 2 Firmware
NVD
CVSS 3.1
7.5
EPSS
1.0%
CVE-2021-20145 HIGH POC This Week

Gryphon Tower routers contain an unprotected openvpn configuration file which can grant attackers access to the Gryphon homebound VPN network which exposes the LAN interfaces of other users' devices. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Gryphon Tower Firmware
NVD
CVSS 3.1
7.5
EPSS
1.2%
CVE-2021-40280 HIGH POC This Week

An SQL Injection vulnerablitly exits in zzcms 8.2, 8.3, 2020, and 2021 via the id parameter in admin/dl_sendmail.php. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Zzcms
NVD GitHub
CVSS 3.1
7.2
EPSS
1.1%
CVE-2021-40279 HIGH POC This Week

An SQL Injection vulnerability exists in zzcms 8.2, 8.3, 2020, and 2021 via the id parameter in admin/bad.php. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Zzcms
NVD GitHub
CVSS 3.1
7.2
EPSS
1.1%
CVE-2021-4033 MEDIUM POC PATCH This Month

kimai2 is vulnerable to Cross-Site Request Forgery (CSRF). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

CSRF Kimai 2
NVD GitHub
CVSS 3.1
6.5
EPSS
0.5%
CVE-2021-41696 MEDIUM POC This Month

An authentication bypass (account takeover) vulnerability exists in Premiumdatingscript 4.2.7.7 due to a weak password reset mechanism in requests\user.php. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Brute Force Authentication Bypass Premiumdatingscript
NVD
CVSS 3.1
6.5
EPSS
0.9%
CVE-2021-41697 MEDIUM POC This Month

A reflected Cross Site Scripting (XSS) vulnerability exists in Premiumdatingscript 4.2.7.7 via the aerror_description parameter in assets/sources/instagram.php script. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Premiumdatingscript
NVD
CVSS 3.1
6.1
EPSS
0.7%
CVE-2021-20137 MEDIUM POC This Month

A reflected cross-site scripting vulnerability exists in the url parameter of the /cgi-bin/luci/site_access/ page on the Gryphon Tower router's web interface. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Gryphon Tower Firmware
NVD
CVSS 3.1
6.1
EPSS
2.6%
CVE-2021-44514 CRITICAL Act Now

OpUtils in Zoho ManageEngine OpManager 12.5 before 125490 mishandles authentication for a few audit directories. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Zoho Authentication Bypass Manageengine Opmanager
NVD
CVSS 3.1
9.8
EPSS
5.4%
CVE-2021-43608 CRITICAL PATCH Act Now

Doctrine DBAL 3.x before 3.1.4 allows SQL Injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

SQLi Database Abstraction Layer
NVD GitHub
CVSS 3.1
9.8
EPSS
2.4%
CVE-2021-20146 CRITICAL Act Now

An unprotected ssh private key exists on the Gryphon devices which could be used to achieve root access to a server affiliated with Gryphon's development and infrastructure. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Gryphon Tower Firmware
NVD
CVSS 3.1
9.8
EPSS
2.0%
CVE-2021-43802 HIGH PATCH This Week

Etherpad is a real-time collaborative editor. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

RCE Etherpad
NVD GitHub
CVSS 3.1
8.8
EPSS
2.0%
CVE-2021-41265 HIGH PATCH This Week

Flask-AppBuilder is a development framework built on top of Flask. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

Python Authentication Bypass Flask Appbuilder
NVD GitHub
CVSS 3.1
8.8
EPSS
1.2%
CVE-2021-22568 HIGH PATCH This Week

When using the dart pub publish command to publish a package to a third-party package server, the request would be authenticated with an oauth2 access_token that is valid for publishing on pub.dev. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Dart Software Development Kit
NVD GitHub
CVSS 3.1
8.8
EPSS
0.9%
CVE-2021-41246 HIGH PATCH This Week

Express OpenID Connect is express JS middleware implementing sign on for Express web apps using OpenID Connect. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Session Fixation Express Openid Connect
NVD GitHub
CVSS 3.1
8.8
EPSS
0.9%
CVE-2021-43071 HIGH PATCH This Week

A heap-based buffer overflow in Fortinet FortiWeb version 6.4.1 and 6.4.0, version 6.3.15 and below, version 6.2.6 and below allows attacker to execute unauthorized code or commands via crafted HTTP. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Out-of-bounds Write vulnerability could allow attackers to write data beyond allocated buffer boundaries leading to code execution or crashes.

Buffer Overflow Memory Corruption Fortinet Fortiweb
NVD
CVSS 3.1
8.8
EPSS
1.2%
CVE-2021-36194 HIGH PATCH This Week

Multiple stack-based buffer overflows in the API controllers of FortiWeb 6.4.1, 6.4.0, and 6.3.0 through 6.3.15 may allow an authenticated attacker to achieve arbitrary code execution via specially. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Out-of-bounds Write vulnerability could allow attackers to write data beyond allocated buffer boundaries leading to code execution or crashes.

Buffer Overflow RCE Memory Corruption Fortinet Fortiweb
NVD
CVSS 3.1
8.8
EPSS
1.4%
CVE-2021-29678 HIGH This Week

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 9.7, 10.1, 10.5, 11.1, and 11.5 could allow a user with DBADM authority to access other databases and read or modify files. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

IBM Microsoft Authentication Bypass Db2 Oncommand Insight
NVD
CVSS 3.1
8.7
EPSS
1.1%
CVE-2021-43068 HIGH PATCH This Week

A improper authentication in Fortinet FortiAuthenticator version 6.4.0 allows user to bypass the second factor of authentication via a RADIUS login portal. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity.

Fortinet Authentication Bypass Fortiauthenticator
NVD
CVSS 3.1
8.1
EPSS
0.6%
CVE-2021-43982 HIGH This Week

Delta Electronics CNCSoft Versions 1.01.30 and prior are vulnerable to a stack-based buffer overflow, which may allow an attacker to execute arbitrary code. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Stack Overflow Cncsoft
NVD
CVSS 3.1
7.8
EPSS
9.6%
CVE-2021-37861 HIGH This Week

Mattermost 6.0.2 and earlier fails to sufficiently sanitize user's password in audit logs when user creation fails. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mattermost Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.9%
CVE-2021-39002 HIGH This Week

IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, 11.1, and 11.5 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

IBM Microsoft Information Disclosure Db2 Oncommand Insight
NVD
CVSS 3.1
7.5
EPSS
0.9%
CVE-2021-38951 HIGH This Week

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to a denial of service, caused by sending a specially-crafted request. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

IBM Denial Of Service Websphere Application Server
NVD
CVSS 3.1
7.5
EPSS
1.5%
CVE-2021-20373 HIGH PATCH This Week

IBM Db2 9.7, 10.1, 10.5, 11.1, and 11.5 may be vulnerable to an Information Disclosure when using the LOAD utility as under certain circumstances the LOAD utility does not enforce directory. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

IBM Information Disclosure Db2
NVD
CVSS 3.1
7.5
EPSS
1.5%
CVE-2021-41449 HIGH This Week

A path traversal attack in web interfaces of Netgear RAX35, RAX38, and RAX40 routers before v1.0.4.102, allows a remote unauthenticated attacker to gain access to sensitive restricted information,. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity. No vendor patch available.

Netgear Path Traversal Rax35 Firmware Rax38 Firmware Rax40 Firmware
NVD VulDB
CVSS 3.1
7.1
EPSS
1.7%
CVE-2021-42759 MEDIUM This Month

A violation of secure design principles in Fortinet Meru AP version 8.6.1 and below, version 8.5.5 and below allows attacker to execute unauthorized code or commands via crafted cli commands. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.

Fortinet Command Injection Meru Firmware
NVD
CVSS 3.1
6.7
EPSS
0.3%
CVE-2021-43797 MEDIUM PATCH This Month

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Request Smuggling Information Disclosure Netty Quarkus Oncommand Workflow Automation +15
NVD GitHub
CVSS 3.1
6.5
EPSS
2.7%
CVE-2021-38931 MEDIUM This Month

IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11.1, and 11.5 is vulnerable to an information disclosure as a result of a connected user having indirect read access to a table. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

IBM Microsoft Information Disclosure Db2 Oncommand Insight
NVD
CVSS 3.1
6.5
EPSS
1.2%
CVE-2021-22565 MEDIUM PATCH This Month

An attacker could prematurely expire a verification code, making it unusable by the patient, making the patient unable to upload their TEKs to generate exposure notifications. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Exposure Notification Verification Server
NVD GitHub
CVSS 3.1
6.5
EPSS
0.4%
CVE-2021-38926 MEDIUM This Month

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 9.7, 10.1, 10.5, 11.1, and 11.5 could allow a local user to gain privileges due to allowing modification of columns of existing. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

IBM Microsoft Information Disclosure Db2 Oncommand Insight
NVD
CVSS 3.1
5.5
EPSS
0.3%
CVE-2021-36167 MEDIUM PATCH This Month

An improper authorization vulnerabiltiy [CWE-285] in FortiClient Windows versions 7.0.0 and 6.4.6 and below and 6.2.8 and below may allow an unauthenticated attacker to bypass the webfilter control. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Microsoft Fortinet Authentication Bypass Forticlient
NVD
CVSS 3.1
5.3
EPSS
0.6%
CVE-2021-43410 MEDIUM This Month

Apache Airavata Django Portal allows CRLF log injection because of lack of escaping log statements. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Apache Python Airavata Django Portal
NVD
CVSS 3.1
5.3
EPSS
2.4%
CVE-2021-36189 MEDIUM PATCH This Month

A missing encryption of sensitive data in Fortinet FortiClientEMS version 7.0.1 and below, version 6.4.4 and below allows attacker to information disclosure via inspecting browser decrypted data. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity.

Fortinet Information Disclosure Forticlient Enterprise Management Server
NVD
CVSS 3.1
4.9
EPSS
0.4%
CVE-2021-4038 MEDIUM This Month

Cross Site Scripting (XSS) vulnerability in McAfee Network Security Manager (NSM) prior to 10.1 Minor 7 allows a remote authenticated administrator to embed a XSS in the administrator interface via. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Network Security Manager
NVD
CVSS 3.1
4.8
EPSS
0.6%
CVE-2021-43204 MEDIUM PATCH This Month

A improper control of a resource through its lifetime in Fortinet FortiClientWindows version 6.4.1 and 6.4.0, version 6.2.9 and below, version 6.0.10 and below allows attacker to cause a complete. Rated medium severity (CVSS 4.4), this vulnerability is low attack complexity.

Denial Of Service Fortinet Forticlient
NVD
CVSS 3.1
4.4
EPSS
0.3%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy