Skip to main content
CVE-2021-44228 CRITICAL POC KEV PATCH THREAT Act Now

Apache Log4j2 contains a critical JNDI injection vulnerability known as 'Log4Shell' that allows unauthenticated remote code execution through crafted log messages, affecting virtually every Java application on Earth and triggering the largest vulnerability remediation effort in history.

NVD GitHub Exploit-DB
CVSS 3.1
10.0
EPSS
94.4%
Threat
9.8
CVE-2021-23700 CRITICAL POC Act Now

All versions of package merge-deep2 are vulnerable to Prototype Pollution via the mergeDeep() function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Prototype Pollution Information Disclosure Merge Deep2
NVD
CVSS 3.1
9.8
EPSS
1.2%
CVE-2021-23663 CRITICAL POC Act Now

All versions of package sey are vulnerable to Prototype Pollution via the deepmerge() function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Prototype Pollution Information Disclosure Sey
NVD
CVSS 3.1
9.8
EPSS
1.2%
CVE-2021-23639 CRITICAL POC PATCH Act Now

The package md-to-pdf before 5.0.0 are vulnerable to Remote Code Execution (RCE) due to utilizing the library gray-matter to parse front matter content, without disabling the JS engine. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE Markdown To Pdf
NVD GitHub
CVSS 3.1
9.8
EPSS
5.3%
CVE-2021-23561 CRITICAL POC Act Now

All versions of package comb are vulnerable to Prototype Pollution via the deepMerge() function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Prototype Pollution Information Disclosure Comb
NVD
CVSS 3.1
9.8
EPSS
1.2%
CVE-2021-27983 CRITICAL POC Act Now

Remote Code Execution (RCE) vulnerability exists in MaxSite CMS v107.5 via the Documents page. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Maxsite Cms
NVD GitHub
CVSS 3.1
9.8
EPSS
3.5%
CVE-2021-31746 CRITICAL POC Act Now

Zip Slip vulnerability in Pluck-CMS Pluck 4.7.15 allows an attacker to upload specially crafted zip files, resulting in directory traversal and potentially arbitrary code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Path Traversal Pluck
NVD GitHub
CVSS 3.1
9.8
EPSS
2.4%
CVE-2021-37934 CRITICAL POC Act Now

Due to insufficient server-side login-attempt limit enforcement, a vulnerability in /account/login in Huntflow Enterprise before 3.10.14 could allow an unauthenticated, remote user to perform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Huntflow Enterprise
NVD GitHub
CVSS 3.1
9.8
EPSS
1.5%
CVE-2021-23463 CRITICAL POC PATCH Act Now

The package com.h2database:h2 from 1.4.198 and before 2.0.202 are vulnerable to XML External Entity (XXE) Injection via the org.h2.jdbc.JdbcSQLXML class object, when it receives parsed string data. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XXE H2
NVD GitHub
CVSS 3.1
9.1
EPSS
3.3%
CVE-2021-35978 CRITICAL Act Now

An issue was discovered in Digi TransPort DR64, SR44 VC74, and WR. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Command Injection Transport Dr64 Firmware Transport Sr44 Firmware Transport Vc74 Firmware +6
NVD
CVSS 3.1
9.8
EPSS
3.6%
CVE-2021-38917 CRITICAL Act Now

IBM PowerVM Hypervisor FW860, FW940, and FW950 could allow an attacker that gains service access to the FSP can read and write arbitrary host system memory through a series of carefully crafted. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

IBM Information Disclosure Powervm Hypervisor
NVD
CVSS 3.1
9.1
EPSS
1.5%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy