Authorization bypass in OpenClaw versions prior to 2026.4.29 allows authenticated QQBot senders to modify streaming configuration without satisfying the intended allowFrom allowlist policy, when those entries lack non-wildcard restrictions. The flaw stems from missing identity verification on the QQBot streaming command path (CWE-290) and was reported by VulnCheck; no public exploit identified at time of analysis.
Identity header forgery in OpenClaw before 2026.5.18 allows local same-host callers with access to the proxy-facing Gateway port to spoof trusted-proxy identity headers and assume operator identity. The flaw stems from missing validation of headers normally set by an upstream trusted proxy, enabling privilege escalation when the Gateway port is reachable locally. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Code injection in Kitty terminal emulator versions prior to 0.47.3 allows attacker-controlled bytes - including newline characters - to be reflected back into the user's shell input via the OSC 21 (color-control) escape sequence query reply. An attacker who can cause arbitrary bytes to be written to the terminal (malicious file contents, SSH banner, log entry, web page) can inject and execute shell commands at the victim's privilege level. No public exploit identified at time of analysis, but the underlying class of terminal-escape-injection bugs is well documented and exploitation is straightforward once the unsanitized reply path is known.
Arbitrary file deletion in IEI Integration Corp's iVEC-IEI Virtualization Edge Computer (Tank-XM811 platform) allows authenticated remote attackers to delete arbitrary system files or directories via path traversal, leading to data destruction and service disruption. The flaw was reported through Taiwan's TWCERT coordination process and carries a CVSS 4.0 base score of 7.2 (High) driven by integrity and availability impact. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Arbitrary file write in GeoServer's Master Password Dump web page allows an authenticated administrator to write attacker-controlled content to any absolute filesystem path the GeoServer process can write to, including JSP files in a Tomcat webapps directory. Because GeoServer enforces no maximum master password length, an admin can embed malicious JSP code into the master password and dump it to an executable location, escalating to remote code execution on the host. No public exploit identified at time of analysis and the issue is not in CISA KEV.
Account takeover in Cap-go (Capgo) versions prior to 12.128.2 allows an attacker holding a temporary authenticated session to change the account's registered email address without re-authentication (no password or MFA prompt), then trigger a password reset to attacker-controlled inbox and seize the account. The flaw, reported by VulnCheck and tracked as a missing-authentication weakness (CWE-306), has a vendor patch but no public exploit identified at time of analysis.
Privilege escalation in phpBB allows an authenticated administrator with limited rights to grant themselves permissions beyond their authorized scope through the Administration Control Panel (ACP), enabling elevation to full administrative control over the forum. The flaw stems from improper verification of access permissions when permissions are modified via the ACP, and no public exploit identified at time of analysis. With CVSS 7.2 (PR:H) and no KEV listing, this is a meaningful but not panic-level risk that primarily threatens multi-admin phpBB deployments where administrative duties are intentionally segmented.
Privilege escalation in Mattermost collaboration platform allows authenticated users holding delegated user-management permissions to modify built-in system role permissions via the role patch API, bypassing a required system-level permission check. Affects Mattermost 10.11.x through 10.11.16, 11.5.x through 11.5.4, and 11.6.x through 11.6.1. No public exploit identified at time of analysis; EPSS is very low (0.03%) and the SSVC framework reports no observed exploitation.
Cross-user share-link deletion in File Browser (filebrowser/filebrowser v2 ≤ 2.63.5) lets a low-privileged authenticated user with create+delete permissions in their own isolated scope irrevocably wipe share-link records owned by any other account, including the administrator. Deleting a file whose logical path is a byte-prefix of another user's stored share.Link.Path triggers an unbounded prefix match that bypasses the per-user ownership check enforced everywhere else. There is no public exploit identified at time of analysis, and EPSS exploitation probability is negligible (0.02%, 5th percentile), but a vendor patch (v2.63.6) is available.
Discord role hierarchy bypass in Quest Bot (open-source Discord moderation bot) prior to version 1.1.6 allows moderators to perform privileged actions against users ranked above them in the server role hierarchy. Any moderator holding the relevant Discord permission bit can ban, kick, timeout, untimeout, warn, or rename higher-ranked members so long as the bot itself outranks the target. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Denial of service in Capgo Console versions prior to 12.28.2 allows an authenticated attacker to lock legitimate users out of authentication and onboarding flows by triggering account deletion while a device identifier is bound to the active session. The platform incorrectly persists the deletion state against the device identifier rather than the account, causing the affected browser or device to be redirected to an account-disabled page for roughly 30 days. No public exploit identified at time of analysis, but a vendor patch and GHSA advisory (GHSA-qmrm-qgwr-55jf) have been published following disclosure by VulnCheck.
Cross-site request forgery in MISP (Malware Information Sharing Platform) stems from the Security.check_sec_fetch_site_header control shipping disabled by default, leaving state-changing automation endpoints unprotected against browser-issued cross-origin requests. A remote attacker hosting a malicious page can coerce an authenticated MISP user's browser into submitting forged POST/PUT/AJAX requests that execute with the victim's privileges, enabling unauthorized data or configuration changes. No public exploit identified at time of analysis, and the issue is not in CISA KEV.
Arbitrary local file read in OpenClaw before 2026.4.7 lets authenticated Gateway operators holding the operator.write scope coerce the memory-wiki ingest feature into importing the contents of arbitrary local files. The flaw, reported by VulnCheck and tracked as GHSA-p2fh-f5fc-44hr, enables disclosure of sensitive host files (credentials, config, secrets) into wiki memory, but no public exploit identified at time of analysis and it is not listed in CISA KEV.
Arbitrary file write in Kitty terminal versions 0.47.0 and 0.47.1 allows a remote drag-and-drop source to overwrite files writable by the local kitty user via a TOCTOU symlink race in kitten dnd staging. The flaw stems from openat() calls lacking O_NOFOLLOW when handling duplicate remote basenames on case-sensitive filesystems, letting an attacker-staged symlink redirect writes outside the staging directory. No public exploit identified at time of analysis, and EPSS is very low (0.03%), though user interaction via drag-and-drop is the gating factor.
WiFi credential exposure in Naxclow IoT device firmware (Smart Doorbell X3, X Smart Home, V720, Ix Cam) allows any attacker with brief physical access to recover host network SSID, PSK, and negotiated WPA keys printed in cleartext to a labeled, production-accessible UART debug console. The UART interface drops to an unauthenticated interactive RT-Thread shell, enabling arbitrary memory reads and full firmware extraction - escalating a credential-theft opportunity into a platform for deeper firmware-level compromise. Reported via CISA ICS-CERT advisory ICSA-26-162-02; no public exploit code identified, though the attack requires only commodity serial hardware and minimal technical knowledge.
Path traversal in Kedro 1.2.0 allows authenticated local users to read or overwrite files outside of versioned dataset directories by supplying a crafted version string. The flaw resides in `_get_versioned_path()` (kedro/io/core.py) and is also reachable via the `--load-versions` CLI parameter, with downstream risk of data poisoning and cross-tenant data exposure in orchestrated pipelines. No public exploit identified at time of analysis, and the issue is not on CISA KEV.
Authorization bypass in Quest Bot Discord bot prior to version 1.1.6 lets low-privilege guild members invoke the purge and slowmode commands in channels where their channel-level permissions explicitly deny moderation. The bot only validates guild-wide permissions on the invoking member and ignores Discord's per-channel permission overrides, so a user excluded from moderating a specific channel can still delete messages and alter slowmode there. No public exploit identified at time of analysis, and the issue is patched in v1.1.6.
Disk encryption bypass in Moxa UC-1200A series industrial computers allows an attacker with invasive physical access to recover the LUKS disk encryption key by sniffing the SPI bus between the CPU and TPM2 chip. The flaw is an incomplete fix for CVE-2026-0714 - Moxa added TPM2 parameter encryption but misconfigured the authorization session so the encryption provides no real protection. No public exploit identified at time of analysis, and the CVSS 4.0 vector (AV:P) reflects that exploitation is bounded to attackers who can physically open the device.
Parse Server's operator-configured route firewall (`routeAllowList`) is bypassed in versions 9.8.0 through 9.9.1-alpha.3 when external clients POST to the `/batch` endpoint with sub-requests targeting routes the operator intended to block. The Express middleware enforcing the allow-list runs only against the outer HTTP request URL; the `/batch` handler dispatches each embedded sub-request to the internal router without re-running that check. Inner authorization controls - Parse authentication, ACL, and CLP - remain in effect, bounding actual data exposure to whatever those controls permit, but the route-level security boundary is defeated entirely. No public exploit has been identified and EPSS is 0.08%, though operators relying on `routeAllowList` as a primary access-control layer are directly and materially affected.
Unauthenticated relation membership disclosure in Parse Server allows any client holding only standard public API credentials to read objects linked through a Relation field that is explicitly hidden by protectedFields, or linked to a parent object that is inaccessible under its ACL or class-level permissions. By supplying only a known or guessed owning object's objectId, a remote unauthenticated caller can enumerate all objects in a protected relation or use the $relatedTo operator as a membership oracle - confirming whether a specific child object is privately linked to a given parent. This directly undermines applications that use Parse Server's access control primitives to protect sensitive relationships such as private group memberships, block lists, or account-to-resource associations. No public exploit identified at time of analysis; vendor-released patches exist at versions 8.6.80 and 9.9.1-alpha.6.
Arbitrary file read via path traversal in IEI Integration Corp's iVEC TANK-XM811 edge computing platform exposes sensitive system files to privileged remote attackers. The CVSS 4.0 vector (AV:N/PR:H/VC:H) confirms network-accessible exploitation requiring high-privilege credentials, with full confidentiality impact on the vulnerable system and no integrity or availability impact. No public exploit code or CISA KEV listing is identified at time of analysis; the vulnerability was reported by Taiwan CERT (TWCERT) and affects all known firmware versions per CPE wildcard.
Unauthenticated access to the `POST /openid/config` endpoint in Actual Budget sync-server versions <= 26.4.0 exposes the full OpenID Connect configuration-including the OAuth2 `client_secret`-to any caller who can supply the bootstrap password. Because the endpoint enforces no rate limiting, the bootstrap password itself is brute-forceable, compounding the exposure. No public exploit has been identified at time of analysis, and the EPSS score of 0.03% (11th percentile) reflects low current exploitation probability; however, internet-exposed instances with OIDC configured are at meaningful risk of credential harvesting.
Unauthorized camera and microphone access in Heptabase by Hepta Platforms is achievable by unauthenticated remote attackers who social-engineer a victim into opening a malicious webpage inside the application, exploiting an exposed dangerous method (CWE-749) that bypasses normal permission gating. The attack yields high confidentiality impact - real-time audio and video capture - with no privileges required on the attacker's side, constrained only by the need for active victim interaction. No public exploit code has been identified and the vulnerability is not listed in CISA KEV at time of analysis, though the surveillance-class outcome makes it attractive for targeted campaigns.
Missing authorization checks on multiple Frappe framework endpoints allow remote unauthenticated attackers to access and modify resources without permission. All Frappe installations on the 15.x branch prior to 15.107.0 and the 16.x branch prior to 16.17.0 are affected. No public exploit code has been identified at time of analysis, and the EPSS score of 0.03% reflects minimal current exploitation activity, though the attack requires no credentials or special preconditions.
Unauthorized resource access in the Frappe web application framework exposes the submit_discussion() endpoint to unauthenticated network callers who can bypass access controls and write discussion data to resources they do not own. All Frappe deployments running versions prior to 15.107.0 (v15 branch) or 16.17.0 (v16 branch) are affected, with impact limited to low-severity integrity writes and no confidentiality or availability consequence. No public exploit code exists and EPSS probability is 0.03% (9th percentile), indicating low opportunistic exploitation pressure despite the unauthenticated network attack vector.
Stored XSS in Frappe's Report and List View components allows injection of persistent JavaScript payloads that execute in the browsers of any user who subsequently accesses the affected views. All Frappe deployments on the v15 branch prior to 15.107.2 and v16 branch prior to 16.17.4 are affected per the GitHub security advisory GHSA-rx63-c3fh-8926. No public exploit has been identified at time of analysis and the EPSS score of 0.02% (7th percentile) reflects low current exploitation probability, though the network-accessible nature of Frappe instances keeps this relevant for organizations running unpatched versions.
DB schema enumeration in Frappe (versions prior to 15.107.2 and 16.17.4) exposes internal database structure to unauthenticated remote attackers via a vulnerable endpoint. The CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) confirms no authentication or special conditions are required, making this accessible to any internet-facing instance. While limited to low confidentiality impact (VC:L) with no integrity or availability consequences, schema information can inform targeted follow-on attacks against the application's data layer. No public exploit has been identified at time of analysis, and EPSS of 0.02% (7th percentile) indicates low current exploitation probability.
Insecure Direct Object Reference (IDOR) in the Frappe full-stack web application framework exposes email configuration details of arbitrary users to any authenticated account. The flaw exists in versions prior to 15.107.0 (v15 branch) and 16.17.0 (v16 branch), allowing a low-privilege authenticated attacker to enumerate and read email settings belonging to other users by manipulating object references in requests. No public exploit has been identified and the issue is not listed in CISA KEV, though the low EPSS score (0.02%) and network-accessible vector warrant patching, particularly for multi-tenant Frappe deployments.
Stored cross-site scripting in Frappe's user profile image section enables script injection that executes in the browsers of any user who views the compromised profile. Affected versions are all Frappe releases prior to 15.106.0. No public exploit code or CISA KEV listing exists at time of analysis; EPSS of 0.02% (7th percentile) reflects low observed exploitation activity, though stored XSS in a shared framework carries inherent persistence risk across all applications built on Frappe.
Stored cross-site scripting in the Frappe framework's Note feature allows a low-privileged attacker to persist malicious JavaScript that executes in the browsers of users who subsequently view the poisoned note. All Frappe deployments on the v15 branch prior to 15.106.0 and the v16 branch prior to 16.16.0 are affected. No public exploit or CISA KEV listing exists at time of analysis; vendor-confirmed patches are available and should be applied promptly given the ease of exploitation once an attacker holds any valid user account.
Netty's HTTP/2 codec mishandles the SETTINGS_MAX_HEADER_LIST_SIZE client setting, enabling a denial-of-service attack functionally equivalent to HTTP/2 Rapid Reset (CVE-2023-44487) but with a distinct on-wire signature. Affected Netty versions prior to 4.1.135.Final and 4.2.15.Final fully process and proxy incoming requests to the origin before encountering an exception during response header serialization, consuming server resources without completing responses. No public exploit has been identified at time of analysis, and EPSS stands at 0.02% (5th percentile), though the attack technique parallels a well-documented catastrophic DDoS class.
SQL Injection in the Frappe full-stack web framework's get_blog_list function allows unauthenticated remote attackers to manipulate database queries, leading to limited data read and write access. Frappe versions prior to 15.106.0 (v15 branch) and 16.16.0 (v16 branch) are affected across all deployments that expose the blog module. No public exploit code has been identified and exploitation probability is very low per EPSS (0.02%), though the network-accessible, unauthenticated attack surface warrants prompt patching for internet-facing instances.
OpenClaw's bundled MCP loopback session-spawn path fails to enforce its exec denylist, allowing authenticated low-privilege callers to execute commands that should be restricted. Affected versions are all OpenClaw releases prior to 2026.5.12. An attacker with local, authenticated access can spawn MCP sessions through the loopback path to gain command reach exceeding their authorized scope, resulting in high integrity impact on the vulnerable system. No public exploit has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Path traversal in Discourse's backup download handler allows an authenticated administrator on one site within a multisite deployment to retrieve backup archives belonging to a co-hosted site on the same server. Backup files typically contain full database dumps, private messages, user credentials, and email addresses, making cross-site access a serious trust-boundary violation. No public exploit has been identified and EPSS sits at 0.04% (12th percentile), reflecting the narrow exploitation conditions; vendor-released patches are available across all affected release trains.
Host header injection in Nezha Monitoring versions 1.0.0 through 2.2.0 allows unauthenticated remote attackers to redirect OAuth2 callback URLs to attacker-controlled domains, enabling OAuth token theft and account takeover. The flaw resides in the getRedirectURL function (oauth2.go:22-29), which blindly concatenates the HTTP request's Host header with a fixed path when constructing the OAuth2 redirect URL, with no allowlisting or validation performed. A vendor-released patch exists in version 2.2.0; no public exploit has been identified at time of analysis and the vulnerability is not in the CISA KEV catalog.
Zip-slip path traversal in filebrowser v2.63.5 and earlier (Linux-hosted) allows any authenticated user with Create permission to plant a file whose name contains URL-encoded Windows-style backslash traversal sequences (`%5C`). The Linux server stores the file with a literal backslash in its name, which `filepath.ToSlash()` silently ignores, and the archive download handler emits that name verbatim into zip/tar central directories. When a Windows victim downloads and extracts the archive using Explorer, 7-Zip, WinRAR, or .NET `ZipFile.ExtractToDirectory`, the extractor interprets `\` as a path separator and writes files to arbitrary locations outside the extraction directory - enabling arbitrary file write on the victim's Windows machine. No public exploit identified at time of analysis beyond the full PoC published in the GHSA advisory; EPSS is 0.03% (8th percentile), consistent with the two-party, victim-interaction requirement.
Directory traversal in Allegra's exportReport method exposes arbitrary server-side files to authenticated remote attackers, operating in the context of the underlying service account. The flaw affects all tracked versions per the CPE wildcard (cpe:2.3:a:allegra:allegra:*), with Alltena's 9.0.0 release notes referencing the fix. No public exploit code or CISA KEV listing has been identified at time of analysis, and no EPSS data was provided, but the CVSS 6.5 rating reflects a meaningful confidentiality risk for any internet-facing Allegra deployment where user accounts may be broadly provisioned.
{"$gt": ""}`) to be interpreted as query logic rather than literal values. No public exploit is independently catalogued (KEV not listed), but a proof-of-concept TypeScript payload is included in the vendor advisory, and EPSS sits at 0.03% (8th percentile), indicating low observed exploitation activity at time of analysis.
Out-of-bounds heap write in QEMU's virtio-blk device allows a high-privileged guest to crash the host QEMU process. The flaw exists because the virtio-blk device omits validation of input descriptor sizes prior to writing data, enabling a malicious guest operator to submit a crafted virtio-blk SCSI request that writes beyond the allocated host heap buffer. The primary confirmed impact is a denial of service (DoS) of the QEMU process on the host; no public exploit code has been identified at time of analysis and it is not listed in the CISA KEV catalog.
Unauthenticated denial-of-service in File Browser (filebrowser/filebrowser) versions <= 2.63.5 allows remote attackers to exhaust CPU and memory by submitting arbitrarily large passwords to the public /api/login endpoint, which are then passed unchecked into the bcrypt-style CheckPwd hashing routine. Publicly available exploit code exists in the GitHub advisory PoC, and concurrent abuse can crash the container and even destabilize the host Docker daemon. EPSS is low (0.04%) and the issue is not in CISA KEV, but the trivial AV:N/AC:L/PR:N exploitation profile makes it a real availability risk for any internet-exposed instance.
Unbounded WebSocket stream allocation in Nezha Monitoring versions 1.0.0 through 2.1.x allows any authenticated dashboard user to exhaust server memory and crash the monitoring service. The two affected endpoints - POST /api/v1/terminal and POST /api/v1/file - each insert a long-lived ioStreamContext into a global Go map with no per-user rate limit, no global semaphore, and no per-server connection cap, making repeated calls a trivial denial-of-service vector. No public exploit code has been identified at time of analysis, and the issue is not listed in CISA KEV; the vendor released a patch in version 2.2.0.
Remote cluster authentication token disclosure in Mattermost's Secure Connections feature allows authenticated users holding the manage_secure_connections permission to retrieve plaintext inter-cluster credentials via a crafted PATCH request. Affected deployments span versions 10.11.x through 10.11.15, 11.5.x through 11.5.4, and 11.6.x through 11.6.1, with a CVSS-rated High confidentiality impact (6.5). No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but successful exploitation could undermine the trust model of federated multi-cluster deployments.
Nezha Monitoring versions 2.0.14 through 2.1.0 (exclusive) allows any authenticated user to exploit the NAT-based Host claiming mechanism to preempt all dashboard routing, resulting in complete availability loss for the monitoring platform. The vulnerability stems from CWE-284 (Improper Access Control) - the application fails to properly restrict which authenticated principals may register or override a dashboard Host identity via NAT traversal. No public exploit has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Discourse group owners can retrieve plaintext SMTP credentials - including passwords, usernames, server, port, and SSL mode - from the group history log endpoint (/groups/:name/logs.json), affecting versions 2026.1.0-latest through pre-2026.1.4, 2026.3.0-latest through pre-2026.3.1, and 2026.4.0-latest through pre-2026.4.1. An authenticated group owner who holds no admin or moderator privileges can harvest the exposed SMTP password and use it to send mail impersonating the group's email identity from any external mail client, entirely bypassing Discourse's own sending controls. No public exploit code exists and this vulnerability is not listed in CISA KEV; the EPSS score of 0.03% at the 11th percentile reflects the narrow, configuration-dependent attack surface.
Broken authorization in the Aqara Cloud Production API (open-cn.aqara.com/v3.0/open/api) allows any valid developer token to operate against arbitrary user accounts, breaking tenant isolation across the platform. Discovered and disclosed by runZero, the issue stems from missing authorization checks (CWE-862) and, when chained with CVE-2026-50082/50083/50085, enables fully unauthenticated remote takeover of affected smart-home devices. No public exploit identified at time of analysis, though a related researcher repository is referenced in the advisory.
Blind SQL injection in Fleet MDM's Apple MDM commands endpoint allows authenticated Observer-role users to exfiltrate sensitive database column values - including host enrollment secrets, node_key, orbit_node_key, and APNS tokens - via a cursor-based binary search oracle. The `GET /api/v1/fleet/mdm/apple/commands` endpoint accepted an unsanitized `order_key` parameter injected directly into an SQL ORDER BY clause without column validation, exposing all columns on the joined `hosts` and `nano_enrollments` tables. Extracted node_key values enable full host impersonation against Fleet's osquery and Orbit endpoints, making the effective impact materially higher than the 6.5 CVSS base score implies. No public exploit has been identified at time of analysis; vendor-released patch is available in Fleet 4.84.2.
{id}/hosts accepts the attacker-controlled order_key parameter without column allowlist validation, enabling character-by-character secret reconstruction without secrets ever appearing in response bodies. No public exploit has been identified at time of analysis and no CISA KEV listing was provided, but the attack is deterministic and scriptable against any Fleet deployment where Observer role is broadly granted.
Authentication bypass in Related Marketing Cloud (RMC) by Hedef Media Promotion Interactive Media Marketing Inc. exposes unauthenticated remote attackers to credential brute-forcing via a spoofing weakness (CWE-290), allowing them to circumvent authentication controls without prior access. All RMC versions through 12052026 are affected, and the CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms exploitation requires no privileges, no user interaction, and no special network positioning. No public exploit code or CISA KEV listing has been identified at time of analysis; the advisory originates from TR-CERT via the Turkish national cybersecurity authority.
Stored XSS in the Presto Player WordPress plugin (versions ≤ 4.2.0) lets authenticated contributors persist arbitrary JavaScript payloads by supplying a javascript: URI as the link_url parameter of the [presto_player_overlay] shortcode. The getOverlays() function in Shortcodes.php copies the attribute into overlay configuration without scheme validation, causing the URI to survive into the href attribute rendered by the presto-dynamic-overlay-ui Stencil.js web component; any visitor who loads the injected page triggers execution. No public exploit or CISA KEV listing has been identified at time of analysis, but the low attack complexity within the contributor-access constraint makes this a realistic risk on multi-author or membership-based WordPress installations.
Incorrect authorization in Nezha Monitoring's DDNS profile subsystem allows an authenticated low-privilege member to pre-populate their server record with nonexistent DDNS profile IDs, then hijack any future victim-owned DDNS profile whose auto-assigned ID collides with a pre-stored value. Affected versions span 2.0.14 through pre-2.1.0 of the self-hosted nezhahq/nezha platform. When the collision occurs, the DDNS worker dispatches DNS updates on behalf of the attacker's server using the victim's DDNS provider credentials and configuration, achieving cross-tenant DNS manipulation and disrupting the victim's legitimate DDNS service. No public exploit identified at time of analysis; vendor-released patch available in version 2.1.0.