CVEs from 2021

- Total: 6,258
- Critical: 272
- High: 976
- Medium: 1,141
- Low: 135
- % Critical: 4.3%
- % with KEV: 3.4%
- % with exploit: 3.4%
Top products
- office 13
- 365_apps 6
- office_long_term_servicing_channel 6
- library_automation_system 5
- single_connect 4
- http_server 3
- solidfire 2
- student_information_management_system 2
| CVE | Severity | CVSS | Risk | Published | Description | Impact |
|---|---|---|---|---|---|---|
| CVE-2021-3156 | critical | — | 10.0 | 4y ago | Sudo contains an off-by-one error that can result in a heap-based buffer overflow, which allows for privilege escalation. | |
| CVE-2021-4102 | critical | — | 10.0 | 5y ago | Google Chromium V8 Engine contains a use-after-free vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multipl… | |
| CVE-2021-44228 | critical | — | 10.0 | 5y ago | Apache Log4j2 contains a vulnerability where JNDI features do not protect against attacker-controlled JNDI-related endpoints, allowing for remote code execution. | |
| CVE-2021-21148 | critical | — | 10.0 | 5y ago | Google Chromium V8 Engine contains a heap buffer overflow vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect m… | |
| CVE-2021-22205 | critical | — | 10.0 | 5y ago | GitLab Community and Enterprise Editions that utilize the ability to upload images through GitLab Workhorse are vulnerable to remote code execution. Workhorse passes image file extensions through Exi… | |
| CVE-2021-30551 | critical | — | 10.0 | 5y ago | Google Chromium V8 Engine contains a type confusion vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multipl… | |
| CVE-2021-42013 | critical | — | 10.0 | 5y ago | Apache HTTP Server contains a path traversal vulnerability that allows an attacker to perform remote code execution if files outside directories configured by Alias-like directives are not under defa… | |
| CVE-2021-39935 | high | — | 9.5 | 4mo ago | GitLab Community and Enterprise Editions contain a server-side request forgery vulnerability which could allow unauthorized external users to perform Server Side Requests via the CI Lint API. | |
| CVE-2021-22555 | high | — | 9.5 | 8mo ago | Important: kernel security, bug fix, and enhancement update | |
| CVE-2021-43798 | high | — | 9.5 | 2y ago | Grafana contains a path traversal vulnerability that could allow access to local files. | |
| CVE-2021-3560 | high | — | 9.5 | 3y ago | Red Hat Polkit contains an incorrect authorization vulnerability through the bypassing of credential checks for D-Bus requests, allowing for privilege escalation. | |
| CVE-2021-4034 | high | — | 9.5 | 4y ago | Important: polkit security update | |
| CVE-2021-30533 | high | — | 9.5 | 4y ago | Google Chromium PopupBlocker contains an insufficient policy enforcement vulnerability that allows a remote attacker to bypass navigation restrictions via a crafted iframe. This vulnerability could a… | |
| CVE-2021-0920 | high | — | 9.5 | 4y ago | Important: kernel security, bug fix, and enhancement update | |
| CVE-2021-40438 | high | — | 9.5 | 5y ago | Important: httpd:2.4 security update | |
| CVE-2021-21206 | high | — | 9.5 | 5y ago | Google Chromium Blink contains a use-after-free vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple we… | |
| CVE-2021-37975 | high | — | 9.5 | 5y ago | Google Chromium V8 Engine contains a use-after-free vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multipl… | |
| CVE-2021-30632 | high | — | 9.5 | 5y ago | Google Chromium V8 Engine contains an out-of-bounds write vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect m… | |
| CVE-2021-38003 | high | — | 9.5 | 5y ago | Google Chromium V8 Engine has a bug in JSON.stringify, where the internal TheHole value can leak to script code, causing memory corruption. This vulnerability could affect multiple web browsers that … | |
| CVE-2021-21224 | high | — | 9.5 | 5y ago | Google Chromium V8 Engine contains a type confusion vulnerability that allows a remote attacker to execute code inside a sandbox via a crafted HTML page. This vulnerability could affect multiple web … | |
| CVE-2021-21166 | high | — | 9.5 | 5y ago | Google Chromium contains a race condition vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web brow… | |
| CVE-2021-21193 | high | — | 9.5 | 5y ago | Google Chromium Blink contains a use-after-free vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple we… | |
| CVE-2021-41773 | high | — | 9.5 | 5y ago | Apache HTTP Server contains a path traversal vulnerability that allows an attacker to perform remote code execution if files outside directories configured by Alias-like directives are not under defa… | |
| CVE-2021-30633 | high | — | 9.5 | 5y ago | Google Chromium Indexed DB API contains a use-after-free vulnerability that allows a remote attacker, who has compromised the renderer process, to potentially perform a sandbox escape via a crafted H… | |
| CVE-2021-37973 | high | — | 9.5 | 5y ago | Google Chromium Portals contains a use-after-free vulnerability that allows a remote attacker, who has compromised the renderer process, to potentially perform a sandbox escape via a crafted HTML pag… | |
| CVE-2021-37976 | high | — | 9.5 | 5y ago | Google Chromium contains an information disclosure vulnerability within the core memory component that allows a remote attacker to obtain potentially sensitive information from process memory via a c… | |
| CVE-2021-21220 | high | — | 9.5 | 5y ago | Google Chromium V8 Engine contains an improper input validation vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could af… | |
| CVE-2021-38000 | high | — | 9.5 | 5y ago | Google Chromium Intents contains an improper input validation vulnerability that allows a remote attacker to arbitrarily browse to a malicious URL via a crafted HTML page. This vulnerability could a… | |
| CVE-2021-30554 | high | — | 9.5 | 5y ago | Google Chromium WebGL contains a use-after-free vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple we… | |
| CVE-2021-30563 | high | — | 9.5 | 5y ago | Google Chromium V8 Engine contains a type confusion vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multipl… | |
| CVE-2021-39226 | high | — | 9.5 | 5y ago | Grafana contains an authentication bypass vulnerability that allows authenticated and unauthenticated users to view and delete all snapshot data, potentially resulting in complete snapshot data loss. | |
| CVE-2021-30952 | medium | — | 7.0 | 3mo ago | Moderate: webkit2gtk3 security, bug fix, and enhancement update | |
| CVE-2021-1789 | medium | — | 7.0 | 4y ago | Moderate: GNOME security, bug fix, and enhancement update | |
| CVE-2021-22204 | medium | — | 7.0 | 5y ago | Improper neutralization of user data in the DjVu file format in Exiftool versions 7.44 and up allows arbitrary code execution when parsing the malicious image | |
| CVE-2021-1871 | medium | — | 7.0 | 5y ago | Moderate: GNOME security, bug fix, and enhancement update | |
| CVE-2021-30666 | medium | — | 7.0 | 5y ago | Moderate: GNOME security, bug fix, and enhancement update | |
| CVE-2021-30761 | medium | — | 7.0 | 5y ago | Moderate: GNOME security, bug fix, and enhancement update | |
| CVE-2021-30663 | medium | — | 7.0 | 5y ago | Moderate: GNOME security, bug fix, and enhancement update | |
| CVE-2021-30665 | medium | — | 7.0 | 5y ago | Moderate: GNOME security, bug fix, and enhancement update | |
| CVE-2021-1870 | medium | — | 7.0 | 5y ago | Moderate: GNOME security, bug fix, and enhancement update | |
| CVE-2021-30858 | medium | — | 7.0 | 5y ago | Apple iOS, iPadOS, and macOS WebKit contain a use-after-free vulnerability that leads to code execution when processing maliciously crafted web content. This vulnerability could impact HTML parsers t… | |
| CVE-2021-30661 | medium | — | 7.0 | 5y ago | Moderate: GNOME security, bug fix, and enhancement update | |
| CVE-2021-30762 | medium | — | 7.0 | 5y ago | Moderate: GNOME security, bug fix, and enhancement update | |
| CVE-2021-22054 | unknown | — | 1.5 | 3mo ago | Omnissa Workspace One UEM formerly known as VMware Workspace One UEM contains a server-side request forgery (SSRF) vulnerability that could allow a malicious actor with network access to UEM to send … | |
| CVE-2021-22681 | unknown | — | 1.5 | 3mo ago | Multiple Rockwell products contain an insufficient protected credentials vulnerability. Studio 5000 Logix Designer software may allow a key to be discovered. This key is used to verify Logix controll… | |
| CVE-2021-22175 | unknown | — | 1.5 | 3mo ago | GitLab contains a server-side request forgery (SSRF) vulnerability when requests to the internal network for webhooks are enabled. | |
| CVE-2021-26828 | unknown | — | 1.5 | 6mo ago | OpenPLC ScadaBR contains an unrestricted upload of file with dangerous type vulnerability that allows remote authenticated users to upload and execute arbitrary JSP files via view_edit.shtm. | |
| CVE-2021-26829 | unknown | — | 1.5 | 6mo ago | OpenPLC ScadaBR contains a cross-site scripting vulnerability via system_settings.shtm. | |
| CVE-2021-43226 | unknown | — | 1.5 | 8mo ago | Microsoft Windows Common Log File System Driver contains a privilege escalation vulnerability that could allow a local, privileged attacker to bypass certain security mechanisms. | |
| CVE-2021-32030 | unknown | — | 1.5 | 1y ago | ASUS Lyra Mini and ASUS GT-AC2900 devices contain an improper authentication vulnerability that allows an attacker to gain unauthorized access to the administrative interface. The impacted products c… | |
| CVE-2021-20035 | unknown | — | 1.5 | 1y ago | SonicWall SMA100 appliances contain an OS command injection vulnerability in the management interface that allows a remote authenticated attacker to inject arbitrary commands as a 'nobody' user, whic… | |
| CVE-2021-44207 | unknown | — | 1.5 | 1y ago | Acclaim Systems USAHERDS contains a hard-coded credentials vulnerability that could allow an attacker to achieve remote code execution on the system that runs the application. The MachineKey must be … | |
| CVE-2021-40407 | unknown | — | 1.5 | 2y ago | Reolink RLC-410W IP cameras contain an authenticated OS command injection vulnerability in the device network settings functionality. | |
| CVE-2021-26086 | unknown | — | 1.5 | 2y ago | Atlassian Jira Server and Data Center contain a path traversal vulnerability that allows a remote attacker to read particular files in the /WEB-INF/web.xml endpoint. | |
| CVE-2021-41277 | unknown | — | 1.5 | 2y ago | Metabase contains a local file inclusion vulnerability in the custom map support in the API to read GeoJSON formatted data. | |
| CVE-2021-20124 | unknown | — | 1.5 | 2y ago | Draytek VigorConnect contains a path traversal vulnerability in the file download functionality of the WebServlet endpoint. An unauthenticated attacker could leverage this vulnerability to download a… | |
| CVE-2021-20123 | unknown | — | 1.5 | 2y ago | Draytek VigorConnect contains a path traversal vulnerability in the DownloadFileServlet endpoint. An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the un… | |
| CVE-2021-31196 | unknown | — | 1.5 | 2y ago | Microsoft Exchange Server contains an information disclosure vulnerability that allows for remote code execution. | |
| CVE-2021-33045 | unknown | — | 1.5 | 2y ago | Dahua IP cameras and related products contain an authentication bypass vulnerability when the loopback device is specified by the client during authentication. | |
| CVE-2021-33044 | unknown | — | 1.5 | 2y ago | Dahua IP cameras and related products contain an authentication bypass vulnerability when the NetKeyboard type argument is specified by the client during authentication. | |
| CVE-2021-40655 | unknown | — | 1.5 | 2y ago | D-Link DIR-605 routers contain an information disclosure vulnerability that allows attackers to obtain a username and password by forging a post request to the /getcfg.php page. | |
| CVE-2021-44529 | unknown | — | 1.5 | 2y ago | Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA) contains a code injection vulnerability that allows an unauthenticated user to execute malicious code with limited permissions (nobody). | |
| CVE-2021-36380 | unknown | — | 1.5 | 2y ago | Sunhillo SureLine contains an OS command injection vulnerability that allows an attacker to cause a denial-of-service or utilize the device for persistence on the network via shell metacharacters in … | |
| CVE-2021-29256 | unknown | — | 1.5 | 3y ago | Arm Mali GPU Kernel Driver contains a use-after-free vulnerability that may allow a non-privileged user to gain root privilege and/or disclose information. | |
| CVE-2021-25487 | unknown | — | 1.5 | 3y ago | Samsung mobile devices contain an out-of-bounds read vulnerability within the modem interface driver due to a lack of boundary checking of a buffer in set_skb_priv(), leading to remote code execution… | |
| CVE-2021-25372 | unknown | — | 1.5 | 3y ago | Samsung mobile devices contain an improper boundary check vulnerability within DSP driver that allows for out-of-bounds memory access. | |
| CVE-2021-25371 | unknown | — | 1.5 | 3y ago | Samsung mobile devices contain an unspecified vulnerability within DSP driver that allows attackers to load ELF libraries inside DSP. | |
| CVE-2021-25395 | unknown | — | 1.5 | 3y ago | Samsung mobile devices contain a race condition vulnerability within the MFC charger driver that leads to a use-after-free allowing for a write given a radio privilege is compromised. | |
| CVE-2021-25394 | unknown | — | 1.5 | 3y ago | Samsung mobile devices contain a race condition vulnerability within the MFC charger driver that leads to a use-after-free allowing for a write given a radio privilege is compromised. | |
| CVE-2021-25489 | unknown | — | 1.5 | 3y ago | Samsung mobile devices contain an improper input validation vulnerability within the modem interface driver that results in a format string bug leading to kernel panic. | |
| CVE-2021-44026 | unknown | — | 1.5 | 3y ago | Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or search_params. | |
| CVE-2021-27877 | unknown | — | 1.5 | 3y ago | Veritas Backup Exec (BE) Agent contains an improper authentication vulnerability that could allow an attacker unauthorized access to the BE Agent via SHA authentication scheme. | |
| CVE-2021-27876 | unknown | — | 1.5 | 3y ago | Veritas Backup Exec (BE) Agent contains a file access vulnerability that could allow an attacker to specially craft input parameters on a data management protocol command to access files on the BE Ag… | |
| CVE-2021-27878 | unknown | — | 1.5 | 3y ago | Veritas Backup Exec (BE) Agent contains a command execution vulnerability that could allow an attacker to use a data management protocol command to execute a command on the BE Agent machine. | |
| CVE-2021-30900 | unknown | — | 1.5 | 3y ago | Apple GPU drivers, included in iOS, iPadOS, and macOS, contain an out-of-bounds write vulnerability that may allow a malicious application to execute code with kernel privileges. | |
| CVE-2021-35587 | unknown | — | 1.5 | 4y ago | Oracle Fusion Middleware Access Manager allows an unauthenticated attacker with network access via HTTP to takeover the Access Manager product. | |
| CVE-2021-25337 | unknown | — | 1.5 | 4y ago | Samsung mobile devices contain an improper access control vulnerability in clipboard service which allows untrusted applications to read or write arbitrary files. This vulnerability was chained with … | |
| CVE-2021-25370 | unknown | — | 1.5 | 4y ago | Samsung mobile devices using Mali GPU contain an incorrect implementation handling file descriptor in dpu driver. This incorrect implementation results in memory corruption, leading to kernel panic. … | |
| CVE-2021-25369 | unknown | — | 1.5 | 4y ago | Samsung mobile devices using Mali GPU contain an improper access control vulnerability in sec_log file. Exploitation of the vulnerability exposes sensitive kernel information to the userspace. This … | |
| CVE-2021-3493 | unknown | — | 1.5 | 4y ago | The overlayfs stacking file system in Linux kernel does not properly validate the application of file capabilities against user namespaces, which could lead to privilege escalation. | |
| CVE-2021-31010 | unknown | — | 1.5 | 4y ago | In affected versions of Apple iOS, macOS, and watchOS, a sandboxed process may be able to circumvent sandbox restrictions. | |
| CVE-2021-38406 | unknown | — | 1.5 | 4y ago | Delta Electronics DOPSoft 2 lacks proper validation of user-supplied data when parsing specific project files (improper input validation) resulting in an out-of-bounds write that allows for code exec… | |
| CVE-2021-30983 | unknown | — | 1.5 | 4y ago | Apple iOS and iPadOS contain a buffer overflow vulnerability that could allow an application to execute code with kernel privileges. | |
| CVE-2021-38163 | unknown | — | 1.5 | 4y ago | SAP NetWeaver contains a vulnerability that allows unrestricted file upload. | |
| CVE-2021-30883 | unknown | — | 1.5 | 4y ago | Apple iOS, macOS, watchOS, and tvOS contain a memory corruption vulnerability that could allow for remote code execution. | |
| CVE-2021-1048 | unknown | — | 1.5 | 4y ago | Android kernel contains a use-after-free vulnerability that allows for privilege escalation. | |
| CVE-2021-41357 | unknown | — | 1.5 | 4y ago | Microsoft Win32k contains an unspecified vulnerability that allows for privilege escalation. | |
| CVE-2021-40450 | unknown | — | 1.5 | 4y ago | Microsoft Win32k contains an unspecified vulnerability that allows for privilege escalation. | |
| CVE-2021-42287 | unknown | — | 1.5 | 4y ago | Microsoft Active Directory Domain Services contains an unspecified vulnerability that allows for privilege escalation. | |
| CVE-2021-39793 | unknown | — | 1.5 | 4y ago | Google Pixel contains a possible out-of-bounds write due to a logic error in the code that could lead to local escalation of privilege. | |
| CVE-2021-22600 | unknown | — | 1.5 | 4y ago | Linux Kernel contains a flaw in the packet socket (AF_PACKET) implementation which could lead to incorrectly freeing memory. A local user could exploit this for denial-of-service (DoS) or possibly fo… | |
| CVE-2021-42278 | unknown | — | 1.5 | 4y ago | Microsoft Active Directory Domain Services contains an unspecified vulnerability that allows for privilege escalation. | |
| CVE-2021-27852 | unknown | — | 1.5 | 4y ago | Deserialization of Untrusted Data vulnerability in CheckboxWeb.dll of Checkbox Survey allows an unauthenticated remote attacker to execute arbitrary code. | |
| CVE-2021-31166 | unknown | — | 1.5 | 4y ago | Microsoft HTTP Protocol Stack contains a vulnerability in http.sys that allows for remote code execution. | |
| CVE-2021-45382 | unknown | — | 1.5 | 4y ago | A remote code execution vulnerability exists in routers of all series and H/W revisions via the DDNS function in the ncc2 binary file. | |
| CVE-2021-21551 | unknown | — | 1.5 | 4y ago | Dell dbutil driver contains an insufficient access control vulnerability which may lead to escalation of privileges, denial-of-service (DoS), or information disclosure. | |
| CVE-2021-34484 | unknown | — | 1.5 | 4y ago | Microsoft Windows User Profile Service contains an unspecified vulnerability that allows for privilege escalation. | |
| CVE-2021-28799 | unknown | — | 1.5 | 4y ago | QNAP NAS running HBS 3 contains an improper authorization vulnerability which can allow remote attackers to log in to a device. | |
| CVE-2021-26085 | unknown | — | 1.5 | 4y ago | Affected versions of Atlassian Confluence Server allow remote attackers to view restricted resources via a pre-authorization arbitrary file read vulnerability in the /s/ endpoint. | |
| CVE-2021-38646 | unknown | — | 1.5 | 4y ago | Microsoft Office Access Connectivity Engine contains an unspecified vulnerability which can allow for remote code execution. |