CVEs from 2021

4,841 normalized CVEs published or assigned in this year.

Total

4,841

critical

critical 279

high

high 1,005

medium

medium 1,166

low

low 138

% Critical

5.8%

% with KEV

4.4%

% with exploit

5.3%

Top vendors

Top packages

PyPI/tensorflow-cpu 885
PyPI/tensorflow 885
PyPI/tensorflow-gpu 885
Packagist/moodle/moodle 126
Packagist/magento/community-edition 124
Maven/com.liferay.portal:release.dxp.bom 82
PyPI/salt 74
Maven/org.jenkins-ci.main:jenkins-core 60

critical high medium low unknown

KEV Has exploit

Reset

CVE	Severity	CVSS	Risk	Published	Description
CVE-2021-21612	unknown	—	—	4y ago	Credentials stored in plain text by Jenkins TraceTronic ECU-TEST Plugin
CVE-2021-23267	unknown	—	—	4y ago	Crafter CMS Crafter Studio vulnerable to Improper Control of Dynamically-Managed Code Resources
CVE-2021-23265	unknown	—	—	4y ago	Improper Privilege Management in craftercms
CVE-2021-23266	unknown	—	—	4y ago	Log value insertion in craftercms
CVE-2021-23792	unknown	—	—	4y ago	External Entity Reference in TwelveMonkeys ImageIO
CVE-2021-40822	unknown	—	—	4y ago	GeoServer allows SSRF via the option for setting a proxy host
CVE-2021-3503	unknown	—	—	4y ago	Metrics exposure in Wildfly
CVE-2021-31805	unknown	—	—	4y ago	Expression Language Injection in Apache Struts
CVE-2021-44138	unknown	—	—	4y ago	Path Traversal in Caucho Resin
CVE-2021-43142	unknown	—	—	4y ago	Improper Restriction of XML External Entity Reference in wutka jox
CVE-2021-43090	unknown	—	—	4y ago	Improper Restriction of XML External Entity Reference in soa-model
CVE-2021-20323	unknown	—	—	4y ago	Cross-site Scripting in Keycloak
CVE-2021-30180	unknown	—	—	4y ago	Code injection in Apache Dubbo
CVE-2021-30179	unknown	—	—	4y ago	Deserialization of Untrusted Data in Apache Dubbo
CVE-2021-30181	unknown	—	—	4y ago	Code injection in Apache Dubbo
CVE-2021-25640	unknown	—	—	4y ago	Server-Side Request Forgery in Apache Dubbo
CVE-2021-25641	unknown	—	—	4y ago	Deserializer tampering in Apache Dubbo
CVE-2021-30638	unknown	—	—	4y ago	Information Exposure in Apache Tapestry
CVE-2021-21655	unknown	—	—	4y ago	Cross-Site Request Forgery in Jenkins P4 Plugin
CVE-2021-21656	unknown	—	—	4y ago	XML external entity (XXE) attacks in Jenkins Xcode integration Plugin
CVE-2021-23901	unknown	—	—	4y ago	XML external entity (XXE) injection in Apache Nutch
CVE-2021-22114	unknown	—	—	4y ago	Path Traversal in Spring-integration-zip
CVE-2021-44667	unknown	—	—	4y ago	Cross-site Scripting in Nacos
CVE-2021-38296	unknown	—	—	4y ago	Authentication Bypass by Capture-replay in Apache Spark
CVE-2021-44585	unknown	—	—	4y ago	Cross-site Scripting in jeecg-boot
CVE-2021-46384	unknown	—	—	4y ago	Remote code execution in net.mingsoft:ms-mcms
CVE-2021-3654	unknown	—	—	4y ago	A vulnerability was found in openstack-nova's console proxy, noVNC. By crafting a malicious URL, noVNC could be made to redirect to any desired URL.
CVE-2021-38266	unknown	—	—	4y ago	Liferay Portal and Liferay DXP fails to properly import users from LDAP
CVE-2021-38263	unknown	—	—	4y ago	Liferay Portal and Liferay DXP cross-site scripting (XSS) vulnerability via the script console
CVE-2021-38265	unknown	—	—	4y ago	Liferay Portal and Liferay DXP vulnerable to cross-site scripting (XSS)
CVE-2021-38264	unknown	—	—	4y ago	Liferay Portal vulnerable to cross-site scripting (XSS) via the keywords parameter
CVE-2021-38267	unknown	—	—	4y ago	Liferay Portal and Liferay DXP vulnerable to cross-site scripting (XSS) in edit blog entry page
CVE-2021-38269	unknown	—	—	4y ago	Liferay Portal and Liferay DXP vulnerable to cross-site scripting (XSS) in the Gogo Shell module
CVE-2021-38268	unknown	—	—	4y ago	Liferay Portal and Liferay DXP has incorrect default permissions for site members
CVE-2021-41193	unknown	—	—	4y ago	Use of Externally-Controlled Format String in wire-avs
CVE-2021-44550	unknown	—	—	4y ago	Access Control vulnerability within CoreNLP
CVE-2021-46037	unknown	—	—	4y ago	Path traversal in MCMS
CVE-2021-46036	unknown	—	—	4y ago	File upload leading to RCE in MCMS
CVE-2021-46063	unknown	—	—	4y ago	Server Side Template Injection in MCMS
CVE-2021-46062	unknown	—	—	4y ago	MCMS Arbitrary File Deletion vulnerability
CVE-2021-44868	unknown	—	—	4y ago	SQL injection in MCMS
CVE-2021-3127	unknown	—	—	4y ago	NATS Server 2.x before 2.2.0 and JWT library before 2.0.1 have Incorrect Access Control because Import Token bindings are mishandled.
CVE-2021-44521	unknown	—	—	4y ago	Apache Cassandra vulnerable to Code Injection due to unsafe configuration
CVE-2021-46365	unknown	—	—	4y ago	Improper Restriction of XML External Entity Reference in Magnolia CMS
CVE-2021-46363	unknown	—	—	4y ago	Arbitrary code execution in Magnolia CMS
CVE-2021-46364	unknown	—	—	4y ago	Deserialization of Untrusted Data in Magnolia CMS
CVE-2021-46366	unknown	—	—	4y ago	Cross-Site Request Forgery in Magnolia CMS
CVE-2021-46361	unknown	—	—	4y ago	Arbitrary code execution in Magnolia CMS
CVE-2021-31684	unknown	—	—	4y ago	Out of bounds read in json-smart
CVE-2021-43841	unknown	—	—	4y ago	Cross-site Scripting by SVG upload in xwiki-platform
CVE-2021-32732	unknown	—	—	4y ago	Cross-Site Request Forgery in xwiki-platform
CVE-2021-36152	unknown	—	—	4y ago	Apache Gobblin trusts all certificates used for LDAP connections in Gobblin-as-a-Service
CVE-2021-36151	unknown	—	—	4y ago	Hadoop token in temp file visible to all users in Apache Gobblin
CVE-2021-41571	unknown	—	—	4y ago	Improper Input Validation in Apache Pulsar
CVE-2021-42767	unknown	—	—	4y ago	Neo4j Graph Database vulnerable to Path Traversal
CVE-2021-43859	unknown	—	—	4y ago	Denial of Service by injecting highly recursive collections or maps in XStream
CVE-2021-23460	unknown	—	—	4y ago	Prototype pollution in min-dash
CVE-2021-41766	unknown	—	—	4y ago	Insecure Java Deserialization in Apache Karaf
CVE-2021-45029	unknown	—	—	4y ago	Code injection in ShenYu
CVE-2021-46383	unknown	—	—	4y ago	Mingsoft MCMS SQL injection vulnerability
CVE-2021-46386	unknown	—	—	4y ago	Mingsoft MCMS vulnerable to Remote Code Execution via file upload.
CVE-2021-46385	unknown	—	—	4y ago	Mingsoft MCMS SQL injection vulnerability
CVE-2021-46089	unknown	—	—	4y ago	SQL Injection in JeecgBoot
CVE-2021-23566	unknown	—	—	4y ago	The package nanoid from 3.0.0 and before 3.1.31 are vulnerable to Information Exposure via the valueOf() function which allows to reproduce the last id generated.
CVE-2021-42357	unknown	—	—	4y ago	Cross-site Scripting in Apache Knox SSO
CVE-2021-40525	unknown	—	—	4y ago	Path traversal in Apache James
CVE-2021-22060	unknown	—	—	4y ago	Log entry injection in Spring Framework
CVE-2021-43297	unknown	—	—	4y ago	Deserialization of Untrusted Data in Dubbo
CVE-2021-36739	unknown	—	—	5y ago	Cross-site Scripting in Apache Pluto
CVE-2021-36737	unknown	—	—	5y ago	Cross-site Scripting in Apache Pluto
CVE-2021-36738	unknown	—	—	5y ago	Cross-site Scripting in Apache Pluto
CVE-2021-45457	unknown	—	—	5y ago	In Apache Kylin, Cross-origin requests with credentials are allowed to be sent from any origin.
CVE-2021-45458	unknown	—	—	5y ago	Use of Hard-coded Credentials in Apache Kylin
CVE-2021-36774	unknown	—	—	5y ago	SQL Injection in Apache Kylin
CVE-2021-27738	unknown	—	—	5y ago	Server-Side Request Forgery in Apache Kylin
CVE-2021-31522	unknown	—	—	5y ago	Kylin can receive user input and load any class through Class.forName(...).
CVE-2021-45456	unknown	—	—	5y ago	Command Injection in Apache Kylin
CVE-2021-40111	unknown	—	—	5y ago	Infinite Loop in Apache James
CVE-2021-38542	unknown	—	—	5y ago	Command Injection in Apache James
CVE-2021-40110	unknown	—	—	5y ago	Denial of Service in Apache James
CVE-2021-44878	unknown	—	—	5y ago	Pac4j token validation bypass if OpenID Connect provider supports none algorithm
CVE-2021-23382	unknown	—	—	5y ago	The package postcss before 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused …
CVE-2021-22569	unknown	—	—	5y ago	A potential Denial of Service issue in protobuf-java
CVE-2021-41561	unknown	—	—	5y ago	Improper Input Validation in Parquet-MR
CVE-2021-42392	unknown	—	—	5y ago	RCE in H2 Console
CVE-2021-34797	unknown	—	—	5y ago	Insertion of Sensitive Information into Log File in Apache Geode
CVE-2021-44548	unknown	—	—	5y ago	Apache Solr Improper Input Validation and Path Traversal
CVE-2021-21667	unknown	—	—	5y ago	Stored XSS vulnerability in Jenkins Scriptler Plugin
CVE-2021-21668	unknown	—	—	5y ago	Stored XSS vulnerability in Jenkins Scriptler Plugin
CVE-2021-29061	unknown	—	—	5y ago	ReDOS in Vfsjfilechooser2
CVE-2021-30468	unknown	—	—	5y ago	Infinite loop in Apache CFX
CVE-2021-4133	unknown	—	—	5y ago	Improper Authorization in Keycloak
CVE-2021-44145	unknown	—	—	5y ago	Exposure of Sensitive Information to an Unauthorized Actor in Apache NiFi
CVE-2021-45943	unknown	—	—	5y ago	GDAL 3.3.0 through 3.4.0 has a heap-based buffer overflow in PCIDSK::CPCIDSKFile::ReadFromFile (called from PCIDSK::CPCIDSKSegment::ReadFromFile and PCIDSK::CPCIDSKBinarySegment::CPCIDSKBinarySegment…
CVE-2021-23264	unknown	—	—	5y ago	Exposure of Resource to Wrong Sphere in org.craftercms:crafter-search
CVE-2021-23463	unknown	—	—	5y ago	Improper Restriction of XML External Entity Reference in com.h2database:h2.
CVE-2021-44549	unknown	—	—	5y ago	Improper Certificate Validation and Improper Validation of Certificate with Host Mismatch in Apache Sling Commons Messaging Mail
CVE-2021-43113	unknown	—	—	5y ago	Command injection in itext7-core
CVE-2021-43821	unknown	—	—	5y ago	Files Accessible to External Parties in Opencast
CVE-2021-43807	unknown	—	—	5y ago	HTTP Method Spoofing

CVEs from 2021

Top vendors

Top products

Top packages