CVEs from 2021
Total
6,257
critical
critical 272
high
high 976
medium
medium 1,141
low
low 135
% Critical
4.3%
% with KEV
3.4%
% with exploit
3.4%
Top products
- office 13
- 365_apps 6
- office_long_term_servicing_channel 6
- library_automation_system 5
- single_connect 4
- http_server 3
- solidfire 2
- student_information_management_system 2
| CVE | Severity | CVSS | Risk | Published | Description | Impact |
|---|---|---|---|---|---|---|
| CVE-2021-39935 | high | — | 9.5 | 4mo ago | GitLab Community and Enterprise Editions contain a server-side request forgery vulnerability which could allow unauthorized external users to perform Server Side Requests via the CI Lint API. | |
| CVE-2021-22555 | high | — | 9.5 | 8mo ago | Important: kernel security, bug fix, and enhancement update | |
| CVE-2021-43798 | high | — | 9.5 | 2y ago | Grafana contains a path traversal vulnerability that could allow access to local files. | |
| CVE-2021-3560 | high | — | 9.5 | 3y ago | Red Hat Polkit contains an incorrect authorization vulnerability through the bypassing of credential checks for D-Bus requests, allowing for privilege escalation. | |
| CVE-2021-30533 | high | — | 9.5 | 4y ago | Google Chromium PopupBlocker contains an insufficient policy enforcement vulnerability that allows a remote attacker to bypass navigation restrictions via a crafted iframe. This vulnerability could a… | |
| CVE-2021-4034 | high | — | 9.5 | 4y ago | Important: polkit security update | |
| CVE-2021-0920 | high | — | 9.5 | 4y ago | Important: kernel security, bug fix, and enhancement update | |
| CVE-2021-40438 | high | — | 9.5 | 5y ago | Important: httpd:2.4 security update | |
| CVE-2021-21206 | high | — | 9.5 | 5y ago | Google Chromium Blink contains a use-after-free vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple we… | |
| CVE-2021-37976 | high | — | 9.5 | 5y ago | Google Chromium contains an information disclosure vulnerability within the core memory component that allows a remote attacker to obtain potentially sensitive information from process memory via a c… | |
| CVE-2021-21193 | high | — | 9.5 | 5y ago | Google Chromium Blink contains a use-after-free vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple we… | |
| CVE-2021-38003 | high | — | 9.5 | 5y ago | Google Chromium V8 Engine has a bug in JSON.stringify, where the internal TheHole value can leak to script code, causing memory corruption. This vulnerability could affect multiple web browsers that … | |
| CVE-2021-30554 | high | — | 9.5 | 5y ago | Google Chromium WebGL contains a use-after-free vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple we… | |
| CVE-2021-37975 | high | — | 9.5 | 5y ago | Google Chromium V8 Engine contains a use-after-free vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multipl… | |
| CVE-2021-30563 | high | — | 9.5 | 5y ago | Google Chromium V8 Engine contains a type confusion vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multipl… | |
| CVE-2021-30633 | high | — | 9.5 | 5y ago | Google Chromium Indexed DB API contains a use-after-free vulnerability that allows a remote attacker, who has compromised the renderer process, to potentially perform a sandbox escape via a crafted H… | |
| CVE-2021-21220 | high | — | 9.5 | 5y ago | Google Chromium V8 Engine contains an improper input validation vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could af… | |
| CVE-2021-21166 | high | — | 9.5 | 5y ago | Google Chromium contains a race condition vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web brow… | |
| CVE-2021-37973 | high | — | 9.5 | 5y ago | Google Chromium Portals contains a use-after-free vulnerability that allows a remote attacker, who has compromised the renderer process, to potentially perform a sandbox escape via a crafted HTML pag… | |
| CVE-2021-41773 | high | — | 9.5 | 5y ago | Apache HTTP Server contains a path traversal vulnerability that allows an attacker to perform remote code execution if files outside directories configured by Alias-like directives are not under defa… | |
| CVE-2021-30632 | high | — | 9.5 | 5y ago | Google Chromium V8 Engine contains an out-of-bounds write vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect m… | |
| CVE-2021-21224 | high | — | 9.5 | 5y ago | Google Chromium V8 Engine contains a type confusion vulnerability that allows a remote attacker to execute code inside a sandbox via a crafted HTML page. This vulnerability could affect multiple web … | |
| CVE-2021-38000 | high | — | 9.5 | 5y ago | Google Chromium Intents contains an improper input validation vulnerability that allows a remote attacker to arbitrarily browser to a malicious URL via a crafted HTML page. This vulnerability could a… | |
| CVE-2021-39226 | high | — | 9.5 | 5y ago | Grafana contains an authentication bypass vulnerability that allows authenticated and unauthenticated users to view and delete all snapshot data, potentially resulting in complete snapshot data loss. | |
| CVE-2021-47979 | high | 8.8 | 8.8 | 11d ago | WordPress Plugin Backup and Restore 1.0.3 contains an arbitrary file deletion vulnerability that allows authenticated attackers to delete files by manipulating parameters in AJAX requests. Attackers … | |
| CVE-2021-47976 | high | 8.8 | 8.8 | 11d ago | TextPattern CMS 4.9.0-dev contains a remote code execution vulnerability that allows authenticated attackers to upload arbitrary PHP files by exploiting the plugin upload functionality. Attackers can… | |
| CVE-2021-47964 | high | 8.8 | 8.8 | 12d ago | Schlix CMS 2.2.6-6 contains a remote code execution vulnerability that allows authenticated attackers to execute arbitrary PHP code by uploading malicious extension packages through the block manager… | |
| CVE-2021-47949 | high | 8.8 | 8.8 | 18d ago | CyberPanel 2.1 contains a command execution vulnerability that allows authenticated attackers to read arbitrary files and execute remote code by exploiting symlink attacks through the filemanager con… | |
| CVE-2021-47943 | high | 8.8 | 8.8 | 18d ago | TextPattern CMS 4.8.7 contains a remote code execution vulnerability that allows authenticated attackers to execute arbitrary commands by uploading malicious PHP files through the file upload functio… | |
| CVE-2021-47939 | high | 8.8 | 8.8 | 18d ago | Evolution CMS 3.1.6 contains a remote code execution vulnerability that allows authenticated users with module creation permissions to execute arbitrary system commands by injecting PHP code into mod… | |
| CVE-2021-47938 | high | 8.8 | 8.8 | 18d ago | ImpressCMS 1.4.2 contains a remote code execution vulnerability in the autotasks administrative interface that allows authenticated attackers to execute arbitrary PHP code by injecting malicious code… | |
| CVE-2021-47937 | high | 8.8 | 8.8 | 18d ago | e107 CMS 2.3.0 contains a remote code execution vulnerability that allows authenticated users with theme installation permissions to execute arbitrary commands by uploading malicious theme files. Att… | |
| CVE-2021-47935 | high | 8.8 | 8.8 | 18d ago | Sentry 8.2.0 contains a remote code execution vulnerability that allows authenticated superusers to execute arbitrary commands by injecting malicious pickle-serialized objects through the audit log e… | |
| CVE-2021-3855 | high | 8.8 | 8.8 | 3y ago | Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Liman Central Management System Liman MYS (HTTP/Controllers, CronMail, Jobs modules) allows Comman… | |
| CVE-2021-44793 | high | 8.6 | 8.6 | 4y ago | Single Connect does not perform an authorization check when using the sc-reports-ui" module. A remote attacker could exploit this vulnerability to access the device configuration page and export the … | |
| CVE-2021-47956 | high | 8.2 | 8.2 | 11d ago | EgavilanMedia PHPCRUD 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the firstname parameter. Attackers… | |
| CVE-2021-47954 | high | 8.2 | 8.2 | 11d ago | LayerBB 1.1.4 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the search_query parameter. Attackers can send… | |
| CVE-2021-47966 | high | 8.2 | 8.2 | 12d ago | PHP Timeclock 1.04 contains time-based and boolean-based blind SQL injection vulnerabilities in the login_userid parameter of login.php that allows unauthenticated attackers to extract database conte… | |
| CVE-2021-47941 | high | 8.2 | 8.2 | 18d ago | WordPress Plugin Survey & Poll 1.5.7.3 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the wp_sap co… | |
| CVE-2021-47930 | high | 8.2 | 8.2 | 18d ago | Balbooa Joomla Forms Builder 2.0.6 contains an unauthenticated SQL injection vulnerability in the form submission handler that allows remote attackers to execute arbitrary SQL queries. Attackers can … | |
| CVE-2021-47928 | high | 8.2 | 8.2 | 18d ago | Opencart TMD Vendor System 3.x contains a blind SQL injection vulnerability that allows unauthenticated attackers to extract database information by injecting SQL code through the product_id paramete… | |
| CVE-2021-30521 | high | — | 8.0 | — | Heap buffer overflow in Autofill in Google Chrome on Android prior to 91.0.4472.77 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. | |
| CVE-2021-39931 | high | — | 8.0 | — | multiple issues in gitlab | |
| CVE-2021-39886 | high | — | 8.0 | — | multiple issues in gitlab | |
| CVE-2021-42322 | high | — | 8.0 | — | multiple issues in code | |
| CVE-2021-37959 | high | — | 8.0 | — | Use after free in Task Manager in Google Chrome prior to 94.0.4606.54 allowed an attacker who convinced a user to enage in a series of user gestures to potentially exploit heap corruption via a craft… | |
| CVE-2021-30588 | high | — | 8.0 | — | Type confusion in V8 in Google Chrome prior to 92.0.4515.107 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |
| CVE-2021-32749 | high | — | 8.0 | — | fail2ban is a daemon to ban hosts that cause multiple authentication errors. In versions 0.9.7 and prior, 0.10.0 through 0.10.6, and 0.11.0 through 0.11.2, there is a vulnerability that leads to poss… | |
| CVE-2021-30604 | high | — | 8.0 | — | Use after free in ANGLE in Google Chrome prior to 92.0.4515.159 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |
| CVE-2021-39941 | high | — | 8.0 | — | multiple issues in gitlab | |
| CVE-2021-39915 | high | — | 8.0 | — | multiple issues in gitlab | |
| CVE-2021-39884 | high | — | 8.0 | — | multiple issues in gitlab | |
| CVE-2021-39934 | high | — | 8.0 | — | multiple issues in gitlab | |
| CVE-2021-30556 | high | — | 8.0 | — | Use after free in WebAudio in Google Chrome prior to 91.0.4472.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |
| CVE-2021-39933 | high | — | 8.0 | — | multiple issues in gitlab | |
| CVE-2021-37980 | high | — | 8.0 | — | Inappropriate implementation in Sandbox in Google Chrome prior to 94.0.4606.81 allowed a remote attacker to potentially bypass site isolation via Windows. | |
| CVE-2021-39917 | high | — | 8.0 | — | multiple issues in gitlab | |
| CVE-2021-37957 | high | — | 8.0 | — | Use after free in WebGPU in Google Chrome prior to 94.0.4606.54 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |
| CVE-2021-30598 | high | — | 8.0 | — | Type confusion in V8 in Google Chrome prior to 92.0.4515.159 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. | |
| CVE-2021-30584 | high | — | 8.0 | — | Incorrect security UI in Downloads in Google Chrome on Android prior to 92.0.4515.107 allowed a remote attacker to perform domain spoofing via a crafted HTML page. | |
| CVE-2021-30575 | high | — | 8.0 | — | Out of bounds write in Autofill in Google Chrome prior to 92.0.4515.107 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML pa… | |
| CVE-2021-30592 | high | — | 8.0 | — | Out of bounds write in Tab Groups in Google Chrome prior to 92.0.4515.131 allowed an attacker who convinced a user to install a malicious extension to perform an out of bounds memory write via a craf… | |
| CVE-2021-30615 | high | — | 8.0 | — | Chromium: CVE-2021-30615 Cross-origin data leak in Navigation | |
| CVE-2021-37977 | high | — | 8.0 | — | Use after free in Garbage Collection in Google Chrome prior to 94.0.4606.81 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |
| CVE-2021-30597 | high | — | 8.0 | — | Use after free in Browser UI in Google Chrome on Chrome prior to 92.0.4515.131 allowed a remote attacker to potentially exploit heap corruption via physical access to the device. | |
| CVE-2021-39936 | high | — | 8.0 | — | multiple issues in gitlab | |
| CVE-2021-21174 | high | — | 8.0 | — | Inappropriate implementation in Referrer in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. | |
| CVE-2021-30612 | high | — | 8.0 | — | Chromium: CVE-2021-30612 Use after free in WebRTC | |
| CVE-2021-39913 | high | — | 8.0 | — | multiple issues in gitlab | |
| CVE-2021-30620 | high | — | 8.0 | — | Chromium: CVE-2021-30620 Insufficient policy enforcement in Blink | |
| CVE-2021-30506 | high | — | 8.0 | — | Incorrect security UI in Web App Installs in Google Chrome on Android prior to 90.0.4430.212 allowed an attacker who convinced a user to install a web application to inject scripts or HTML into a pri… | |
| CVE-2021-37958 | high | — | 8.0 | — | Inappropriate implementation in Navigation in Google Chrome on Windows prior to 94.0.4606.54 allowed a remote attacker to inject scripts or HTML into a privileged page via a crafted HTML page. | |
| CVE-2021-21185 | high | — | 8.0 | — | Insufficient policy enforcement in extensions in Google Chrome prior to 89.0.4389.72 allowed an attacker who convinced a user to install a malicious extension to obtain sensitive information via a cr… | |
| CVE-2021-21150 | high | — | 8.0 | — | Use after free in Downloads in Google Chrome on Windows prior to 88.0.4324.182 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted… | |
| CVE-2021-3551 | high | — | 8.0 | — | Important: pki-core:10.6 security update | |
| CVE-2021-21228 | high | — | 8.0 | — | Insufficient policy enforcement in extensions in Google Chrome prior to 90.0.4430.93 allowed an attacker who convinced a user to install a malicious extension to bypass navigation restrictions via a … | |
| CVE-2021-39912 | high | — | 8.0 | — | multiple issues in gitlab | |
| CVE-2021-21229 | high | — | 8.0 | — | Incorrect security UI in downloads in Google Chrome on Android prior to 90.0.4430.93 allowed a remote attacker to perform domain spoofing via a crafted HTML page. | |
| CVE-2021-21222 | high | — | 8.0 | — | Heap buffer overflow in V8 in Google Chrome prior to 90.0.4430.85 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. | |
| CVE-2021-30607 | high | — | 8.0 | — | Chromium: CVE-2021-30607 Use after free in Permissions | |
| CVE-2021-21227 | high | — | 8.0 | — | Insufficient data validation in V8 in Google Chrome prior to 90.0.4430.93 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |
| CVE-2021-30574 | high | — | 8.0 | — | Use after free in protocol handling in Google Chrome prior to 92.0.4515.107 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |
| CVE-2021-36377 | high | — | 8.0 | — | Fossil before 2.14.2 and 2.15.x before 2.15.2 often skips the hostname check during TLS certificate validation. | |
| CVE-2021-30568 | high | — | 8.0 | — | Heap buffer overflow in WebGL in Google Chrome prior to 92.0.4515.107 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |
| CVE-2021-37986 | high | — | 8.0 | — | Heap buffer overflow in Settings in Google Chrome prior to 95.0.4638.54 allowed a remote attacker to engage with Dev Tools to potentially exploit heap corruption via a crafted HTML page. | |
| CVE-2021-22945 | high | — | 8.0 | — | When sending data to an MQTT server, libcurl <= 7.73.0 and 7.78.0 could in some circumstances erroneously keep a pointer to an already freed memory area and both use that again in a subsequent call t… | |
| CVE-2021-21165 | high | — | 8.0 | — | Data race in audio in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |
| CVE-2021-22890 | high | — | 8.0 | — | curl 7.63.0 to and including 7.75.0 includes vulnerability that allows a malicious HTTPS proxy to MITM a connection due to bad handling of TLS 1.3 session tickets. When using a HTTPS proxy and TLS 1.… | |
| CVE-2021-21212 | high | — | 8.0 | — | Incorrect security UI in Network Config UI in Google Chrome on ChromeOS prior to 90.0.4430.72 allowed a remote attacker to potentially compromise WiFi connection security via a malicious WAP. | |
| CVE-2021-23970 | high | — | 8.0 | — | Context-specific code was included in a shared jump table; resulting in assertions being triggered in multithreaded wasm code. This vulnerability affects Firefox < 86. | |
| CVE-2021-21171 | high | — | 8.0 | — | Incorrect security UI in TabStrip and Navigation in Google Chrome on Android prior to 89.0.4389.72 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. | |
| CVE-2021-39899 | high | — | 8.0 | — | multiple issues in gitlab | |
| CVE-2021-21156 | high | — | 8.0 | — | Heap buffer overflow in V8 in Google Chrome prior to 88.0.4324.182 allowed a remote attacker to potentially exploit heap corruption via a crafted script. | |
| CVE-2021-21158 | high | — | 8.0 | — | insufficient validation in chromium | |
| CVE-2021-39904 | high | — | 8.0 | — | multiple issues in gitlab | |
| CVE-2021-22167 | high | — | 8.0 | — | multiple issues in gitlab | |
| CVE-2021-30593 | high | — | 8.0 | — | Out of bounds read in Tab Strip in Google Chrome prior to 92.0.4515.131 allowed an attacker who convinced a user to install a malicious extension to perform an out of bounds memory read via a crafted… | |
| CVE-2021-21172 | high | — | 8.0 | — | Insufficient policy enforcement in File System API in Google Chrome on Windows prior to 89.0.4389.72 allowed a remote attacker to bypass filesystem restrictions via a crafted HTML page. | |
| CVE-2021-32751 | high | — | 8.0 | — | Gradle is a build tool with a focus on build automation. In versions prior to 7.2, start scripts generated by the `application` plugin and the `gradlew` script are both vulnerable to arbitrary code e… | |
| CVE-2021-30623 | high | — | 8.0 | — | Chromium: CVE-2021-30623 Use after free in Bookmarks |