Vulnerabilities (CVE)

Total 367136 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-41445 1 Dlink 2 Dir-x1860, Dir-x1860 Firmware 2026-07-09 4.3 MEDIUM 6.1 MEDIUM
A reflected cross-site-scripting attack in web application of D-Link DIR-X1860 before v1.10WWB09_Beta allows a remote unauthenticated attacker to execute code in the device of the victim via sending a specific URL to the unauthenticated victim.
CVE-2021-41442 1 Dlink 2 Dir-x1860, Dir-x1860 Firmware 2026-07-09 5.0 MEDIUM 7.5 HIGH
An HTTP smuggling attack in the web application of D-Link DIR-X1860 before v1.10WWB09_Beta allows a remote unauthenticated attacker to DoS the web application via sending a specific HTTP packet.
CVE-2021-41441 1 Dlink 2 Dir-x1860, Dir-x1860 Firmware 2026-07-09 7.1 HIGH 7.4 HIGH
A DoS attack in the web application of D-Link DIR-X1860 before v1.10WWB09_Beta allows a remote unauthenticated attacker to reboot the router via sending a specially crafted URL to an authenticated victim. The authenticated victim need to visit this URL, for the router to reboot.
CVE-2021-41436 1 Asus 36 Gt-ax11000, Gt-ax11000 Firmware, Rt-ax3000 and 33 more 2026-07-09 7.8 HIGH 7.5 HIGH
An HTTP request smuggling in web application in ASUS ROG Rapture GT-AX11000, RT-AX3000, RT-AX55, RT-AX56U, RT-AX56U_V2, RT-AX58U, RT-AX82U, RT-AX82U GUNDAM EDITION, RT-AX86 Series(RT-AX86U/RT-AX86S), RT-AX86U ZAKU II EDITION, RT-AX88U, RT-AX92U, TUF Gaming AX3000, TUF Gaming AX5400 (TUF-AX5400), ASUS ZenWiFi XD6, ASUS ZenWiFi AX (XT8) before 3.0.0.4.386.45898, and RT-AX68U before 3.0.0.4.386.45911, allows a remote unauthenticated attacker to DoS via sending a specially crafted HTTP packet.
CVE-2021-41435 1 Asus 36 Gt-ax11000, Gt-ax11000 Firmware, Rt-ax3000 and 33 more 2026-07-09 10.0 HIGH 9.8 CRITICAL
A brute-force protection bypass in CAPTCHA protection in ASUS ROG Rapture GT-AX11000, RT-AX3000, RT-AX55, RT-AX56U, RT-AX56U_V2, RT-AX58U, RT-AX82U, RT-AX82U GUNDAM EDITION, RT-AX86 Series(RT-AX86U/RT-AX86S), RT-AX86U ZAKU II EDITION, RT-AX88U, RT-AX92U, TUF Gaming AX3000, TUF Gaming AX5400 (TUF-AX5400), ASUS ZenWiFi XD6, ASUS ZenWiFi AX (XT8) before 3.0.0.4.386.45898, and RT-AX68U before 3.0.0.4.386.45911, allows a remote attacker to attempt any number of login attempts via sending a specific HTTP request.
CVE-2021-40906 2 Checkmk, Tribe29 2 Checkmk, Checkmk 2026-07-09 4.3 MEDIUM 6.1 MEDIUM
CheckMK Raw Edition software (versions 1.5.0 to 1.6.0) does not sanitise the input of a web service parameter that is in an unauthenticated zone. This Reflected XSS allows an attacker to open a backdoor on the device with HTML content and interpreted by the browser (such as JavaScript or other client-side scripts) or to steal the session cookies of a user who has previously authenticated via a man in the middle. Successful exploitation requires access to the web service resource without authentication.
CVE-2021-40905 2 Checkmk, Tribe29 2 Checkmk, Checkmk 2026-07-09 6.8 MEDIUM 8.8 HIGH
The web management console of CheckMK Enterprise Edition (versions 1.5.0 to 2.0.0p9) does not properly sanitise the uploading of ".mkp" files, which are Extension Packages, making remote code execution possible. Successful exploitation requires access to the web management interface, either with valid credentials or with a hijacked session of a user with administrator role. NOTE: the vendor states that this is the intended behavior: admins are supposed to be able to execute code in this manner.
CVE-2021-40904 1 Checkmk 1 Checkmk 2026-07-09 6.8 MEDIUM 8.8 HIGH
The web management console of CheckMK Raw Edition (versions 1.5.0 to 1.6.0) allows a misconfiguration of the web-app Dokuwiki (installed by default), which allows embedded php code. As a result, remote code execution is achieved. Successful exploitation requires access to the web management interface, either with valid credentials or with a hijacked session by a user with the role of administrator.
CVE-2021-40650 1 Softwareag 1 Connx 2026-07-09 4.3 MEDIUM 6.5 MEDIUM
In Connx Version 6.2.0.1269 (20210623), a cookie can be issued by the application and not have the secure flag set.
CVE-2021-40649 1 Softwareag 1 Connx 2026-07-09 6.4 MEDIUM 6.5 MEDIUM
In Connx Version 6.2.0.1269 (20210623), a cookie can be issued by the application and not have the HttpOnly flag set.
CVE-2021-40639 1 Jflyfox 1 Jfinal Cms 2026-07-09 5.0 MEDIUM 7.5 HIGH
Improper access control in Jfinal CMS 5.1.0 allows attackers to access sensitive information via /classes/conf/db.properties&config=filemanager.config.js.
CVE-2021-40219 1 Bolt 1 Bolt Cms 2026-07-09 6.5 MEDIUM 8.8 HIGH
Bolt CMS <= 4.2 is vulnerable to Remote Code Execution. Unsafe theme rendering allows an authenticated attacker to edit theme to inject server-side template injection that leads to remote code execution.
CVE-2021-3380 1 Height8tech 1 H8 Ssrms 2026-07-09 4.0 MEDIUM 6.5 MEDIUM
Insecure direct object reference (IDOR) vulnerability in ICREM H8 SSRMS allows attackers to disclose sensitive information via the Print Invoice Functionality.
CVE-2021-3305 1 Feishu 1 Feishu 2026-07-09 N/A 7.8 HIGH
Beijing Feishu Technology Co., Ltd Feishu v3.40.3 was discovered to contain an untrusted search path vulnerability.
CVE-2021-3294 1 Casap Automated Enrollment System Project 1 Casap Automated Enrollment System 2026-07-09 3.5 LOW 5.4 MEDIUM
CASAP Automated Enrollment System 1.0 is affected by cross-site scripting (XSS) in users.php. An attacker can steal a cookie to perform user redirection to a malicious website.
CVE-2021-3262 1 Trispark 2 Novusedu, Veo Transportation 2026-07-09 N/A 9.8 CRITICAL
TripSpark VEO Transportation-2.2.x-XP_BB-20201123-184084 NovusEDU-2.2.x-XP_BB-20201123-184084 allows unsafe data inputs in POST body parameters from end users without sanitizing using server-side logic. It was possible to inject custom SQL commands into the "Student Busing Information" search queries.
CVE-2021-38269 1 Liferay 2 Digital Experience Platform, Liferay Portal 2026-07-09 3.5 LOW 5.4 MEDIUM
Cross-site scripting (XSS) vulnerability in the Gogo Shell module in Liferay Portal 7.1.0 through 7.3.6 and 7.4.0, and Liferay DXP 7.1 before fix pack 23, 7.2 before fix pack 13, and 7.3 before fix pack 2 allows remote attackers to inject arbitrary web script or HTML via the output of a Gogo Shell command.
CVE-2021-38268 1 Liferay 2 Digital Experience Platform, Liferay Portal 2026-07-09 4.0 MEDIUM 6.5 MEDIUM
The Dynamic Data Mapping module in Liferay Portal 7.0.0 through 7.3.6, and Liferay DXP 7.0 before fix pack 101, 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 2 incorrectly sets default permissions for site members, which allows remote authenticated users with the site member role to add and duplicate forms, via the UI or the API.
CVE-2021-38267 1 Liferay 2 Digital Experience Platform, Liferay Portal 2026-07-09 3.5 LOW 5.4 MEDIUM
Cross-site scripting (XSS) vulnerability in the Blogs module's edit blog entry page in Liferay Portal 7.3.2 through 7.3.6, and Liferay DXP 7.3 before fix pack 2 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_blogs_web_portlet_BlogsAdminPortlet_title and _com_liferay_blogs_web_portlet_BlogsAdminPortlet_subtitle parameter.
CVE-2021-38266 1 Liferay 2 Digital Experience Platform, Liferay Portal 2026-07-09 5.0 MEDIUM 7.5 HIGH
The Portal Security module in Liferay Portal 7.2.1 and earlier, and Liferay DXP 7.0 before fix pack 90, 7.1 before fix pack 17 and 7.2 before fix pack 5 does not correctly import users from LDAP, which allows remote attackers to prevent a legitimate user from authenticating by attempting to sign in as a user that exist in LDAP.