Latest CVE Feed

The following is a list of the latest published vulnerabilities. You can filter the list by severity, by whether the vulnerability is actively exploited (also known as the CISA KEV list), or by whether it is remotely exploitable. You can also sort the list by published date, last updated date, or CVSS score.
  • 9.8

    CRITICAL
    CVE-2021-23909

    An issue was discovered in HERMES 2.1 in the MBUX Infotainment System on Mercedes-Benz vehicles through 2021. The SH2 MCU allows remote code execution....

    • Published: May. 13, 2021
    • Modified: Nov. 21, 2024
  • 9.8

    CRITICAL
    CVE-2021-23908

    An issue was discovered in the Headunit NTG6 in the MBUX Infotainment System on Mercedes-Benz vehicles through 2021. A type confusion issue affects MultiSvSetAttributes in the HiQnet Protocol, leading to remote code execution....

    • Published: May. 13, 2021
    • Modified: Nov. 21, 2024
  • 9.8

    CRITICAL
    CVE-2021-23847

    A Missing Authentication in Critical Function in Bosch IP cameras allows an unauthenticated remote attacker to extract sensitive information or change settings of the camera by sending crafted requests to the device. Only devices of the CPP6, CPP7 and CPP...

    • Published: Jun. 09, 2021
    • Modified: Nov. 21, 2024
  • 9.8

    CRITICAL
    CVE-2021-23682

    This affects the package litespeed.js before 0.3.12; the package appwrite/server-ce from 0.12.0 and before 0.12.2, before 0.11.1. When parsing the query string in the getJsonFromUrl function, the key that is set in the result object is not properly saniti...

    Affected Products : appwrite litespeed.js
    • Published: Feb. 16, 2022
    • Modified: Nov. 21, 2024
  • 9.8

    CRITICAL
    CVE-2021-23561

    All versions of package comb are vulnerable to Prototype Pollution via the deepMerge() function....

    Affected Products : comb
    • Published: Dec. 10, 2021
    • Modified: Nov. 21, 2024
  • 9.8

    CRITICAL
    CVE-2021-23792

    The package com.twelvemonkeys.imageio:imageio-metadata before 3.7.1 are vulnerable to XML External Entity (XXE) Injection due to an insecurely initialized XML parser for reading XMP Metadata. An attacker can exploit this vulnerability if they are able to ...

    Affected Products : twelvemonkeys
    • Published: May. 06, 2022
    • Modified: Nov. 21, 2024
  • 9.8

    CRITICAL
    CVE-2021-23558

    The package bmoor before 0.10.1 are vulnerable to Prototype Pollution due to missing sanitization in set function. **Note:** This vulnerability derives from an incomplete fix in [CVE-2020-7736](https://security.snyk.io/vuln/SNYK-JS-BMOOR-598664)...

    Affected Products : bmoor
    • Published: Jan. 28, 2022
    • Modified: Nov. 21, 2024
  • 9.8

    CRITICAL
    CVE-2021-23520

    The package juce-framework/juce before 6.1.5 are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) via the ZipFile::uncompressEntry function in juce_ZipFile.cpp. This vulnerability is triggered when the archive is extracted upon calling...

    Affected Products : juce
    • Published: Jan. 31, 2022
    • Modified: Nov. 21, 2024
  • 9.8

    CRITICAL
    CVE-2014-1477

    Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, and SeaMonkey before 2.24 allow remote attackers to cause a denial of service (memory corruption and applicat...

    • Published: Feb. 06, 2014
    • Modified: Apr. 11, 2025
  • 9.8

    CRITICAL
    CVE-2021-23518

    The package cached-path-relative before 1.1.0 are vulnerable to Prototype Pollution via the cache variable that is set as {} instead of Object.create(null) in the cachedPathRelative function, which allows access to the parent prototype properties when the...

    Affected Products : debian_linux cached-path-relative
    • Published: Jan. 21, 2022
    • Modified: Nov. 21, 2024
  • 9.8

    CRITICAL
    CVE-2021-23507

    The package object-path-set before 1.0.2 are vulnerable to Prototype Pollution via the setPath method, as it allows an attacker to merge object prototypes into it. *Note:* This vulnerability derives from an incomplete fix in https://security.snyk.io/vuln/...

    Affected Products : object-path-set
    • Published: Feb. 04, 2022
    • Modified: Nov. 21, 2024
  • 9.8

    CRITICAL
    CVE-2021-23760

    The package keyget from 0.0.0 are vulnerable to Prototype Pollution via the methods set, push, and at which could allow an attacker to cause a denial of service and may lead to remote code execution. **Note:** This vulnerability derives from an incomplete...

    Affected Products : keyget
    • Published: Jan. 28, 2022
    • Modified: Nov. 21, 2024
  • 9.8

    CRITICAL
    CVE-2021-23702

    The package object-extend from 0.0.0 are vulnerable to Prototype Pollution via object-extend....

    Affected Products : object-extend
    • Published: Feb. 18, 2022
    • Modified: Nov. 21, 2024
  • 9.8

    CRITICAL
    CVE-2021-23568

    The package extend2 before 1.0.1 are vulnerable to Prototype Pollution via the extend function due to unsafe recursive merge....

    Affected Products : extend2
    • Published: Jan. 10, 2022
    • Modified: Nov. 21, 2024
  • 9.8

    CRITICAL
    CVE-2021-23448

    All versions of package config-handler are vulnerable to Prototype Pollution when loading config files....

    Affected Products : config-handler
    • Published: Oct. 11, 2021
    • Modified: Nov. 21, 2024
  • 9.8

    CRITICAL
    CVE-2021-23442

    This affects all versions of package @cookiex/deep. The global proto object can be polluted using the __proto__ object....

    Affected Products : cookiex-deep
    • Published: Sep. 17, 2021
    • Modified: Nov. 21, 2024
  • 9.8

    CRITICAL
    CVE-2021-23428

    This affects all versions of package elFinder.NetCore. The Path.Combine(...) method is used to create an absolute file path. Due to missing sanitation of the user input and a missing check of the generated path it's possible to escape the Files directory v...

    Affected Products : elfinder.netcore
    • Published: Sep. 01, 2021
    • Modified: Nov. 21, 2024
  • 9.8

    CRITICAL
    CVE-2021-23433

    The package algoliasearch-helper before 3.6.2 are vulnerable to Prototype Pollution due to use of the merge function in src/SearchParameters/index.jsSearchParameters._parseNumbers without any protection against prototype properties. Note that this vulnera...

    Affected Products : algoliasearch-helper
    • Published: Nov. 19, 2021
    • Modified: Nov. 21, 2024
  • 9.8

    CRITICAL
    CVE-2021-23444

    This affects the package jointjs before 3.4.2. A type confusion vulnerability can lead to a bypass of CVE-2020-28480 when the user-provided keys used in the path parameter are arrays in the setByPath function....

    Affected Products : jointjs
    • Published: Sep. 21, 2021
    • Modified: Nov. 21, 2024
  • 9.8

    CRITICAL
    CVE-2021-23427

    This affects all versions of package elFinder.NetCore. The ExtractAsync function within the FileSystem is vulnerable to arbitrary extraction due to insufficient validation....

    Affected Products : elfinder.netcore
    • Published: Sep. 01, 2021
    • Modified: Nov. 21, 2024
Showing 20 of 293179 Results