Latest CVE Feed

Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 9.8

    CRITICAL
    CVE-2021-23682

    This affects the package litespeed.js before 0.3.12; the package appwrite/server-ce from 0.12.0 and before 0.12.2, before 0.11.1. When parsing the query string in the getJsonFromUrl function, the key that is set in the result object is not properly saniti... Read more

    Affected Products : appwrite litespeed.js
    • EPSS Score: %5.38
    • Published: Feb. 16, 2022
    • Modified: Nov. 21, 2024

  • 6.1

    MEDIUM
    CVE-2021-23673

    This affects all versions of package pekeupload. If an attacker induces a user to upload a file whose name contains javascript code, the javascript code will be executed.... Read more

    Affected Products : pekeupload
    • EPSS Score: %0.24
    • Published: Nov. 22, 2021
    • Modified: Nov. 21, 2024

  • 8.6

    HIGH
    CVE-2021-23664

    The package @isomorphic-git/cors-proxy before 2.7.1 are vulnerable to Server-side Request Forgery (SSRF) due to missing sanitization and validation of the redirection action in middleware.js.... Read more

    Affected Products : cors-proxy
    • EPSS Score: %0.29
    • Published: Jan. 21, 2022
    • Modified: Nov. 21, 2024

  • 9.8

    CRITICAL
    CVE-2021-23663

    All versions of package sey are vulnerable to Prototype Pollution via the deepmerge() function.... Read more

    Affected Products : sey
    • EPSS Score: %0.48
    • Published: Dec. 10, 2021
    • Modified: Nov. 21, 2024

  • 9.8

    CRITICAL
    CVE-2021-23654

    This affects all versions of package html-to-csv. When there is a formula embedded in a HTML page, it gets accepted without any validation and the same would be pushed while converting it into a CSV file. Through this a malicious actor can embed or genera... Read more

    Affected Products : html-to-csv
    • EPSS Score: %1.43
    • Published: Nov. 26, 2021
    • Modified: Nov. 21, 2024

  • 6.1

    MEDIUM
    CVE-2021-23648

    The package @braintree/sanitize-url before 6.0.0 are vulnerable to Cross-site Scripting (XSS) due to improper sanitization in sanitizeUrl function.... Read more

    Affected Products : fedora braintree\/sanitize-url
    • EPSS Score: %0.12
    • Published: Mar. 16, 2022
    • Modified: Nov. 21, 2024

  • 9.8

    CRITICAL
    CVE-2021-23639

    The package md-to-pdf before 5.0.0 are vulnerable to Remote Code Execution (RCE) due to utilizing the library gray-matter to parse front matter content, without disabling the JS engine.... Read more

    Affected Products : markdown_to_pdf
    • EPSS Score: %18.12
    • Published: Dec. 10, 2021
    • Modified: Nov. 21, 2024

  • 9.8

    CRITICAL
    CVE-2021-23632

    All versions of package git are vulnerable to Remote Code Execution (RCE) due to missing sanitization in the Git.git method, which allows execution of OS commands rather than just git commands. Steps to Reproduce 1. Create a file named exploit.js with the... Read more

    Affected Products : git git
    • EPSS Score: %3.22
    • Published: Mar. 17, 2022
    • Modified: Nov. 21, 2024

  • 7.5

    HIGH
    CVE-2021-23631

    This affects all versions of package convert-svg-core; all versions of package convert-svg-to-png; all versions of package convert-svg-to-jpeg. Using a specially crafted SVG file, an attacker could read arbitrary files from the file system and then show t... Read more

    Affected Products : convert-svg-core
    • EPSS Score: %0.39
    • Published: Jan. 21, 2022
    • Modified: Nov. 21, 2024

  • 9.8

    CRITICAL
    CVE-2021-23624

    This affects the package dotty before 0.1.2. A type confusion vulnerability can lead to a bypass of CVE-2021-25912 when the user-provided keys used in the path parameter are arrays.... Read more

    Affected Products : dotty
    • EPSS Score: %0.43
    • Published: Nov. 03, 2021
    • Modified: Nov. 21, 2024

  • 7.5

    HIGH
    CVE-2021-23597

    This affects the package fastify-multipart before 5.3.1. By providing a name=constructor property it is still possible to crash the application. **Note:** This is a bypass of CVE-2020-8136 (https://security.snyk.io/vuln/SNYK-JS-FASTIFYMULTIPART-1290382).... Read more

    Affected Products : fastify-multipart
    • EPSS Score: %0.40
    • Published: Feb. 11, 2022
    • Modified: Nov. 21, 2024

  • 10.0

    CRITICAL
    CVE-2021-23594

    All versions of package realms-shim are vulnerable to Sandbox Bypass via a Prototype Pollution attack vector.... Read more

    Affected Products : realms-shim
    • EPSS Score: %0.56
    • Published: Jan. 10, 2022
    • Modified: Nov. 21, 2024

  • 9.8

    CRITICAL
    CVE-2021-23592

    The package topthink/framework before 6.0.12 are vulnerable to Deserialization of Untrusted Data due to insecure unserialize method in the Driver class.... Read more

    Affected Products : thinkphp
    • EPSS Score: %0.96
    • Published: May. 06, 2022
    • Modified: Nov. 21, 2024

  • 9.8

    CRITICAL
    CVE-2021-23574

    All versions of package js-data are vulnerable to Prototype Pollution via the deepFillIn and the set functions. This is an incomplete fix of [CVE-2020-28442](https://snyk.io/vuln/SNYK-JS-JSDATA-1023655).... Read more

    Affected Products : js-data
    • EPSS Score: %1.27
    • Published: Dec. 24, 2021
    • Modified: Nov. 21, 2024

  • 9.8

    CRITICAL
    CVE-2021-23568

    The package extend2 before 1.0.1 are vulnerable to Prototype Pollution via the extend function due to unsafe recursive merge.... Read more

    Affected Products : extend2
    • EPSS Score: %0.50
    • Published: Jan. 10, 2022
    • Modified: Nov. 21, 2024

  • 7.5

    HIGH
    CVE-2021-23567

    The package colors after 1.4.0 are vulnerable to Denial of Service (DoS) that was introduced through an infinite loop in the americanFlag module. Unfortunately this appears to have been a purposeful attempt by a maintainer of colors to make the package un... Read more

    Affected Products : colors.js
    • EPSS Score: %0.67
    • Published: Jan. 14, 2022
    • Modified: Nov. 21, 2024

  • 5.5

    MEDIUM
    CVE-2021-23566

    The package nanoid from 3.0.0 and before 3.1.31 are vulnerable to Information Exposure via the valueOf() function which allows to reproduce the last id generated.... Read more

    Affected Products : nanoid
    • EPSS Score: %0.03
    • Published: Jan. 14, 2022
    • Modified: Nov. 21, 2024

  • 8.8

    HIGH
    CVE-2021-23562

    This affects the package plupload before 2.3.9. A file name containing JavaScript code could be uploaded and run. An attacker would need to trick a user to upload this kind of file.... Read more

    Affected Products : plupload plupload
    • EPSS Score: %0.94
    • Published: Dec. 03, 2021
    • Modified: Nov. 21, 2024

  • 9.8

    CRITICAL
    CVE-2021-23561

    All versions of package comb are vulnerable to Prototype Pollution via the deepMerge() function.... Read more

    Affected Products : comb
    • EPSS Score: %0.48
    • Published: Dec. 10, 2021
    • Modified: Nov. 21, 2024

  • 9.8

    CRITICAL
    CVE-2021-23558

    The package bmoor before 0.10.1 are vulnerable to Prototype Pollution due to missing sanitization in set function. **Note:** This vulnerability derives from an incomplete fix in [CVE-2020-7736](https://security.snyk.io/vuln/SNYK-JS-BMOOR-598664)... Read more

    Affected Products : bmoor
    • EPSS Score: %0.68
    • Published: Jan. 28, 2022
    • Modified: Nov. 21, 2024
Showing 20 of 290943 Results