Latest CVE Feed

Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 7.5

    HIGH
    CVE-2021-23446

    The package handsontable before 10.0.0; the package handsontable from 0 and before 10.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) in Handsontable.helper.isNumeric function.... Read more

    Affected Products : handsontable
    • EPSS Score: %0.29
    • Published: Sep. 29, 2021
    • Modified: Nov. 21, 2024

  • 6.1

    MEDIUM
    CVE-2021-23445

    This affects the package datatables.net before 1.11.3. If an array is passed to the HTML escape entities function it would not have its contents escaped.... Read more

    Affected Products : datatables.net
    • EPSS Score: %0.74
    • Published: Sep. 27, 2021
    • Modified: Nov. 21, 2024

  • 9.8

    CRITICAL
    CVE-2021-23444

    This affects the package jointjs before 3.4.2. A type confusion vulnerability can lead to a bypass of CVE-2020-28480 when the user-provided keys used in the path parameter are arrays in the setByPath function.... Read more

    Affected Products : jointjs
    • EPSS Score: %1.54
    • Published: Sep. 21, 2021
    • Modified: Nov. 21, 2024

  • 6.1

    MEDIUM
    CVE-2021-23443

    This affects the package edge.js before 5.3.2. A type confusion vulnerability can be used to bypass input sanitization when the input to be rendered is an array (instead of a string or a SafeValue), even if {{ }} are used.... Read more

    Affected Products : edge
    • EPSS Score: %0.24
    • Published: Sep. 21, 2021
    • Modified: Nov. 21, 2024

  • 9.8

    CRITICAL
    CVE-2021-23442

    This affects all versions of package @cookiex/deep. The global proto object can be polluted using the __proto__ object.... Read more

    Affected Products : cookiex-deep
    • EPSS Score: %0.50
    • Published: Sep. 17, 2021
    • Modified: Nov. 21, 2024

  • 9.8

    CRITICAL
    CVE-2021-23440

    This affects the package set-value before <2.0.1, >=3.0.0 <4.0.1. A type confusion vulnerability can lead to a bypass of CVE-2019-10747 when the user-provided keys used in the path parameter are arrays.... Read more

    • EPSS Score: %0.06
    • Published: Sep. 12, 2021
    • Modified: Nov. 21, 2024

  • 6.1

    MEDIUM
    CVE-2021-23439

    This affects the package file-upload-with-preview before 4.2.0. A file containing malicious JavaScript code in the name can be uploaded (a user needs to be tricked into uploading such a file).... Read more

    • EPSS Score: %0.41
    • Published: Sep. 05, 2021
    • Modified: Nov. 21, 2024

  • 9.8

    CRITICAL
    CVE-2021-23438

    This affects the package mpath before 0.8.4. A type confusion vulnerability can lead to a bypass of CVE-2018-16490. In particular, the condition ignoreProperties.indexOf(parts[i]) !== -1 returns -1 if parts[i] is ['__proto__']. This is because the method ... Read more

    Affected Products : mpath
    • EPSS Score: %0.15
    • Published: Sep. 01, 2021
    • Modified: Nov. 21, 2024

  • 7.5

    HIGH
    CVE-2021-23437

    The package pillow 5.2.0 and before 8.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb function.... Read more

    Affected Products : fedora pillow
    • EPSS Score: %0.21
    • Published: Sep. 03, 2021
    • Modified: Nov. 21, 2024

  • 9.8

    CRITICAL
    CVE-2021-23436

    This affects the package immer before 9.0.6. A type confusion vulnerability can lead to a bypass of CVE-2020-28477 when the user-provided keys used in the path parameter are arrays. In particular, this bypass is possible because the condition (p === "__pr... Read more

    Affected Products : immer
    • EPSS Score: %0.15
    • Published: Sep. 01, 2021
    • Modified: Nov. 21, 2024

  • 7.6

    HIGH
    CVE-2021-23435

    This affects the package clearance before 2.5.0. The vulnerability can be possible when users are able to set the value of session[:return_to]. If the value used for return_to contains multiple leading slashes (/////example.com) the user ends up being red... Read more

    Affected Products : clearance
    • EPSS Score: %0.28
    • Published: Sep. 12, 2021
    • Modified: Nov. 21, 2024

  • 8.6

    HIGH
    CVE-2021-23434

    This affects the package object-path before 0.11.6. A type confusion vulnerability can lead to a bypass of CVE-2020-15256 when the path components used in the path parameter are arrays. In particular, the condition currentPath === '__proto__' returns fals... Read more

    Affected Products : debian_linux object-path
    • EPSS Score: %0.06
    • Published: Aug. 27, 2021
    • Modified: Nov. 21, 2024

  • 9.8

    CRITICAL
    CVE-2021-23433

    The package algoliasearch-helper before 3.6.2 are vulnerable to Prototype Pollution due to use of the merge function in src/SearchParameters/index.jsSearchParameters._parseNumbers without any protection against prototype properties. Note that this vulnera... Read more

    Affected Products : algoliasearch-helper
    • EPSS Score: %0.37
    • Published: Nov. 19, 2021
    • Modified: Nov. 21, 2024

  • 9.8

    CRITICAL
    CVE-2021-23432

    This affects all versions of package mootools. This is due to the ability to pass untrusted input to Object.merge()... Read more

    Affected Products : mootools mootools
    • EPSS Score: %0.30
    • Published: Aug. 24, 2021
    • Modified: Nov. 21, 2024

  • 8.8

    HIGH
    CVE-2021-23431

    The package joplin before 2.3.2 are vulnerable to Cross-site Request Forgery (CSRF) due to missing CSRF checks in various forms.... Read more

    Affected Products : joplin joplin
    • EPSS Score: %0.14
    • Published: Aug. 24, 2021
    • Modified: Nov. 21, 2024

  • 7.5

    HIGH
    CVE-2021-23430

    All versions of package startserver are vulnerable to Directory Traversal due to missing sanitization.... Read more

    Affected Products : startserver
    • EPSS Score: %0.43
    • Published: Aug. 24, 2021
    • Modified: Nov. 21, 2024

  • 7.5

    HIGH
    CVE-2021-23429

    All versions of package transpile are vulnerable to Denial of Service (DoS) due to a lack of input sanitization or whitelisting, coupled with improper exception handling in the .to() function.... Read more

    Affected Products : transpile
    • EPSS Score: %0.28
    • Published: Aug. 24, 2021
    • Modified: Nov. 21, 2024

  • 9.8

    CRITICAL
    CVE-2021-23428

    This affects all versions of package elFinder.NetCore. The Path.Combine(...) method is used to create an absolute file path. Due to missing sanitation of the user input and a missing check of the generated path its possible to escape the Files directory v... Read more

    Affected Products : elfinder.netcore
    • EPSS Score: %0.75
    • Published: Sep. 01, 2021
    • Modified: Nov. 21, 2024

  • 9.8

    CRITICAL
    CVE-2021-23427

    This affects all versions of package elFinder.NetCore. The ExtractAsync function within the FileSystem is vulnerable to arbitrary extraction due to insufficient validation.... Read more

    Affected Products : elfinder.netcore
    • EPSS Score: %0.63
    • Published: Sep. 01, 2021
    • Modified: Nov. 21, 2024

  • 7.5

    HIGH
    CVE-2021-23426

    This affects all versions of package Proto. It is possible to inject pollute the object property of an application using Proto by leveraging the merge function.... Read more

    Affected Products : proto
    • EPSS Score: %0.26
    • Published: Sep. 01, 2021
    • Modified: Nov. 21, 2024
Showing 20 of 290940 Results