LiveActive security incident?Get immediate response
CVE archive

January 2021

Browse CVE records published in January 2021, with severity, affected products, CWE, KEV, and source-backed vulnerability context.

Showing 50 of 2235 matching CVEs · Page 1 of 45.

High · CVSS 7.2

CVE-2021-47839: Marky 0.0.1 - Persistent Cross-Site Scripting

Marky 0.0.1 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts into markdown files. Attackers can upload crafted markdown files with embedded JavaScript payloads that execute when the file is opened, potentially enabling remote code execution.

Published Jan 16, 2026 · Updated Jun 30, 2026

Medium · CVSS 6.1

CVE-2021-47836: Markdown Explorer 0.1.1 - Persistent Cross-Site Scripting

Markdown Explorer 0.1.1 contains a cross-site scripting vulnerability that allows attackers to inject malicious code through file uploads and editor inputs. Attackers can upload markdown files with embedded JavaScript payloads to execute remote commands and potentially gain system access.

Published Jan 16, 2026 · Updated May 24, 2026

Medium · CVSS 5.4

CVE-2021-47817: OpenEMR 5.0.2.1 - Remote Code Execution

OpenEMR 5.0.2.1 contains a cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript through user profile parameters. Attackers can exploit the vulnerability by crafting a malicious payload to download and execute a web shell, enabling remote command execution on the vulnerable OpenEMR instance.

Published Jan 21, 2026 · Updated May 24, 2026

Medium · CVSS 6.1

CVE-2021-47750: YouPHPTube <= 7.8 - Cross-Site Scripting

YouPHPTube <= 7.8 contains a cross-site scripting vulnerability that allows attackers to inject malicious scripts through the redirectUri parameter in the signup page. Attackers can craft special signup URLs with embedded script tags to execute arbitrary JavaScript in victims' browsers when they access the signup page.

Published Jan 13, 2026 · Updated May 24, 2026

High · CVSS 8.6

CVE-2021-44793: Information Leakege via Unauthorized Access in Single Connect

Single Connect does not perform an authorization check when using the sc-reports-ui" module. A remote attacker could exploit this vulnerability to access the device configuration page and export the data to an external file. The exploitation of this vulnerability might allow a remote attacker to obtain sensitive information including the database credentials. Since the database runs with high privileges it is possible to execute commands with the attained credentials.

Published Jan 27, 2022 · Updated May 18, 2026

Medium · CVSS 5.3

CVE-2021-44794: Information Leakege via Unauthorized Access in Single Connect

Single Connect does not perform an authorization check when using the "sc-diagnostic-ui" module. A remote attacker could exploit this vulnerability to access the device information page. The exploitation of this vulnerability might allow a remote attacker to obtain sensitive information.

Published Jan 27, 2022 · Updated May 18, 2026

Medium · CVSS 5.3

CVE-2021-44795: Modifying User Permissions via Unauthorized Access in Single Connect

Single Connect does not perform an authorization check when using the "sc-assigned-credential-ui" module. A remote attacker could exploit this vulnerability to modify users permissions. The exploitation of this vulnerability might allow a remote attacker to delete permissions from other users without authenticating.

Published Jan 27, 2022 · Updated May 18, 2026

Medium · CVSS 5.3

CVE-2021-44792: Information Leakege via Unauthorized Access in Single Connect

Single Connect does not perform an authorization check when using the "log-monitor" module. A remote attacker could exploit this vulnerability to access the logging interface. The exploitation of this vulnerability might allow a remote attacker to obtain sensitive information.

Published Jan 27, 2022 · Updated May 18, 2026

High · CVSS 7.5

CVE-2021-47751: CuteEditor for PHP 6.6 - Directory Traversal

CuteEditor for PHP (now referred to as Rich Text Editor) 6.6 contains a directory traversal vulnerability in the browse template feature that allows attackers to write files to arbitrary web root directories. Attackers can exploit the ServerMapPath() function by renaming uploaded HTML files using directory traversal sequences to write files outside the intended template directory.

Published Jan 13, 2026 · Updated May 14, 2026

High · CVSS 8.7

CVE-2021-47749: YouPHPTube <= 7.8 - Directory Traversal

YouPHPTube <= 7.8 contains a local file inclusion vulnerability that allows unauthenticated attackers to access arbitrary files by manipulating the 'lang' parameter in GET requests. Attackers can exploit the path traversal flaw in locale/function.php to include and view PHP files outside the intended directory by using directory traversal sequences.

Published Jan 13, 2026 · Updated May 14, 2026

Medium · CVSS 4.8

CVE-2021-47870: GetSimple CMS My SMTP Contact Plugin 1.1.2 - Stored XSS

GetSimple CMS My SMTP Contact Plugin 1.1.2 suffers from a Stored Cross-Site Scripting (XSS) vulnerability. The plugin attempts to sanitize user input using htmlspecialchars(), but this can be bypassed by passing dangerous characters as escaped hex bytes. This allows attackers to inject arbitrary client-side code that executes in the administrator's browser when visiting a malicious page.

Published Jan 21, 2026 · Updated May 12, 2026

Medium · CVSS 6.8

CVE-2021-31567: WordPress Download Monitor plugin <= 4.4.6 - Authenticated Arbitrary File Download vulnerability

Authenticated (admin+) Arbitrary File Download vulnerability discovered in Download Monitor WordPress plugin (versions <= 4.4.6). The plugin allows arbitrary files, including sensitive configuration files such as wp-config.php, to be downloaded via the &downloadable_file_urls[0] parameter data. It's also possible to escape from the web server home directory and download any file within the OS.

Published Jan 28, 2022 · Updated Apr 28, 2026

Critical · CVSS 10

CVE-2021-4434: Social Warfare <= 3.5.2 - Remote Code Execution

The Social Warfare plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 3.5.2 via the 'swp_url' parameter. This allows attackers to execute code on the server.

Published Jan 17, 2024 · Updated Apr 8, 2026

High · CVSS 8.8

CVE-2021-47904: PhreeBooks 5.2.3 - Remote Code Execution

PhreeBooks 5.2.3 contains an authenticated file upload vulnerability in the Image Manager that allows remote code execution. Attackers can upload a malicious PHP web shell by exploiting unrestricted file type uploads to gain command execution on the server.

Published Jan 23, 2026 · Updated Apr 7, 2026

Critical · CVSS 9.8

CVE-2021-47891: Unified Remote 3.9.0.2463 - Remote Code Execution

Unified Remote 3.9.0.2463 contains a remote code execution vulnerability that allows attackers to send crafted network packets to execute arbitrary commands. Attackers can exploit the service by connecting to port 9512 and sending specially crafted packets to open a command prompt and download and execute malicious payloads.

Published Jan 23, 2026 · Updated Apr 7, 2026

High · CVSS 7.1

CVE-2021-47872: SEO Panel < 4.9.0 - 'order_col' Blind SQL Injection

SEO Panel versions prior to 4.9.0 contain a blind SQL injection vulnerability in the archive.php page that allows authenticated attackers to manipulate database queries through the 'order_col' parameter. Attackers can use sqlmap to exploit the vulnerability and extract database information by injecting malicious SQL code into the order column parameter.

Published Jan 21, 2026 · Updated Apr 7, 2026

High · CVSS 8.7

CVE-2021-47865: ProFTPD 1.3.7a - Remote Denial of Service

ProFTPD 1.3.7a contains a denial of service vulnerability that allows attackers to overwhelm the server by creating multiple simultaneous FTP connections. Attackers can repeatedly establish connections using threading to exhaust server connection limits and block legitimate user access.

Published Jan 21, 2026 · Updated Apr 7, 2026

High · CVSS 8.5

CVE-2021-47864: OSAS Traverse Extension 11 - 'travextensionhostsvc' Unquoted Service Path

OSAS Traverse Extension 11 contains an unquoted service path vulnerability in the TravExtensionHostSvc service running with LocalSystem privileges. Attackers can exploit the unquoted path to inject and execute malicious code by placing executable files in the service's path, potentially gaining elevated system access.

Published Jan 21, 2026 · Updated Apr 7, 2026

High · CVSS 8.5

CVE-2021-47863: MacPaw Encrypto 1.0.1 - 'Encrypto Service' Unquoted Service Path

MacPaw Encrypto 1.0.1 contains an unquoted service path vulnerability in its Encrypto Service configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in C:\Program Files\Encrypto\ to inject malicious executables and escalate privileges on Windows systems.

Published Jan 21, 2026 · Updated Apr 7, 2026

High · CVSS 8.5

CVE-2021-47860: GetSimple CMS Custom JS 0.1 - CSRF to XSS to RCE

GetSimple CMS Custom JS 0.1 plugin contains a cross-site request forgery vulnerability that allows unauthenticated attackers to inject arbitrary client-side code into administrator browsers. Attackers can craft a malicious website that triggers a cross-site scripting payload to execute remote code on the hosting server when an authenticated administrator visits the page.

Published Jan 21, 2026 · Updated Apr 7, 2026

High · CVSS 8.8

CVE-2021-47848: Blitar Tourism 1.0 - Authentication Bypass SQLi

Blitar Tourism 1.0 contains an authentication bypass vulnerability that allows attackers to bypass login by injecting SQL code through the username parameter. Attackers can manipulate the login request by sending a crafted username with SQL injection techniques to gain unauthorized administrative access.

Published Jan 21, 2026 · Updated Apr 7, 2026

High · CVSS 8.8

CVE-2021-47846: Digital Crime Report Management System 1.0 - SQL Injection

Digital Crime Report Management System 1.0 contains a critical SQL injection vulnerability affecting multiple login pages that allows unauthenticated attackers to bypass authentication. Attackers can exploit the vulnerability by sending crafted SQL injection payloads in email and password parameters across police, incharge, user, and HQ login endpoints.

Published Jan 21, 2026 · Updated Apr 7, 2026

Medium · CVSS 6.1

CVE-2021-47844: Xmind 2020 - Persistent Cross-Site Scripting

Xmind 2020 contains a cross-site scripting vulnerability that allows attackers to inject malicious payloads into mind mapping files or custom headers. Attackers can craft malicious files with embedded JavaScript that execute system commands when opened, enabling remote code execution through mouse interactions or file opening.

Published Jan 16, 2026 · Updated Apr 7, 2026

Medium · CVSS 5.1

CVE-2021-47830: GetSimple CMS My SMTP Contact Plugin 1.1.1 - CSRF

GetSimple CMS My SMTP Contact Plugin 1.1.1 contains a cross-site request forgery (CSRF) vulnerability. Attackers can craft a malicious webpage that, when visited by an authenticated administrator, can change SMTP configuration settings in the plugin. This may allow unauthorized changes but does not directly enable remote code execution.

Published Jan 21, 2026 · Updated Apr 7, 2026

Critical · CVSS 9.8

CVE-2021-47812: GravCMS 1.10.7 - Arbitrary YAML Write/Update (Unauthenticated) (2)

GravCMS 1.10.7 contains an unauthenticated vulnerability that allows remote attackers to write arbitrary YAML configuration and execute PHP code through the scheduler endpoint. Attackers can exploit the admin-nonce parameter to inject base64-encoded payloads and create malicious custom jobs with system command execution.

Published Jan 15, 2026 · Updated Apr 7, 2026

Medium · CVSS 5.4

CVE-2021-47808: Cotonti Siena 0.9.19 - 'maintitle' Stored Cross-Site Scripting

Cotonti Siena 0.9.19 contains a stored cross-site scripting vulnerability in the admin configuration panel's site title parameter. Attackers can inject malicious JavaScript code through the 'maintitle' parameter to execute scripts when administrators view the page.

Published Jan 15, 2026 · Updated Apr 7, 2026