Medium · CVSS 6.7
A crafted NTFS image can cause out-of-bounds reads in ntfs_attr_find and ntfs_external_attr_find in NTFS-3G < 2021.8.22.
Published Sep 7, 2021 · Updated Dec 2, 2025
Medium · CVSS 6.7
A crafted NTFS image can trigger an out-of-bounds access, caused by an unsanitized attribute length in ntfs_inode_lookup_by_name, in NTFS-3G < 2021.8.22.
Published Sep 7, 2021 · Updated Dec 2, 2025
Medium · CVSS 6.7
A crafted NTFS image can cause an out-of-bounds access in ntfs_inode_sync_standard_information in NTFS-3G < 2021.8.22.
Published Sep 7, 2021 · Updated Dec 2, 2025
Medium · CVSS 6.7
A crafted NTFS image can cause an out-of-bounds access in ntfs_decompress in NTFS-3G < 2021.8.22.
Published Sep 7, 2021 · Updated Dec 2, 2025
Medium · CVSS 6.7
A crafted NTFS image can trigger a heap-based buffer overflow, caused by an unsanitized attribute in ntfs_get_attribute_value, in NTFS-3G < 2021.8.22.
Published Sep 7, 2021 · Updated Dec 2, 2025
Medium · CVSS 4.7
Layer 2 network filtering capabilities such as IPv6 RA guard can be bypassed using LLC/SNAP headers with invalid length and Ethernet to Wifi frame conversion (and optionally VLAN0 headers).
Published Sep 27, 2022 · Updated Nov 4, 2025
Medium · CVSS 4.7
Layer 2 network filtering capabilities such as IPv6 RA guard can be bypassed using LLC/SNAP headers with invalid length (and optionally VLAN0 headers)
Published Sep 27, 2022 · Updated Nov 4, 2025
Medium · CVSS 4.7
Layer 2 network filtering capabilities such as IPv6 RA guard can be bypassed using combinations of VLAN 0 headers, LLC/SNAP headers, and converting frames from Ethernet to Wifi and its reverse.
Published Sep 27, 2022 · Updated Nov 4, 2025
Medium · CVSS 4.7
Layer 2 network filtering capabilities such as IPv6 RA guard or ARP inspection can be bypassed using combinations of VLAN 0 headers and LLC/SNAP headers.
Published Sep 27, 2022 · Updated Nov 4, 2025
Unknown · CVSS Not scored
In Pure-FTPd before 1.0.50, an incorrect max_filesize quota mechanism in the server allows attackers to upload files of unbounded size, which may lead to denial of service or a server hang. This occurs because a certain greater-than-zero test does not anticipate an initial -1 value. (Versions 1.0.23 through 1.0.49 are affected.)
Published Sep 5, 2021 · Updated Nov 4, 2025
High · CVSS 7.5
sqlparse is a non-validating SQL parser module for Python. In sqlparse versions 0.4.0 and 0.4.1 there is a regular Expression Denial of Service in sqlparse vulnerability. The regular expression may cause exponential backtracking on strings containing many repetitions of '\r\n' in SQL comments. Only the formatting feature that removes comments from SQL statements is affected by this regular expression. As a workaround don't use the sqlformat.format function with keyword strip_comments=True or the --strip-comments command line flag when using the sqlformat command line tool. The issues has been fixed in sqlparse 0.4.2.
Published Sep 20, 2021 · Updated Nov 3, 2025
Medium · CVSS 5.5
XMP Toolkit SDK versions 2021.07 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published Sep 29, 2021 · Updated Nov 3, 2025
High · CVSS 7.8
XMP Toolkit SDK version 2020.1 (and earlier) is affected by a stack-based buffer overflow vulnerability potentially resulting in arbitrary code execution in the context of the current user. Exploitation requires user interaction in that a victim must open a crafted file.
Published Sep 1, 2021 · Updated Nov 3, 2025
High · CVSS 7.8
XMP Toolkit version 2020.1 (and earlier) is affected by a Buffer Underflow vulnerability which could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published Sep 1, 2021 · Updated Nov 3, 2025
Medium · CVSS 5.5
XMP Toolkit SDK version 2020.1 (and earlier) is affected by an Integer Overflow vulnerability potentially resulting in application-level denial of service in the context of the current user. Exploitation requires user interaction in that a victim must open a crafted file.
Published Sep 1, 2021 · Updated Nov 3, 2025
Medium · CVSS 4
XMP Toolkit SDK version 2020.1 (and earlier) is affected by a write-what-where condition vulnerability caused during the application's memory allocation process. This may cause the memory management functions to become mismatched resulting in local application denial of service in the context of the current user.
Published Sep 1, 2021 · Updated Nov 3, 2025
Medium · CVSS 5.5
XMP Toolkit SDK version 2020.1 (and earlier) is affected by a buffer overflow vulnerability potentially resulting in arbitrary code execution in the context of the current user. Exploitation requires user interaction in that a victim must open a crafted file.
Published Sep 1, 2021 · Updated Nov 3, 2025
High · CVSS 7.8
XMP Toolkit SDK versions 2020.1 (and earlier) are affected by a use-after-free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published Sep 1, 2021 · Updated Nov 3, 2025
Low · CVSS 3.3
XMP Toolkit SDK version 2020.1 (and earlier) is affected by a buffer overflow vulnerability potentially resulting in local application denial of service in the context of the current user. Exploitation requires user interaction in that a victim must open a crafted file.
Published Sep 1, 2021 · Updated Nov 3, 2025
Low · CVSS 3.3
XMP Toolkit SDK versions 2020.1 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of arbitrary memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published Sep 1, 2021 · Updated Nov 3, 2025
High · CVSS 7.8
XMP Toolkit version 2020.1 (and earlier) is affected by a memory corruption vulnerability, potentially resulting in arbitrary code execution in the context of the current user. User interaction is required to exploit this vulnerability.
Published Sep 1, 2021 · Updated Nov 3, 2025
High · CVSS 7.8
XMP Toolkit SDK version 2020.1 (and earlier) is affected by a buffer overflow vulnerability potentially resulting in arbitrary code execution in the context of the current user. Exploitation requires user interaction in that a victim must open a crafted file.
Published Sep 1, 2021 · Updated Nov 3, 2025
High · CVSS 7.8
XMP Toolkit SDK version 2020.1 (and earlier) is affected by an Improper Input Validation vulnerability potentially resulting in arbitrary code execution in the context of the current user. Exploitation requires user interaction in that a victim must open a crafted file.
Published Sep 1, 2021 · Updated Nov 3, 2025
High · CVSS 7.8
XMP Toolkit SDK version 2020.1 (and earlier) is affected by an Improper Input Validation vulnerability potentially resulting in arbitrary code execution in the context of the current user. Exploitation requires user interaction in that a victim must open a crafted file.
Published Sep 1, 2021 · Updated Nov 3, 2025
High · CVSS 7.8
XMP Toolkit version 2020.1 (and earlier) is affected by a memory corruption vulnerability, potentially resulting in arbitrary code execution in the context of the current user. User interaction is required to exploit this vulnerability.
Published Sep 1, 2021 · Updated Nov 3, 2025
Low · CVSS 3.3
XMP Toolkit SDK versions 2020.1 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of arbitrary memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published Sep 1, 2021 · Updated Nov 3, 2025
Critical · CVSS 9.8 · CISA KEV
Zoho ManageEngine ServiceDesk Plus before 11302 is vulnerable to authentication bypass that allows a few REST-API URLs without authentication.
Published Sep 1, 2021 · Updated Oct 21, 2025
Critical · CVSS 9.6 · CISA KEV
Acrobat Reader DC versions versions 2021.001.20150 (and earlier), 2020.001.30020 (and earlier) and 2017.011.30194 (and earlier) are affected by a Use After Free vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published Sep 2, 2021 · Updated Oct 21, 2025
Critical · CVSS 9.8 · CISA KEV
Zoho ManageEngine ADSelfService Plus version 6113 and prior is vulnerable to REST API authentication bypass with resultant remote code execution.
Published Sep 7, 2021 · Updated Oct 21, 2025
High · CVSS 8.8 · CISA KEV
A memory corruption issue was addressed with improved state management. This issue is fixed in iOS 12.5.4. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited..
Published Sep 8, 2021 · Updated Oct 21, 2025
High · CVSS 8.8 · CISA KEV
A use after free issue was addressed with improved memory management. This issue is fixed in iOS 12.5.4. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited..
Published Sep 8, 2021 · Updated Oct 21, 2025
High · CVSS 8.8 · CISA KEV
A memory corruption issue was addressed with improved state management. This issue is fixed in watchOS 7.4.1, iOS 14.5.1 and iPadOS 14.5.1, tvOS 14.6, iOS 12.5.3, macOS Big Sur 11.3.1. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited..
Published Sep 8, 2021 · Updated Oct 21, 2025
High · CVSS 8.8 · CISA KEV
A buffer overflow issue was addressed with improved memory handling. This issue is fixed in iOS 12.5.3. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited..
Published Sep 8, 2021 · Updated Oct 21, 2025
High · CVSS 7.8 · CISA KEV
A permissions issue was addressed with improved validation. This issue is fixed in macOS Big Sur 11.4. A malicious application may be able to bypass Privacy preferences. Apple is aware of a report that this issue may have been actively exploited..
Published Sep 8, 2021 · Updated Oct 21, 2025
High · CVSS 8.8 · CISA KEV
A use after free issue was addressed with improved memory management. This issue is fixed in Safari 14.1, iOS 12.5.3, iOS 14.5 and iPadOS 14.5, watchOS 7.4, tvOS 14.5, macOS Big Sur 11.3. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited..
Published Sep 8, 2021 · Updated Oct 21, 2025
Medium · CVSS 5.5 · CISA KEV
A logic issue was addressed with improved state management. This issue is fixed in macOS Big Sur 11.3, Security Update 2021-002 Catalina. A malicious application may bypass Gatekeeper checks. Apple is aware of a report that this issue may have been actively exploited..
Published Sep 8, 2021 · Updated Oct 21, 2025
High · CVSS 7.8 · CISA KEV
An integer overflow was addressed with improved input validation. This issue is fixed in iOS 14.5.1 and iPadOS 14.5.1, tvOS 14.6, iOS 12.5.3, Safari 14.1.1, macOS Big Sur 11.3.1. Processing maliciously crafted web content may lead to arbitrary code execution.
Published Sep 8, 2021 · Updated Oct 21, 2025
Critical · CVSS 9.8 · CISA KEV
An issue was discovered in Aviatrix Controller 6.x before 6.5-1804.1922. Unrestricted upload of a file with a dangerous type is possible, which allows an unauthenticated user to execute arbitrary code via directory traversal.
Published Sep 13, 2021 · Updated Oct 21, 2025
Critical · CVSS 9.9 · CISA KEV
SAP NetWeaver (Visual Composer 7.0 RT) versions - 7.30, 7.31, 7.40, 7.50, without restriction, an attacker authenticated as a non-administrative user can upload a malicious file over a network and trigger its processing, which is capable of running operating system commands with the privilege of the Java Server process. These commands can be used to read or modify any information on the server or shut the server down making it unavailable.
Published Sep 14, 2021 · Updated Oct 21, 2025
High · CVSS 7.8 · CISA KEV
Windows Common Log File System Driver Elevation of Privilege Vulnerability
Published Sep 15, 2021 · Updated Oct 21, 2025
High · CVSS 7.8 · CISA KEV
Open Management Infrastructure Elevation of Privilege Vulnerability
Published Sep 15, 2021 · Updated Oct 21, 2025
High · CVSS 7.8 · CISA KEV
Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability
Published Sep 15, 2021 · Updated Oct 21, 2025
Critical · CVSS 9.8 · CISA KEV
Open Management Infrastructure Remote Code Execution Vulnerability
Published Sep 15, 2021 · Updated Oct 21, 2025
High · CVSS 7.8 · CISA KEV
Open Management Infrastructure Elevation of Privilege Vulnerability
Published Sep 15, 2021 · Updated Oct 21, 2025
High · CVSS 7 · CISA KEV
Open Management Infrastructure Elevation of Privilege Vulnerability
Published Sep 15, 2021 · Updated Oct 21, 2025
Critical · CVSS 9 · CISA KEV
A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier.
Published Sep 16, 2021 · Updated Oct 21, 2025
High · CVSS 7.8 · CISA KEV
Delta Electronic DOPSoft 2 (Version 2.00.07 and prior) lacks proper validation of user-supplied data when parsing specific project files. This could result in multiple out-of-bounds write instances. An attacker could leverage this vulnerability to execute code in the context of the current process.
Published Sep 17, 2021 · Updated Oct 21, 2025
Critical · CVSS 9.8 · CISA KEV
A command injection vulnerability in the web server of some Hikvision product. Due to the insufficient input validation, attacker can exploit the vulnerability to launch a command injection attack by sending some messages with malicious commands.
Published Sep 22, 2021 · Updated Oct 21, 2025
Critical · CVSS 9.8 · CISA KEV
The vCenter Server contains an arbitrary file upload vulnerability in the Analytics service. A malicious actor with network access to port 443 on vCenter Server may exploit this issue to execute code on vCenter Server by uploading a specially crafted file.
Published Sep 23, 2021 · Updated Oct 21, 2025
Medium · CVSS 5.3 · CISA KEV
Rhttproxy as used in vCenter Server contains a vulnerability due to improper implementation of URI normalization. A malicious actor with network access to port 443 on vCenter Server may exploit this issue to bypass proxy leading to internal endpoints being accessed.
Published Sep 23, 2021 · Updated Oct 21, 2025