LiveActive security incident?Get immediate response
CVE archive

September 2021

Browse CVE records published in September 2021, with severity, affected products, CWE, KEV, and source-backed vulnerability context.

Showing 50 of 1832 matching CVEs · Page 2 of 37.

Unknown · CVSS Not scored

CVE-2021-40524: In Pure-FTPd before 1.0.50, an incorrect max_filesize quota mechanism in the server allows attackers to upl...

In Pure-FTPd before 1.0.50, an incorrect max_filesize quota mechanism in the server allows attackers to upload files of unbounded size, which may lead to denial of service or a server hang. This occurs because a certain greater-than-zero test does not anticipate an initial -1 value. (Versions 1.0.23 through 1.0.49 are affected.)

Published Sep 5, 2021 · Updated Nov 4, 2025

High · CVSS 7.5

CVE-2021-32839: Regular Expression Denial of Service in sqlparse

sqlparse is a non-validating SQL parser module for Python. In sqlparse versions 0.4.0 and 0.4.1 there is a regular Expression Denial of Service in sqlparse vulnerability. The regular expression may cause exponential backtracking on strings containing many repetitions of '\r\n' in SQL comments. Only the formatting feature that removes comments from SQL statements is affected by this regular expression. As a workaround don't use the sqlformat.format function with keyword strip_comments=True or the --strip-comments command line flag when using the sqlformat command line tool. The issues has been fixed in sqlparse 0.4.2.

Published Sep 20, 2021 · Updated Nov 3, 2025

Medium · CVSS 5.5

CVE-2021-40716: XMP Toolkit SDK SVG_Adapter Out-of-bounds Read Information Disclosure

XMP Toolkit SDK versions 2021.07 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Published Sep 29, 2021 · Updated Nov 3, 2025

High · CVSS 7.8

CVE-2021-36064: XMP Toolkit SDK SVG_Adapter ParseFullNS Buffer Underflow

XMP Toolkit version 2020.1 (and earlier) is affected by a Buffer Underflow vulnerability which could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Published Sep 1, 2021 · Updated Nov 3, 2025

Low · CVSS 3.3

CVE-2021-36053: XMP Toolkit SDK Out-of-bounds Read Vulnerability In FindAndReadXMPChunk Could Lead To Information Exposure

XMP Toolkit SDK versions 2020.1 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of arbitrary memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Published Sep 1, 2021 · Updated Nov 3, 2025

Low · CVSS 3.3

CVE-2021-36045: XMP Toolkit SDK Out-of-bounds Read Vulnerability In PostScriptSupport::ConvertToDate Could Lead To Information Exposure

XMP Toolkit SDK versions 2020.1 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of arbitrary memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Published Sep 1, 2021 · Updated Nov 3, 2025

Critical · CVSS 9.6 · CISA KEV

CVE-2021-28550: Adobe Acrobat Reader use after free vulnerability could lead to arbitrary code execution

Acrobat Reader DC versions versions 2021.001.20150 (and earlier), 2020.001.30020 (and earlier) and 2017.011.30194 (and earlier) are affected by a Use After Free vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Published Sep 2, 2021 · Updated Oct 21, 2025

High · CVSS 8.8 · CISA KEV

CVE-2021-30665: A memory corruption issue was addressed with improved state management.

A memory corruption issue was addressed with improved state management. This issue is fixed in watchOS 7.4.1, iOS 14.5.1 and iPadOS 14.5.1, tvOS 14.6, iOS 12.5.3, macOS Big Sur 11.3.1. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited..

Published Sep 8, 2021 · Updated Oct 21, 2025

High · CVSS 7.8 · CISA KEV

CVE-2021-30713: A permissions issue was addressed with improved validation.

A permissions issue was addressed with improved validation. This issue is fixed in macOS Big Sur 11.4. A malicious application may be able to bypass Privacy preferences. Apple is aware of a report that this issue may have been actively exploited..

Published Sep 8, 2021 · Updated Oct 21, 2025

High · CVSS 8.8 · CISA KEV

CVE-2021-30661: A use after free issue was addressed with improved memory management.

A use after free issue was addressed with improved memory management. This issue is fixed in Safari 14.1, iOS 12.5.3, iOS 14.5 and iPadOS 14.5, watchOS 7.4, tvOS 14.5, macOS Big Sur 11.3. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited..

Published Sep 8, 2021 · Updated Oct 21, 2025

Medium · CVSS 5.5 · CISA KEV

CVE-2021-30657: A logic issue was addressed with improved state management.

A logic issue was addressed with improved state management. This issue is fixed in macOS Big Sur 11.3, Security Update 2021-002 Catalina. A malicious application may bypass Gatekeeper checks. Apple is aware of a report that this issue may have been actively exploited..

Published Sep 8, 2021 · Updated Oct 21, 2025

High · CVSS 7.8 · CISA KEV

CVE-2021-30663: An integer overflow was addressed with improved input validation.

An integer overflow was addressed with improved input validation. This issue is fixed in iOS 14.5.1 and iPadOS 14.5.1, tvOS 14.6, iOS 12.5.3, Safari 14.1.1, macOS Big Sur 11.3.1. Processing maliciously crafted web content may lead to arbitrary code execution.

Published Sep 8, 2021 · Updated Oct 21, 2025

Critical · CVSS 9.9 · CISA KEV

CVE-2021-38163: SAP NetWeaver (Visual Composer 7.0 RT) versions - 7.30, 7.31, 7.40, 7.50, without restriction, an attacker...

SAP NetWeaver (Visual Composer 7.0 RT) versions - 7.30, 7.31, 7.40, 7.50, without restriction, an attacker authenticated as a non-administrative user can upload a malicious file over a network and trigger its processing, which is capable of running operating system commands with the privilege of the Java Server process. These commands can be used to read or modify any information on the server or shut the server down making it unavailable.

Published Sep 14, 2021 · Updated Oct 21, 2025

Critical · CVSS 9 · CISA KEV

CVE-2021-40438: mod_proxy SSRF

A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier.

Published Sep 16, 2021 · Updated Oct 21, 2025

High · CVSS 7.8 · CISA KEV

CVE-2021-38406: Delta Electronics DOPSoft 2 Out-of-Bounds Write

Delta Electronic DOPSoft 2 (Version 2.00.07 and prior) lacks proper validation of user-supplied data when parsing specific project files. This could result in multiple out-of-bounds write instances. An attacker could leverage this vulnerability to execute code in the context of the current process.

Published Sep 17, 2021 · Updated Oct 21, 2025