LiveActive security incident?Get immediate response
CVE archive

November 2021

Browse CVE records published in November 2021, with severity, affected products, CWE, KEV, and source-backed vulnerability context.

Showing 50 of 1519 matching CVEs · Page 1 of 31.

Unknown · CVSS Not scored

CVE-2021-41436: An HTTP request smuggling in web application in ASUS ROG Rapture GT-AX11000, RT-AX3000, RT-AX55, RT-AX56U,...

An HTTP request smuggling in web application in ASUS ROG Rapture GT-AX11000, RT-AX3000, RT-AX55, RT-AX56U, RT-AX56U_V2, RT-AX58U, RT-AX82U, RT-AX82U GUNDAM EDITION, RT-AX86 Series(RT-AX86U/RT-AX86S), RT-AX86U ZAKU II EDITION, RT-AX88U, RT-AX92U, TUF Gaming AX3000, TUF Gaming AX5400 (TUF-AX5400), ASUS ZenWiFi XD6, ASUS ZenWiFi AX (XT8) before 3.0.0.4.386.45898, and RT-AX68U before 3.0.0.4.386.45911, allows a remote unauthenticated attacker to DoS via sending a specially crafted HTTP packet.

Published Nov 19, 2021 · Updated Jul 9, 2026

Unknown · CVSS Not scored

CVE-2021-41435: A brute-force protection bypass in CAPTCHA protection in ASUS ROG Rapture GT-AX11000, RT-AX3000, RT-AX55, R...

A brute-force protection bypass in CAPTCHA protection in ASUS ROG Rapture GT-AX11000, RT-AX3000, RT-AX55, RT-AX56U, RT-AX56U_V2, RT-AX58U, RT-AX82U, RT-AX82U GUNDAM EDITION, RT-AX86 Series(RT-AX86U/RT-AX86S), RT-AX86U ZAKU II EDITION, RT-AX88U, RT-AX92U, TUF Gaming AX3000, TUF Gaming AX5400 (TUF-AX5400), ASUS ZenWiFi XD6, ASUS ZenWiFi AX (XT8) before 3.0.0.4.386.45898, and RT-AX68U before 3.0.0.4.386.45911, allows a remote attacker to attempt any number of login attempts via sending a specific HTTP request.

Published Nov 19, 2021 · Updated Jul 9, 2026

High · CVSS 8.7

CVE-2021-4463: Longjing Technology BEMS API <= 1.21 Remote Arbitrary File Download

Longjing Technology BEMS API versions up to and including 1.21 contains an unauthenticated arbitrary file download vulnerability in the 'downloads' endpoint. The 'fileName' parameter is not properly sanitized, allowing attackers to craft traversal sequences and access sensitive files outside the intended directory.

Published Nov 12, 2025 · Updated May 14, 2026

High · CVSS 8.6

CVE-2021-36916: WordPress Hide My WP premium plugin <= 6.2.3 - Unauthenticated SQL injection (SQLi) vulnerability

The SQL injection vulnerability in the Hide My WP WordPress plugin (versions <= 6.2.3) is possible because of how the IP address is retrieved and used inside a SQL query. The function "hmwp_get_user_ip" tries to retrieve the IP address from multiple headers, including IP address headers that the user can spoof, such as "X-Forwarded-For." As a result, the malicious payload supplied in one of these IP address headers will be directly inserted into the SQL query, making SQL injection possible.

Published Nov 24, 2021 · Updated Apr 28, 2026

High · CVSS 8.7

CVE-2021-4469: Denver SHO-110 IP Camera Unauthenticated Snapshot Access

Denver SHO-110 IP cameras expose a secondary HTTP service on TCP port 8001 that provides access to a '/snapshot' endpoint without authentication. While the primary web interface on port 80 enforces authentication, the backdoor service allows any remote attacker to retrieve image snapshots by directly requesting the 'snapshot' endpoint. An attacker can repeatedly collect snapshots and reconstruct the camera stream, compromising the confidentiality of the monitored environment.

Published Nov 14, 2025 · Updated Apr 7, 2026

High · CVSS 8.7

CVE-2021-4466: IPCop <= 2.1.9 Authenticated RCE

IPCop versions up to and including 2.1.9 contain an authenticated remote code execution vulnerability within the web-based administration interface. The email configuration component inserts user-controlled values, including the EMAIL_PW parameter, directly into system-level operations without proper input sanitation. By modifying the email password field to include shell metacharacters and issuing a save-and-test-mail action, an authenticated attacker can execute arbitrary operating system commands with the privileges of the web interface, resulting in full system compromise.

Published Nov 14, 2025 · Updated Apr 7, 2026

High · CVSS 8.7

CVE-2021-4465: ReQuest Serious Play F3 Media Server <= 7.0.3 Remote DoS

ReQuest Serious Play F3 Media Server versions 7.0.3.4968 (Pro), 7.0.2.4954, 6.5.2.4954, 6.4.2.4681, 6.3.2.4203, and 2.0.1.823 contain a remote denial-of-service vulnerability. The device can be shut down or rebooted by an unauthenticated attacker through a single crafted HTTP GET request, allowing remote interruption of service availability.

Published Nov 14, 2025 · Updated Apr 7, 2026

Critical · CVSS 9.3

CVE-2021-4462: Employee Records System v1.0 Arbitrary File Upload RCE

Employee Records System version 1.0 contains an unrestricted file upload vulnerability that allows a remote unauthenticated attacker to upload arbitrary files via the uploadID.php endpoint; uploaded files can be executed because the application does not perform proper server-side validation. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-06 UTC.

Published Nov 10, 2025 · Updated Apr 7, 2026

Critical · CVSS 9.3

CVE-2021-4464: FIberHome AN5506-04-FA / HG6245D Routers Remote Stack Overflow

FiberHome AN5506-04-FA firmware versions up to and including RP2631 and HG6245D prior to RP2602 contain a stack-based buffer overflow, as the HTTP service ('webs') fails to enforce maximum lengths for Cookie header values. When a cookie longer than 511 bytes is processed, a stack buffer is overrun, leading to a crash or potential control of execution flow.

Published Nov 12, 2025 · Updated Nov 21, 2025

High · CVSS 8.7

CVE-2021-4467: Positive Technologies MaxPatrol 8 & XSpider Remote DoS

Positive Technologies MaxPatrol 8 and XSpider contain a remote denial-of-service vulnerability in the client communication service on TCP port 2002. The service generates a new session identifier for each incoming connection without adequately limiting concurrent requests. An unauthenticated remote attacker can repeatedly issue HTTPS requests to the service, causing excessive allocation of session identifiers. Under load, session identifier collisions may occur, forcing active client sessions to disconnect and resulting in service disruption.

Published Nov 14, 2025 · Updated Nov 18, 2025

Critical · CVSS 9.3

CVE-2021-4470: TG8 Firewall Unauthenticated RCE via runphpcmd.php

TG8 Firewall contains a pre-authentication remote code execution vulnerability in the runphpcmd.php endpoint. The syscmd POST parameter is passed directly to a system command without validation and executed with root privileges. A remote, unauthenticated attacker can supply crafted values to execute arbitrary operating system commands as root, resulting in full device compromise.

Published Nov 14, 2025 · Updated Nov 18, 2025

High · CVSS 8.7

CVE-2021-4471: TG8 Firewall Unauthenticated User Password Disclosure

TG8 Firewall exposes a directory such as /data/ over HTTP without authentication. This directory stores credential files for previously logged-in users. A remote unauthenticated attacker can enumerate and download files within the directory to obtain valid account usernames and passwords, leading to loss of confidentiality and further unauthorized access.

Published Nov 14, 2025 · Updated Nov 17, 2025

High · CVSS 8.7

CVE-2021-4468: PLANEX CS-QP50F-ING2 Smart Camera Remote Configuration Disclosure

PLANEX CS-QP50F-ING2 smart cameras expose a configuration backup interface over HTTP that does not require authentication. A remote, unauthenticated attacker can directly retrieve a compressed configuration backup file from the device. The backup contains sensitive configuration information, including credentials, allowing an attacker to obtain administrative access to the camera and compromise the confidentiality of the monitored environment.

Published Nov 14, 2025 · Updated Nov 17, 2025

Medium · CVSS 5.1

CVE-2021-47698: Nagios XI < 5.8.7 XSS in Core UI Views URL handling

Nagios XI versions prior to 5.8.7 using embedded Nagios Core are vulnerable to cross-site scripting (XSS) via the Core UI’s Views URL handling (escape_string()). Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.

Published Nov 3, 2025 · Updated Nov 17, 2025

Medium · CVSS 4.3

CVE-2021-41229: Memory leak in BlueZ

BlueZ is a Bluetooth protocol stack for Linux. In affected versions a vulnerability exists in sdp_cstate_alloc_buf which allocates memory which will always be hung in the singly linked list of cstates and will not be freed. This will cause a memory leak over time. The data can be a very large object, which can be caused by an attacker continuously sending sdp packets and this may cause the service of the target device to crash.

Published Nov 12, 2021 · Updated Nov 4, 2025