Security Bulletins

Active threat advisories and known exploited vulnerabilities.

Pulled daily from the CISA Known Exploited Vulnerabilities catalog. Every entry has confirmed active exploitation in the wild. Last synced Jun 12, 2026.

1,619 total bulletins · 1,619 critical or high severity · Source: CISA KEV + NVD
Critical CVE-2021-37415 Zoho · ManageEngine ServiceDesk Plus (SDP) Added Dec 1, 2021

Zoho ManageEngine ServiceDesk Authentication Bypass Vulnerability

Zoho ManageEngine ServiceDesk Plus before 11302 is vulnerable to an authentication bypass that allows access to a few REST-API URLs without authentication.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical CVE-2021-40438 Apache · Apache Added Dec 1, 2021

Apache HTTP Server-Side Request Forgery (SSRF)

A crafted request uri-path can cause mod_proxy to forward the request to an origin server chosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical CVE-2021-44077 Zoho · ManageEngine ServiceDesk Plus (SDP) / SupportCenter Plus Added Dec 1, 2021

Zoho ManageEngine ServiceDesk Plus Remote Code Execution Vulnerability

Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulnerable to unauthenticated remote code execution.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical CVE-2021-22204 Perl · Exiftool Added Nov 17, 2021

ExifTool Remote Code Execution Vulnerability

Improper neutralization of user data in the DjVu file format in ExifTool versions 7.44 and up allows arbitrary code execution when parsing a malicious image.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical CVE-2021-40449 Microsoft · Windows Added Nov 17, 2021

Microsoft Windows Win32k Privilege Escalation Vulnerability

Unspecified vulnerability allows for an authenticated user to escalate privileges.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical CVE-2021-42321 Microsoft · Exchange Added Nov 17, 2021

Microsoft Exchange Server Remote Code Execution Vulnerability

An authenticated attacker could leverage improper validation in cmdlet arguments within Microsoft Exchange and perform remote code execution.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical CVE-2021-42292 Microsoft · Office Added Nov 17, 2021

Microsoft Excel Security Feature Bypass

A security feature bypass vulnerability in Microsoft Excel would allow a local user to perform arbitrary code execution.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical CVE-2021-27104 Accellion · FTA Added Nov 3, 2021

Accellion FTA OS Command Injection Vulnerability

Accellion FTA contains an OS command injection vulnerability exploited via a crafted POST request to various admin endpoints.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical CVE-2021-27102 Accellion · FTA Added Nov 3, 2021

Accellion FTA OS Command Injection Vulnerability

Accellion FTA contains an OS command injection vulnerability exploited via a local web service call.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical CVE-2021-27101 Accellion · FTA Added Nov 3, 2021

Accellion FTA SQL Injection Vulnerability

Accellion FTA contains a SQL injection vulnerability exploited via a crafted host header in a request to document_root.html.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical CVE-2021-27103 Accellion · FTA Added Nov 3, 2021

Accellion FTA Server-Side Request Forgery (SSRF) Vulnerability

Accellion FTA contains a server-side request forgery (SSRF) vulnerability exploited via a crafted POST request to wmProgressstat.html.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical CVE-2021-21017 Adobe · Acrobat and Reader Added Nov 3, 2021

Adobe Acrobat and Reader Heap-based Buffer Overflow Vulnerability

Adobe Acrobat and Reader contain a heap-based buffer overflow vulnerability that could allow an unauthenticated attacker to achieve code execution in the context of the current user.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical CVE-2021-28550 Adobe · Acrobat and Reader Added Nov 3, 2021

Adobe Acrobat and Reader Use-After-Free Vulnerability

Adobe Acrobat and Reader contain a use-after-free vulnerability that could allow an unauthenticated attacker to achieve code execution in the context of the current user.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical CVE-2018-4939 Adobe · ColdFusion Added Nov 3, 2021

Adobe ColdFusion Deserialization of Untrusted Data Vulnerability

Adobe ColdFusion contains a deserialization of untrusted data vulnerability that could allow for code execution.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical CVE-2018-15961 Adobe · ColdFusion Added Nov 3, 2021

Adobe ColdFusion Unrestricted File Upload Vulnerability

Adobe ColdFusion contains an unrestricted file upload vulnerability that could allow for code execution.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical CVE-2018-4878 Adobe · Flash Player Added Nov 3, 2021

Adobe Flash Player Use-After-Free Vulnerability

Adobe Flash Player contains a use-after-free vulnerability that could allow for code execution.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical CVE-2020-5735 Amcrest · Cameras and Network Video Recorder (NVR) Added Nov 3, 2021

Amcrest Cameras and NVR Stack-based Buffer Overflow Vulnerability

Amcrest cameras and NVR contain a stack-based buffer overflow vulnerability through port 37777 that allows an unauthenticated, remote attacker to crash the device and possibly execute code.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical CVE-2019-2215 Android · Android Kernel Added Nov 3, 2021

Android Kernel Use-After-Free Vulnerability

Android Kernel contains a use-after-free vulnerability in binder.c that allows for privilege escalation from an application to the Linux Kernel. This vulnerability was observed chained with CVE-2020-0041 and CVE-2020-0069 under exploit chain "AbstractEmu."

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical CVE-2020-0041 Android · Android Kernel Added Nov 3, 2021

Android Kernel Out-of-Bounds Write Vulnerability

Android Kernel binder_transaction of binder.c contains an out-of-bounds write vulnerability due to an incorrect bounds check that could allow for local privilege escalation. This vulnerability was observed chained with CVE-2019-2215 and CVE-2020-0069 under exploit chain "AbstractEmu."

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical CVE-2020-0069 MediaTek · Multiple Chipsets Added Nov 3, 2021

MediaTek Multiple Chipsets Insufficient Input Validation Vulnerability

Multiple MediaTek chipsets contain an insufficient input validation vulnerability and have missing SELinux restrictions in the Command Queue driver's ioctl handlers. This causes an out-of-bounds write leading to privilege escalation. This vulnerability was observed chained with CVE-2019-2215 and CVE-2020-0041 under exploit chain "AbstractEmu."

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical CVE-2017-9805 Apache · Struts Added Nov 3, 2021

Apache Struts Deserialization of Untrusted Data Vulnerability

Apache Struts REST Plugin uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to remote code execution when deserializing XML payloads.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical CVE-2021-42013 Apache · HTTP Server Added Nov 3, 2021

Apache HTTP Server Path Traversal Vulnerability

Apache HTTP Server contains a path traversal vulnerability that allows an attacker to perform remote code execution if files outside directories configured by Alias-like directives are not under default "require all denied" or if CGI scripts are enabled. This CVE ID resolves an incomplete patch for CVE-2021-41773.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical CVE-2021-41773 Apache · HTTP Server Added Nov 3, 2021

Apache HTTP Server Path Traversal Vulnerability

Apache HTTP Server contains a path traversal vulnerability that allows an attacker to perform remote code execution if files outside directories configured by Alias-like directives are not under default "require all denied" or if CGI scripts are enabled. The original patch issued under this CVE ID is insufficient; please review remediation information under CVE-2021-42013.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical CVE-2019-0211 Apache · HTTP Server Added Nov 3, 2021

Apache HTTP Server Privilege Escalation Vulnerability

In Apache HTTP Server with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute code with the privileges of the parent process (usually root) by manipulating the scoreboard.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical CVE-2016-4437 Apache · Shiro Added Nov 3, 2021

Apache Shiro Code Execution Vulnerability

Apache Shiro contains a vulnerability which may allow remote attackers to execute code or bypass intended access restrictions via an unspecified request parameter when a cipher key has not been configured for the "remember me" feature.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
