Security Bulletins

Active threat advisories and known exploited vulnerabilities.

Pulled daily from the CISA Known Exploited Vulnerabilities catalog. Every entry has confirmed active exploitation in the wild. Last synced Jun 18, 2026.

1,623 total bulletins 1,623 critical or high severity Source: CISA KEV + NVD
All 1,623 Critical 1,623 High 0 Medium 0 Low 0 1,623 critical entries
Critical CVE-2020-14883 Oracle · WebLogic Server Added Nov 3, 2021

Oracle WebLogic Server Unspecified Vulnerability

Oracle WebLogic Server contains an unspecified vulnerability in the Console component with high impacts to confidentilaity, integrity, and availability.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical CVE-2020-8644 PlaySMS · PlaySMS Added Nov 3, 2021

PlaySMS Server-Side Template Injection Vulnerability

PlaySMS contains a server-side template injection vulnerability that allows for remote code execution.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical CVE-2019-18935 Progress · Telerik UI for ASP.NET AJAX Added Nov 3, 2021

Progress Telerik UI for ASP.NET AJAX Deserialization of Untrusted Data Vulnerability

Progress Telerik UI for ASP.NET AJAX contains a deserialization of untrusted data vulnerability through RadAsyncUpload which leads to code execution on the server in the context of the w3wp.exe process.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical CVE-2021-22893 Ivanti · Pulse Connect Secure Added Nov 3, 2021

Ivanti Pulse Connect Secure Use-After-Free Vulnerability

Ivanti Pulse Connect Secure contains a use-after-free vulnerability that allow a remote, unauthenticated attacker to execute code via license services.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical CVE-2020-8243 Ivanti · Pulse Connect Secure Added Nov 3, 2021

Ivanti Pulse Connect Secure Code Execution Vulnerability

Ivanti Pulse Connect Secure contains an unspecified vulnerability in the admin web interface that could allow an authenticated attacker to upload a custom template to perform code execution.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical CVE-2021-22900 Ivanti · Pulse Connect Secure Added Nov 3, 2021

Ivanti Pulse Connect Secure Unrestricted File Upload Vulnerability

Ivanti Pulse Connect Secure contains an unrestricted file upload vulnerability that allows an authenticated administrator to perform a file write via a maliciously crafted archive upload in the administrator web interface.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical CVE-2021-22894 Ivanti · Pulse Connect Secure Added Nov 3, 2021

Ivanti Pulse Connect Secure Collaboration Suite Buffer Overflow Vulnerability

Ivanti Pulse Connect Secure Collaboration Suite contains a buffer overflow vulnerabilities that allows a remote authenticated users to execute code as the root user via maliciously crafted meeting room.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical CVE-2020-8260 Ivanti · Pulse Connect Secure Added Nov 3, 2021

Ivanti Pulse Connect Secure Code Execution Vulnerability

Pulse Connect Secure contains an unspecified vulnerability that allows an authenticated attacker to perform code execution using uncontrolled gzip extraction.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical CVE-2021-22899 Ivanti · Pulse Connect Secure Added Nov 3, 2021

Ivanti Pulse Connect Secure Command Injection Vulnerability

Ivanti Pulse Connect Secure contains a command injection vulnerability that allows remote authenticated users to perform remote code execution via Windows File Resource Profiles.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical CVE-2019-11510 Ivanti · Pulse Connect Secure Added Nov 3, 2021

Ivanti Pulse Connect Secure Arbitrary File Read Vulnerability

Ivanti Pulse Connect Secure contains an arbitrary file read vulnerability that allows an unauthenticated remote attacker with network access via HTTPS to send a specially crafted URI.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical CVE-2019-11539 Ivanti · Pulse Connect Secure and Pulse Policy Secure Added Nov 3, 2021

Ivanti Pulse Connect Secure and Policy Secure Command Injection Vulnerability

Ivanti Pulse Connect Secure and Policy Secure allows an authenticated attacker from the admin web interface to inject and execute commands.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical CVE-2021-1906 Qualcomm · Multiple Chipsets Added Nov 3, 2021

Qualcomm Multiple Chipsets Detection of Error Condition Without Action Vulnerability

Multiple Qualcomm chipsets contain a detection of error condition without action vulnerability when improper handling of address deregistration on failure can lead to new GPU address allocation failure.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical CVE-2021-1905 Qualcomm · Multiple Chipsets Added Nov 3, 2021

Qualcomm Multiple Chipsets Use-After-Free Vulnerability

Multiple Qualcomm Chipsets contain a use after free vulnerability due to improper handling of memory mapping of multiple processes simultaneously.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical CVE-2020-10221 rConfig · rConfig Added Nov 3, 2021

rConfig OS Command Injection Vulnerability

rConfig lib/ajaxHandlers/ajaxAddTemplate.php contains an OS command injection vulnerability that allows remote attackers to execute OS commands via shell metacharacters in the fileName POST parameter.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical CVE-2021-35395 Realtek · AP-Router SDK Added Nov 3, 2021

Realtek AP-Router SDK Buffer Overflow Vulnerability

Realtek AP-Router SDK HTTP web server boa contains a buffer overflow vulnerability due to unsafe copies of some overly long parameters submitted in the form that lead to denial-of-service (DoS).

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical CVE-2017-16651 Roundcube · Roundcube Webmail Added Nov 3, 2021

Roundcube Webmail File Disclosure Vulnerability

Roundcube Webmail contains a file disclosure vulnerability caused by insufficient input validation in conjunction with file-based attachment plugins, which are used by default.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical CVE-2020-11652 SaltStack · Salt Added Nov 3, 2021

SaltStack Salt Path Traversal Vulnerability

SaltStack Salt contains a path traversal vulnerability in the salt-master process ClearFuncs which allows directory access to authenticated users. Salt users who follow fundamental internet security guidelines and best practices are not affected by this vulnerability.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical CVE-2020-11651 SaltStack · Salt Added Nov 3, 2021

SaltStack Salt Authentication Bypass Vulnerability

SaltStack Salt contains an authentication bypass vulnerability in the salt-master process ClearFuncs due to improperly validating method calls. The vulnerability allows a remote user to access some methods without authentication, which can be used to retrieve user tokens from the salt master and/or run commands on salt minions. Salt users who follow fundamental internet security guidelines and best practices are not affected by this vulnerability.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical CVE-2020-16846 SaltStack · Salt Added Nov 3, 2021

SaltStack Salt Shell Injection Vulnerability

SaltStack Salt allows an unauthenticated user with network access to the Salt API to use shell injections to run code on the Salt API using the SSH client. This vulnerability affects any users running the Salt API.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical CVE-2018-2380 SAP · Customer Relationship Management (CRM) Added Nov 3, 2021

SAP Customer Relationship Management (CRM) Path Traversal Vulnerability

SAP Customer Relationship Management (CRM) contains a path traversal vulnerability that allows an attacker to exploit insufficient validation of path information provided by users.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical CVE-2010-5326 SAP · NetWeaver Added Nov 3, 2021

SAP NetWeaver Remote Code Execution Vulnerability

SAP NetWeaver Application Server Java Platforms Invoker Servlet does not require authentication, allowing for remote code execution via a HTTP or HTTPS request.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical CVE-2016-9563 SAP · NetWeaver Added Nov 3, 2021

SAP NetWeaver XML External Entity (XXE) Vulnerability

SAP NetWeaver Application Server Java Platforms contains an unspecified vulnerability in BC-BMT-BPM-DSK which allows remote, authenticated users to conduct XML External Entity (XXE) attacks.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical CVE-2020-6287 SAP · NetWeaver Added Nov 3, 2021

SAP NetWeaver Missing Authentication for Critical Function Vulnerability

SAP NetWeaver Application Server Java Platforms contains a missing authentication for critical function vulnerability allowing unauthenticated access to execute configuration tasks and create administrative users.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical CVE-2020-6207 SAP · Solution Manager Added Nov 3, 2021

SAP Solution Manager Missing Authentication for Critical Function Vulnerability

SAP Solution Manager User Experience Monitoring contains a missing authentication for critical function vulnerability which results in complete compromise of all SMDAgents connected to the Solution Manager.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical CVE-2016-3976 SAP · NetWeaver Added Nov 3, 2021

SAP NetWeaver Directory Traversal Vulnerability

SAP NetWeaver Application Server Java Platforms contains a directory traversal vulnerability via a ..\ (dot dot backslash) in the fileName parameter to CrashFileDownloadServlet. This allows remote attackers to read files.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed

Need help prioritizing these vulnerabilities?

ThreatGrid can assess your environment and map active CVEs to your monitored assets.