Web Application Vulnerabilities (v.26.4.2314)

High Severity Vulnerabilities

Found 13053 vulnerabilities at High severity.
| Vulnerability Name | CVE | CWE | Severity |
|---|---|---|---|
| Unauthenticated OGNL injection in Confluence Server and Data Center | CVE-2021-26084 | CWE-917 | High |
| Dragonfly Arbitrary File Read/Write (CVE-2021-33564) | CVE-2021-33564 | CWE-20 | High |
| Ghost CMS Theme Preview XSS (CVE-2021-29484) | CVE-2021-29484 | CWE-79 | High |
| GoCD information disclosure (CVE-2021-43287) | CVE-2021-43287 | CWE-200 | High |
| Grav CMS Unauthenticated RCE (CVE-2021-21425) | CVE-2021-21425 | CWE-284 | High |
| Laravel Terminal open | - | CWE-200 | High |
| ManageEngine ADSelfService Plus Authentication Bypass (CVE-2021-40539) | CVE-2021-40539 | CWE-287 | High |
| Oracle E-Business Suite Information Disclosure | - | CWE-200 | High |
| Apache OFBiz SOAPService Deserialization RCE | CVE-2021-26295 | CWE-502 | High |
| Request Smuggling | - | CWE-444 | High |
| RethinkDB administrative interface publicly exposed | - | CWE-200 | High |
| SearchBlox Local File Inclusion (CVE-2020-35580) | CVE-2020-35580 | CWE-22 | High |
| Sitecore XP Deserialization RCE (CVE-2021-42237) | CVE-2021-42237 | CWE-502 | High |
| Apache Tapestry Unauthenticated RCE (CVE-2019-0195, CVE-2021-27850) | CVE-2021-27850 | CWE-200 | High |
| VMware vRealize Operations Server Side Request Forgery (SSRF) vulnerability | CVE-2021-21975 | CWE-918 | High |
| Web Cache Poisoning via semicolon query separator | - | CWE-44 | High |
| Deserialization of Untrusted Data (XStream) | CVE-2020-26217 | CWE-502 | High |
| Zimbra Collaboration Suite SSRF (CVE-2020-7796) | CVE-2020-7796 | CWE-918 | High |
| Vulnerable package dependencies [high] | - | CWE-1104 | High |
| Apache Airflow Experimental API Auth Bypass CVE-2020-13927 | CVE-2020-13927 | CWE-200 | High |
| Apache Airflow default credentials | - | CWE-798 | High |
| Apache Airflow Unauthorized Access Vulnerability | - | CWE-200 | High |
| Apache Flink jobmanager/logs Path Traversal | CVE-2020-17519 | CWE-22 | High |
| Apache HTTP Server Insecure Path Normalization (CVE-2021-41773, CVE-2021-42013) | CVE-2021-41773 | CWE-22 | High |
| Apache HTTP Server mod_proxy SSRF (CVE-2021-40438) | CVE-2021-40438 | CWE-918 | High |
| Apache Shiro authentication bypass | CVE-2020-17523 | CWE-287 | High |
| BuddyPress REST API Privilege Escalation | CVE-2021-21389 | CWE-269 | High |
| Unrestricted access to Caddy API interface | - | CWE-200 | High |
| Client Side Template Injection | - | CWE-116 | High |
| Delve Debugger Unauthorized Access Vulnerability | - | CWE-200 | High |
| ExpressJs Local File Read via the layout parameter | - | CWE-22 | High |
| F5 iControl REST unauthenticated remote command execution vulnerability | CVE-2021-22986 | CWE-78 | High |
| ForgeRock AM / OpenAM Deserialization RCE (CVE-2021-35464) | CVE-2021-35464 | CWE-502 | High |
| ForgeRock OpenAM Deserialization RCE (CVE-2021-29156) | CVE-2021-29156 | CWE-502 | High |
| GitLab ExifTool RCE (CVE-2021-22205) | CVE-2021-22205 | CWE-918 | High |
| Grafana Plugin Dir Traversal (CVE-2021-43798) | CVE-2021-43798 | CWE-200 | High |
| Grandnode Path Traversal (CVE-2019-12276) | CVE-2019-12276 | CWE-22 | High |
| Unrestricted access to Haproxy Data Plane API | - | CWE-200 | High |
| HTTP/2 pseudo-header server side request forgery | - | CWE-918 | High |
| Web Cache Poisoning through HTTP/2 pseudo-headers | - | CWE-44 | High |
| Unrestricted access to Kong Gateway API | - | CWE-200 | High |
| Lucee Server Arbitrary File Creation | CVE-2021-21307 | CWE-22 | High |
| Microsoft Exchange Server Server-Side Request Forgery (SSRF) vulnerability | CVE-2021-26855 | CWE-918 | High |
| Microsoft Exchange Server Pre-auth Path Confusion vulnerability (CVE-2021-34473) | CVE-2021-34473 | CWE-918 | High |
| SSRF via logo_uri in MITREid Connect | CVE-2021-26715 | CWE-918 | High |
| Alibaba Nacos Authentication Bypass (CVE-2021-29441) | CVE-2021-29441 | CWE-287 | High |
| Node.js Debugger Unauthorized Access Vulnerability | - | CWE-200 | High |
| Node.js Inspector Unauthorized Access Vulnerability | - | CWE-200 | High |
| ntopng Authentication Bypass (CVE-2021-28073) | CVE-2021-28073 | CWE-287 | High |
| Reflected Cross-Site Scripting (XSS) vulnerability in PAN-OS management web interface | CVE-2020-2036 | CWE-79 | High |
| Python Debugger Unauthorized Access Vulnerability | - | CWE-200 | High |
| qdPM Information Disclosure | - | CWE-260 | High |
| SAML Consumer Service XML entity injection (XXE) | - | CWE-611 | High |
| Missing Authentication Check in SAP Solution Manager | CVE-2020-6207 | CWE-287 | High |
| SonicWall SSL-VPN 8.0.0.0 RCE via ShellShock exploit | - | CWE-78 | High |
| spring-boot-actuator-logview Path Traversal | CVE-2021-21234 | CWE-22 | High |
| Virtual Host locations misconfiguration | - | CWE-200 | High |
| VMware vCenter Server Unauthorized Remote Code Execution | CVE-2021-21972 | CWE-78 | High |
| AjaxPro.NET Professional Deserialization RCE (CVE-2021-23758) | CVE-2021-23758 | CWE-502 | High |
| ASP.NET connection strings stored in plaintext | - | CWE-312 | High |
| Authentication bypass via MongoDB operator injection | - | CWE-943 | High |
| Bonita Authorization Bypass (CVE-2022-25237) | CVE-2022-25237 | CWE-863 | High |
| Unauthenticated remote code execution vulnerability in Confluence Server and Data Center | CVE-2022-26134 | CWE-917 | High |
| DotCMS unrestricted file upload (CVE-2022-26352) | CVE-2022-26352 | CWE-434 | High |
| .NET JSON.NET Deserialization RCE | - | CWE-502 | High |
| Email Header Injection (Invicti IAST) | - | CWE-20 | High |
| Jenkins Git Plugin missing permission check (CVE-2022-36883) | CVE-2022-36883 | CWE-862 | High |
| ManageEngine Desktop Central Deserialization RCE (CVE-2020-10189) | CVE-2020-10189 | CWE-502 | High |
| Metabase Local File Inclusion (CVE-2021-41277) | CVE-2021-41277 | CWE-200 | High |
| MongoDB $where operator JavaScript injection | - | CWE-943 | High |
| Unsafe use of Reflection | - | CWE-470 | High |
| Apache Solr Log4Shell RCE | CVE-2021-44228 | CWE-78 | High |
| BillQuick Web Suite SQL injection (CVE-2021-42258) | CVE-2021-42258 | CWE-89 | High |
| elFinder RCE (CVE-2021-32682) | CVE-2021-32682 | CWE-22 | High |
| Fortinet Authentication bypass on administrative interface | CVE-2022-40684 | CWE-288 | High |