Apr 28, 2022 Cyber Threat Intelligence

Track daily vulnerability activity, KEV additions, public exploits, critical disclosures, and EPSS risk shifts.

Daily summary

  • 10 new critical disclosures — review patch status on exposed services.

Top threats today

Three highest-priority changes — analyst brief, not a CVE dump.

Critical exposure

CVE-2022-1509 Command Injection Vulnerability in GitHub repository hestiacp/hestiacp prior to 1.5.12.

  • CVSS 9.9

New critical Hestiacp Control Panel Command Injection (CVSS 9.9) — fresh disclosure window; early internet scanning often precedes mature exploit chains.

Critical exposure

CVE-2021-41921 novel-plus V3.6.1 allows unrestricted file uploads.

  • CVSS 9.8
  • Remote code execution exposure

New critical Xxyopen Novel-plus RCE (CVSS 9.8) — fresh disclosure window; early internet scanning often precedes mature exploit chains.

Critical exposure

CVE-2022-24449 Rt-solar Solar Appscreener SSRF

  • CVSS 9.8

New critical Rt-solar Solar Appscreener SSRF (CVSS 9.8) — fresh disclosure window; early internet scanning often precedes mature exploit chains.

Active exploitation

CISA KEV — confirmed in-the-wild exploitation.

Nothing flagged in this category for this digest.


Exploit & PoC activity

Nothing flagged in this category for this digest.


Exploitation dynamics

Nothing flagged in this category for this digest.


New critical disclosures

CVE-2021-41921 CVSS 9.8

novel-plus V3.6.1 allows unrestricted file uploads.

CVE-2021-41945 CVSS 9.1

Encode OSS httpx < 0.23.0 is affected by improper input validation in `httpx.URL`, `httpx.Client` and some functions using `httpx.URL.cop...

Elcomplus SmartPTT is vulnerable when an attacker injects JavaScript code into a specific parameter that can be executed upon accessing the...

CVE-2021-43934 CVSS 9.8

Elcomplus SmartPTT is vulnerable as the backup and restore system does not adequately validate upload requests, enabling a malicious user...

CVE-2022-1509 CVSS 9.9

Command Injection Vulnerability in GitHub repository hestiacp/hestiacp prior to 1.5.12.

CVE-2022-24449 CVSS 9.8

Solar appScreener through 3.10.4, when a valid license is not present, allows XXE and SSRF attacks via a crafted XML document.

Turtlapp Turtle Note v0.7.2.6 does not filter the <meta> tag during markdown parsing, allowing attackers to execute HTML injection.

CVE-2022-28114 CVSS 9.1

DSCMS v3.0 was discovered to contain an arbitrary file deletion vulnerability via /controller/Adv.php.

CVE-2022-29081 CVSS 9.8

Zoho ManageEngine Access Manager Plus before 4302, Password Manager Pro before 12007, and PAM360 before 5401 are vulnerable to access-con...

CVE-2022-29556 CVSS 9.8

The iot-manager microservice 1.0.0 in Northern.tech Mender Enterprise before 3.2.2 allows SSRF because the Azure IoT Hub integration prov...


cvelogic Threat Intelligence