PatchSiren

Exploit Db CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH Exploit Db CVE published 2026-05-16

CVE-2021-47980

CVE-2021-47980 describes a blind SQL injection in Fuel CMS 1.4.13. An authenticated attacker can abuse the Activity Log interface by supplying crafted SQL in the 'col' parameter to influence database queries and infer information through response-time differences. The supplied sources classify this as CWE-89 and rate it high severity.

MEDIUM Exploit Db CVE published 2026-05-16

CVE-2021-47978

CVE-2021-47978 describes a local file inclusion flaw in ProcessMaker 3.5.4 where insufficient validation against path traversal can allow unauthenticated attackers to read arbitrary files. The supplied sources characterize the issue as an arbitrary file read that can expose sensitive system data, such as /etc/passwd.

HIGH Exploit Db CVE published 2026-05-16

CVE-2021-47974

CVE-2021-47974 describes an unquoted service path weakness in VX Search 13.5.28 affecting both the VX Search Server and VX Search Enterprise services. Because the service binary path contains spaces and is not quoted, Windows tries each space-delimited prefix of the path as an executable before reaching the intended binary; a local attacker who can write to one of those locations can plant an executable that runs with LocalSystem privileges when the service starts or restarts. The NVD record maps the issue to CWE-428 and r [truncated]

HIGH Exploit Db CVE published 2026-05-16

CVE-2021-47973

CVE-2021-47973 is a denial-of-service issue reported in Sticky Notes Widget 3.0.6 on iOS. The supplied corpus says an attacker can crash the app by pasting extremely long strings into note fields, including a payload of 350,000 repeated characters pasted twice into a new note.

HIGH Exploit Db CVE published 2026-05-16

CVE-2021-47972

CVE-2021-47972 describes a denial-of-service condition in Sticky Notes & Color Widgets 1.4.2. According to the supplied sources, attackers can create notes containing excessively long character strings, causing the application to crash or stop responding. The issue is mapped to CWE-789 in the source record and is rated HIGH with a CVSS score of 8.7 in the supplied NVD data.

HIGH Exploit Db CVE published 2026-05-16

CVE-2021-47971

CVE-2021-47971 is a denial-of-service vulnerability reported in My Notes Safe 5.3. According to the CVE description, an attacker can crash the application by pasting excessively long character strings into note fields; the example payload described in the record uses 350,000 repeated characters pasted twice into a new note. The NVD metadata associated with the record classifies the weakness as CWE-789 and [truncated]

HIGH Exploit Db CVE published 2026-05-16

CVE-2021-47970

CVE-2021-47970 is a denial-of-service issue in Macaron Notes 5.5 where an attacker can crash the application by pasting an excessively long string into a note field. The supplied description says a payload with about 350,000 repeated characters can trigger the crash and stop normal functionality. NVD lists the vulnerability as High severity and references both an Exploit-DB entry and a VulnCheck advisory.

HIGH Exploit Db CVE published 2026-05-16

CVE-2021-47969

CVE-2021-47969 is a high-severity denial-of-service issue in Color Notes 1.4. The supplied description says an attacker can crash the application by pasting excessively long character strings into note fields; the example payload is 350,000 repeated characters pasted twice into a new note, which can cause the app to stop responding. The supplied NVD metadata classifies the issue as network-reachable, low- [truncated]

MEDIUM Exploit Db CVE published 2026-05-16

CVE-2021-47955

CVE-2021-47955 describes a cross-site scripting issue in CouchCMS 2.2.1 where an authenticated attacker can upload a malicious SVG file through the file upload workflow and have embedded JavaScript execute when the file is later accessed or previewed. The supplied CVSS data rates the issue as medium severity, with user interaction required and no direct confidentiality, integrity, or availability impact r [truncated]
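The SVG vector in the CouchCMS entry above is worth seeing as a concrete check. The following is an added example and not CouchCMS code: it flags the scripting vectors an uploaded SVG can carry (script and foreign-content elements, on* event handlers, javascript: or data: URLs) before the file is stored, and shows the response headers to serve accepted files with so that a preview cannot run script. The sample documents are constructed for the demonstration.

```python
"""Added example (not CouchCMS code): reject scripting vectors in an uploaded SVG
and serve accepted files as downloads with script execution forbidden."""

import xml.etree.ElementTree as ET

# Elements that can run script or embed foreign content inside an SVG.
DANGEROUS_TAGS = {"script", "foreignobject", "iframe", "embed", "object"}
# URL-bearing attributes where a javascript:/data: value executes on activation.
URL_ATTRS = {"href", "src"}


def local_name(qualified: str) -> str:
    """'{http://www.w3.org/2000/svg}script' -> 'script'; plain names pass through."""
    return qualified.rsplit("}", 1)[-1].lower()


def svg_findings(data: bytes) -> list:
    """Return a list of reasons to reject; an empty list means nothing was found.

    The stdlib parser is used for the demo; in production parse with defusedxml
    so entity-expansion tricks in the upload cannot exhaust the parser.
    """
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if local_name(root.tag) != "svg":
        return ["root element is not <svg>"]
    findings = []
    for el in root.iter():
        name = local_name(el.tag)
        if name in DANGEROUS_TAGS:
            findings.append(f"<{name}> element")
        for attr, value in el.attrib.items():
            a = local_name(attr)                     # xlink:href -> href
            if a.startswith("on"):
                findings.append(f"event handler {a} on <{name}>")
            elif a in URL_ATTRS and value.strip().lower().startswith(("javascript:", "data:")):
                findings.append(f'{a}="{value}" on <{name}>')
    return findings


def download_headers(filename: str) -> dict:
    """Headers for serving a stored SVG: force download, forbid script even if
    the file is opened directly, and stop MIME sniffing."""
    safe_name = filename.replace('"', "")
    return {
        "Content-Type": "image/svg+xml",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'",
        "X-Content-Type-Options": "nosniff",
    }


# Constructed sample uploads.
BENIGN = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
WITH_SCRIPT = b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>'
WITH_ONLOAD = b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"><circle r="4"/></svg>'
WITH_JS_HREF = (b'<svg xmlns="http://www.w3.org/2000/svg" '
                b'xmlns:xlink="http://www.w3.org/1999/xlink">'
                b'<a xlink:href="javascript:alert(1)"><text>x</text></a></svg>')

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN), ("script", WITH_SCRIPT),
                       ("onload", WITH_ONLOAD), ("js-href", WITH_JS_HREF)]:
        print(label, svg_findings(doc))
```

Rejecting at upload time and forcing download at serve time are independent layers; if the application must render user SVGs inline, serve them from a separate origin so a bypass of the first layer cannot reach the main site's session.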

HIGH Exploit Db CVE published 2026-05-16

CVE-2021-47954

CVE-2021-47954 describes an unauthenticated SQL injection in LayerBB 1.1.4. The supplied record indicates attackers can abuse the search_query parameter on /search.php to manipulate database queries and extract sensitive information. In the supplied NVD record, the vulnerability is rated HIGH with a CVSS score of 8.8.

HIGH Exploit Db CVE published 2026-05-16

CVE-2021-47942

CVE-2021-47942 describes a path traversal issue in Home Assistant Community Store (HACS) 1.10.0 that allows unauthenticated attackers to read files through the /hacsfiles/ endpoint. The supplied record says the .storage/auth file may be exposed, including user credentials and refresh tokens, which can then be used to create valid JWTs and gain administrative access to Home Assistant instances. NVD’s recor [truncated]
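The HACS and ProcessMaker entries above are both arbitrary file reads through path traversal. The following is an added example, not code from either project: a static-file resolver that refuses any request resolving outside the served directory, beside the naive join it replaces. The directory layout, file names and the `resolve_static` / `resolve_naive` function names are constructed for the demonstration.

```python
"""Added example (not HACS or ProcessMaker code): containment check for a
static-file endpoint, with the vulnerable join for comparison."""

import os
import tempfile
from typing import Optional


def setup_root() -> str:
    """Create a throwaway served directory with one legitimate asset."""
    root = tempfile.mkdtemp(prefix="static_demo_")
    os.makedirs(os.path.join(root, "integration"))
    with open(os.path.join(root, "integration", "card.js"), "w") as fh:
        fh.write("// legitimate served asset\n")
    return root


def resolve_naive(root: str, requested: str) -> str:
    """Vulnerable: joins the request path onto root with no containment check,
    so '../../etc/passwd' walks straight out of root."""
    return os.path.join(root, requested)


def escapes_root(root: str, path: str) -> bool:
    """True if `path`, after '..' and symlink resolution, is not inside root.
    commonpath rather than startswith, so /srv/app2 is not accepted for /srv/app."""
    root_real = os.path.realpath(root)
    target = os.path.realpath(path)
    return os.path.commonpath([root_real, target]) != root_real


def resolve_static(root: str, requested: str) -> Optional[str]:
    """Hardened: return the absolute file to serve, or None to answer 404.

    `requested` must already be percent-decoded by the web layer; the check
    runs on the decoded path, so '..%2f..' arrives here as '../..'.
    """
    if "\x00" in requested:
        return None
    # A leading slash would make os.path.join discard root entirely.
    relative = requested.lstrip("/\\")
    candidate = os.path.join(os.path.realpath(root), relative)
    if escapes_root(root, candidate):
        return None
    candidate = os.path.realpath(candidate)
    if not os.path.isfile(candidate):
        return None
    return candidate


def demo_results() -> dict:
    """Which constructed requests would be served by the hardened resolver."""
    root = setup_root()
    probes = ["integration/card.js", "/integration/card.js", "../../etc/passwd",
              "integration/../../../etc/passwd", "integration/card.js\x00.txt",
              "integration"]
    return {p: resolve_static(root, p) is not None for p in probes}


if __name__ == "__main__":
    for probe, served in demo_results().items():
        print(repr(probe), "served" if served else "rejected")
```

Because `realpath` follows symlinks, a link placed inside the served directory that points at a file outside it is rejected as well; a `startswith` check on the unresolved path would not catch that.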

HIGH Exploit Db CVE published 2026-05-16

CVE-2020-37247

CVE-2020-37247 describes an unquoted service path vulnerability in the KiteService Windows service. In the supplied description, a local attacker can plant an executable at one of the space-delimited prefixes of the unquoted service binary path and have it run with the service's elevated privileges when the service starts. The issue is mapped to CWE-428 and carries a high severity rating in the supplied NVD data.

CRITICAL Exploit Db CVE published 2026-05-16

CVE-2020-37239

CVE-2020-37239 is a critical memory-safety issue in libbabl 0.1.62. babl's double-free check relies on a signature field in the freed block; when the allocator reuses that memory for its own metadata after the first free, the signature no longer matches and babl_free() can be called a second time on the same pointer without being detected. The result is a plausible path to memory corruption and, in the worst case, code execution.

MEDIUM Exploit Db CVE published 2026-05-16

CVE-2020-37236

CVE-2020-37236 is an authenticated persistent cross-site scripting (XSS) issue in NewsLister. The supplied NVD record and linked advisory references describe a flaw in the news addition interface where an authenticated administrator can place JavaScript payloads into the title parameter. Because the content is stored and later rendered to other users, the injected script can execute when the affected news [truncated]

HIGH Exploit Db CVE published 2026-05-16

CVE-2020-37232

CVE-2020-37232 is a high-severity local privilege-escalation issue affecting Advanced System Care Service 13.0.0.157. The issue is described as an unquoted service path in the AdvancedSystemCareService13 service binary path, which can allow a local attacker to execute a malicious executable during service startup or system reboot with LocalSystem privileges. The supplied NVD record lists the weakness as C [truncated]

HIGH Exploit Db CVE published 2026-05-16

CVE-2020-37229

CVE-2020-37229 describes an unquoted service path vulnerability in OKI sPSV Port Manager 1.0.41 affecting the sPSVOpLclSrv service. Because the service path is not properly quoted, a local attacker can place a malicious executable in a directory searched by the service and obtain code execution with LocalSystem privileges when the service restarts or the system reboots. The NVD record lists the issue as H [truncated]

HIGH Exploit Db CVE published 2026-05-10

CVE-2022-50944

CVE-2022-50944 is a high-severity PHP code injection issue in Aero CMS 0.0.1. An authenticated attacker can abuse the image upload handling in the admin posts.php endpoint (source=add_post) to place malicious PHP content on the server, which can then be executed by the application environment.

MEDIUM Exploit Db CVE published 2026-05-10

CVE-2021-47953

CVE-2021-47953 describes a cross-site request forgery issue in OpenCart 3.0.3.7 affecting the account/password endpoint. If an authenticated user is tricked into submitting a crafted request with attacker-controlled password values, the application may accept the change and allow account takeover. The NVD record classifies the issue as medium severity and maps it to CWE-352.

MEDIUM Exploit Db CVE published 2026-05-10

CVE-2021-47947

CVE-2021-47947 is a stored cross-site scripting vulnerability in ProjectSend r1295. According to the supplied record, an authenticated attacker can submit crafted input to the files-edit.php name parameter; the payload is stored and can execute when other users view the affected file entry, including System Administrator users on the Dashboard page.

MEDIUM Exploit Db CVE published 2026-05-10

CVE-2021-47946

CVE-2021-47946 describes a cross-site request forgery issue in OpenCart's /account/edit flow. In the supplied CVE description, an attacker can trick a logged-in victim into visiting a malicious page that submits unauthorized account changes, including email updates. If the email is switched to an attacker-controlled address, a subsequent password reset for the account is delivered to the attacker, which is the path to account takeover.
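The two OpenCart CSRF entries above (CVE-2021-47953 on account/password and CVE-2021-47946 on account/edit) share one defence. The following is an added example, not OpenCart code: a handler for a state-changing account request that checks the request origin, requires a CSRF token bound to the session, and re-authenticates before changing the email address. The site origin, server key, user store, and the `request` / `session` dictionary shapes are assumptions made for the demonstration.

```python
"""Added example (not OpenCart code): origin check, session-bound CSRF token
and re-authentication on an account-change request."""

import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://shop.example.test"   # assumed site origin
SERVER_KEY = secrets.token_bytes(32)        # per-deployment secret; generated here for the demo


def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


_SALT = secrets.token_bytes(16)
# Constructed user store.
USERS = {"alice": {"email": "alice@example.test", "salt": _SALT,
                   "pw_hash": _pw_hash("correct horse", _SALT)}}


def issue_csrf_token(session_id: str) -> str:
    """nonce.HMAC(session_id:nonce): valid only for the session it was issued to."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    try:
        nonce, mac = token.split(".", 1)
    except (AttributeError, ValueError):
        return False
    expected = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def same_origin(headers: dict) -> bool:
    """Compare scheme+host of Origin (or Referer) with the site. A plain prefix
    test would accept https://shop.example.test.evil.example."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False   # browsers send Origin on cross-site POSTs; treat absence as suspect
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def handle_account_edit(request: dict, session: dict) -> tuple:
    """request = {"headers": {...}, "form": {...}}; session = {"id": ..., "user": ...}.
    Returns (status, message)."""
    if not same_origin(request["headers"]):
        return 403, "cross-site request"
    if not verify_csrf_token(session["id"], request["form"].get("csrf_token", "")):
        return 403, "missing or invalid CSRF token"
    user = USERS[session["user"]]
    supplied = request["form"].get("current_password", "")
    # Email and password changes are takeover primitives: require the current password.
    if not hmac.compare_digest(_pw_hash(supplied, user["salt"]), user["pw_hash"]):
        return 403, "current password required"
    user["email"] = request["form"]["email"]
    return 200, "email updated"


if __name__ == "__main__":
    sess = {"id": "sess-abc", "user": "alice"}
    tok = issue_csrf_token(sess["id"])
    forged = {"headers": {"Origin": "https://evil.example"},
              "form": {"csrf_token": tok, "email": "x@evil.example", "current_password": "correct horse"}}
    print(handle_account_edit(forged, sess))
```

A cross-site page cannot read the token because it is only placed in the site's own responses, and it cannot forge the Origin header; the current-password check additionally limits the blast radius if a token does leak. A confirmation mail to the old address before an email change takes effect closes the reset-based takeover path as well.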

HIGH Exploit Db CVE published 2026-05-10

CVE-2021-47945

CVE-2021-47945 describes a local privilege escalation issue in Argus Surveillance DVR 4.0. The DVRWatchdog service uses an unquoted service path, which can allow a local attacker to influence which executable starts when the service is launched. In the supplied description, that can lead to attacker-controlled code running with LocalSystem privileges. The provided NVD record was published/modified on 2026 [truncated]
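Five entries on this page (CVE-2021-47974, CVE-2020-37247, CVE-2020-37232, CVE-2020-37229 and CVE-2021-47945) are the same CWE-428 weakness. The following is an added example and not code from any of those products: it classifies a Windows service ImagePath, lists the alternate executables the service control manager would try before the intended binary, names the directories an auditor then has to check for write access, and produces the quoted remediation. The service names and paths are constructed.

```python
"""Added example (not vendor code): audit Windows service ImagePath values for
the unquoted-service-path weakness (CWE-428)."""

import ntpath
import re

# Constructed ImagePath values of the kind `sc qc` / Win32_Service.PathName report.
SAMPLE_SERVICES = {
    "GoodQuoted": '"C:\\Program Files\\Vendor App\\svc.exe" -run',
    "GoodNoSpaces": "C:\\Windows\\system32\\svchost.exe -k netsvcs",
    "BadUnquoted": "C:\\Program Files\\Vendor App\\Service Host\\svc.exe -run",
}

_EXE_END = re.compile(r"\.exe\b", re.IGNORECASE)


def split_image_path(image_path: str):
    """Return (executable, arguments) for an unquoted ImagePath, or None when
    the path is already quoted or contains no .exe."""
    path = image_path.strip()
    if path.startswith('"'):
        return None
    match = _EXE_END.search(path)
    if not match:
        return None
    return path[: match.end()], path[match.end():]


def candidate_hijack_paths(image_path: str) -> list:
    """Executables Windows tries before the intended one. CreateProcess splits an
    unquoted command line at each space and appends .exe, so
    C:\\Program Files\\Vendor App\\svc.exe is preceded by C:\\Program.exe and
    C:\\Program Files\\Vendor.exe."""
    parsed = split_image_path(image_path)
    if parsed is None:
        return []
    exe, _ = parsed
    words = exe.split(" ")
    return [" ".join(words[:i]) + ".exe" for i in range(1, len(words))]


def hijack_directories(image_path: str) -> list:
    """Directories where a planted file would be picked up. On a real host the
    next step is checking whether low-privileged users can write to any of them."""
    return [ntpath.dirname(p) for p in candidate_hijack_paths(image_path)]


def quoted_image_path(image_path: str) -> str:
    """The remediation: quote the executable and leave arguments outside the quotes."""
    parsed = split_image_path(image_path)
    if parsed is None:
        return image_path
    exe, args = parsed
    return f'"{exe}"{args}' if " " in exe else image_path


def audit(services: dict) -> dict:
    """Map service name -> hijack candidates (an empty list means not affected)."""
    return {name: candidate_hijack_paths(path) for name, path in services.items()}


if __name__ == "__main__":
    for name, candidates in audit(SAMPLE_SERVICES).items():
        print(name, candidates or "ok")
```

On a live host the input comes from `Get-CimInstance Win32_Service | Select-Object Name, PathName` or `sc qc <service>`; directory permissions for the candidates are checked with `icacls`, and the fix is `sc config <service> binPath= "\"C:\path with spaces\svc.exe\""` or the equivalent registry edit.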

HIGH Exploit Db CVE published 2026-05-10

CVE-2021-47944

CVE-2021-47944 is a denial-of-service issue in memono Notepad 4.2. According to the supplied record, pasting very large character buffers into note fields can crash the application on iOS devices. The issue is recorded with high severity and an availability-focused impact, but the supplied corpus does not show evidence of code execution, data theft, or KEV inclusion.

HIGH Exploit Db CVE published 2026-05-10

CVE-2021-47943

CVE-2021-47943 is described in the supplied NVD record as an authenticated remote code execution issue in Textpattern CMS 4.8.7. The core risk is unsafe file upload handling: an authenticated attacker can upload a PHP file through the Files section and then invoke it from the web-accessible files directory to execute commands. The supplied record maps the weakness to CWE-434 (Unrestricted Upload of File w [truncated]

HIGH Exploit Db CVE published 2026-05-10

CVE-2021-47938

CVE-2021-47938 describes an authenticated remote code execution issue in ImpressCMS 1.4.2 affecting the autotasks administrative interface. According to the supplied record, an attacker with valid access can abuse the sat_code parameter to inject PHP code and cause server-side code execution. The NVD metadata rates the issue HIGH (CVSS 8.7) with network access, low attack complexity, low privileges, no us [truncated]

CRITICAL Exploit Db CVE published 2026-05-10

CVE-2021-47936

CVE-2021-47936 is a critical unauthenticated remote code execution issue in OpenCATS 0.9.4. The supplied description says attackers can upload malicious PHP disguised as resume attachments through the careers job application endpoint and then execute commands via requests to the uploaded file in the web-accessible upload directory.
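The Aero CMS, Textpattern and OpenCATS entries (CVE-2022-50944, CVE-2021-47943, CVE-2021-47936) all come down to an upload path that lets PHP reach a web-served directory. The following is an added example, not code from any of those projects: server-side validation for a document or image upload that rejects anything a PHP-capable server could execute, verifies the bytes match the claimed type, and stores accepted files under server-chosen random names. The allow-list, magic bytes, upload directory and sample files are constructed for the demonstration.

```python
"""Added example (not Aero CMS, Textpattern or OpenCATS code): upload validation
against PHP file upload (CWE-434) and safe storage."""

import os
import secrets
import tempfile
from typing import Tuple

# Final extension -> leading bytes the content must start with.
ALLOWED = {
    "pdf": b"%PDF-",
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
}
# Extensions PHP-capable servers may execute; rejected anywhere in the name,
# so shell.php.pdf and shell.phtml both fail.
SERVER_SIDE_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps", "inc"}

# Assumed storage location outside the web root (a temp dir for the demo).
UPLOAD_DIR = os.path.join(tempfile.gettempdir(), "upload_demo_store")


def validate_upload(filename: str, content: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason_or_extension)."""
    base = os.path.basename(filename.replace("\\", "/"))   # drop any client-supplied path
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:          # no extension, or a dotfile such as .htaccess
        return False, "no extension"
    exts = parts[1:]
    if any(e in SERVER_SIDE_EXTS for e in exts):
        return False, "server-side script extension"
    ext = exts[-1]
    if ext not in ALLOWED:
        return False, f"extension .{ext} not allowed"
    if not content.startswith(ALLOWED[ext]):    # claimed type must match the bytes
        return False, "content does not match extension"
    if b"<?php" in content or b"<?=" in content:  # polyglot: valid header with PHP inside
        return False, "embedded PHP tag"
    return True, ext


def storage_name(ext: str) -> str:
    """Random server-chosen name; the client's filename never reaches the filesystem."""
    return secrets.token_hex(16) + "." + ext


def store(filename: str, content: bytes, upload_dir: str = UPLOAD_DIR) -> Tuple[bool, str]:
    """Validate, then write under a random name in the non-served directory."""
    ok, info = validate_upload(filename, content)
    if not ok:
        return False, info
    name = storage_name(info)
    os.makedirs(upload_dir, exist_ok=True)
    with open(os.path.join(upload_dir, name), "wb") as fh:
        fh.write(content)
    return True, name


if __name__ == "__main__":
    samples = [
        ("resume.pdf", b"%PDF-1.4\n%constructed sample\n"),
        ("shell.php", b"<?php system($_GET['c']); ?>"),
        ("shell.php.pdf", b"%PDF-1.4"),
        ("shell.pdf", b"<?php system($_GET['c']); ?>"),
        ("poly.pdf", b"%PDF-1.4 <?php system($_GET['c']); ?>"),
        (".htaccess", b"AddType application/x-httpd-php .pdf"),
    ]
    for name, data in samples:
        print(name, validate_upload(name, data))
```

Even with this check in place, the upload directory should be served (if at all) by a handler that sets Content-Disposition: attachment, and the web server should have script execution disabled for it, so a second bypass of the validator still does not yield code execution.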

HIGH Exploit Db CVE published 2026-05-10

CVE-2021-47928

CVE-2021-47928 is a high-severity SQL injection issue affecting OpenCart TMD Vendor System 3.x. According to the CVE record, an unauthenticated attacker can inject SQL through the product_id parameter and use blind techniques to extract database data, including usernames, email addresses, and password reset codes from the oc_user table. Because the issue is network-reachable, requires no authentication, a [truncated]
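Three entries on this page are SQL injection: the blind time-based case in Fuel CMS (CVE-2021-47980), the unauthenticated search_query case in LayerBB (CVE-2021-47954) and the blind product_id case in the TMD Vendor System (CVE-2021-47928). The following is an added example, not code from any of those products: a search handler that concatenates user input into SQL, the boolean oracle that turns it into extraction of another table one character at a time, and the parameterized version that closes the hole. The schema, rows and column names are constructed, sqlite3 stands in for the real database, and a time-based variant differs only in replacing the row-count oracle with a response-time one.

```python
"""Added example (not Fuel CMS, LayerBB or TMD Vendor System code): blind
boolean-based SQL injection against a concatenated query, and its fix."""

import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed schema: a public post table and a private user table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE user (user_id INTEGER, username TEXT, code TEXT);
        INSERT INTO user VALUES (1, 'admin', 'r3set-c0de');
        CREATE TABLE post (post_id INTEGER, title TEXT);
        INSERT INTO post VALUES (1, 'Welcome'), (2, 'Rules');
        """
    )
    return conn


def search_vulnerable(conn, query: str) -> list:
    """Vulnerable: the search term is pasted into the SQL text."""
    sql = "SELECT post_id FROM post WHERE title LIKE '%" + query + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, query: str) -> list:
    """Fixed: the term is a bound parameter and is never parsed as SQL."""
    sql = "SELECT post_id FROM post WHERE title LIKE '%' || ? || '%'"
    return [row[0] for row in conn.execute(sql, (query,))]


def oracle(conn, condition: str) -> bool:
    """Boolean oracle: rows come back exactly when the injected condition holds.
    The trailing comment swallows the closing %' of the original query."""
    payload = "xyz' OR (" + condition + ") -- "
    return len(search_vulnerable(conn, payload)) > 0


def extract_code(conn, max_len: int = 32) -> str:
    """Recover user.code one character at a time through the oracle; the
    attacker never sees the column, only whether the page had results."""
    charset = "abcdefghijklmnopqrstuvwxyz0123456789-"
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in charset:
            cond = f"(SELECT substr(code,{pos},1) FROM user WHERE user_id=1)='{ch}'"
            if oracle(conn, cond):
                recovered += ch
                break
        else:
            break  # no character matched: end of the value
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("extracted via vulnerable search:", extract_code(db))
    print("same payload against safe search:", search_safe(db, "xyz' OR 1=1 -- "))
```

Against the parameterized query the same payload is just a search term nobody's title matches, which is why the fix is binding rather than escaping; the same binding discipline applies to the ORDER BY style injection the Fuel CMS entry describes, where the column name must be validated against an allow-list because identifiers cannot be bound as parameters.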

CRITICAL Exploit Db CVE published 2026-05-10

CVE-2021-47923

CVE-2021-47923 describes a critical session fixation issue in OpenCart 3.0.3.8. According to the supplied record, an attacker can set an arbitrary OCSESSID cookie value that the server accepts and keeps using rather than replacing it at login, enabling session takeover and unauthorized access to user accounts. The NVD record maps the weakness to CWE-290 and assigns a network-reachable, no-authentication, no-user-interaction attack-vector profile.
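The following is an added example, not OpenCart code, showing the mechanism behind the entry above: a session store that honours any client-supplied ID beside one that only recognises IDs it issued and rotates the ID at login, with a simulated fixation attempt run against both. The class names, the attacker-chosen cookie value and the scenario are constructed.

```python
"""Added example (not OpenCart code): session fixation against a store that
accepts arbitrary IDs, and the hardened store that defeats it."""

import secrets


class FixableSessions:
    """Vulnerable: whatever ID the cookie carries becomes a valid session."""

    def __init__(self):
        self.store = {}

    def load(self, cookie_id):
        if cookie_id is None:
            cookie_id = secrets.token_urlsafe(32)
        return self.store.setdefault(cookie_id, {"id": cookie_id})

    def login(self, session, user):
        session["user"] = user          # ID unchanged across the privilege change
        return session["id"]


class HardenedSessions:
    """Unknown IDs are ignored; login discards the old session and mints a new ID."""

    def __init__(self):
        self.store = {}

    def load(self, cookie_id):
        session = self.store.get(cookie_id)
        if session is None:             # absent, expired or attacker-supplied
            new_id = secrets.token_urlsafe(32)
            session = self.store[new_id] = {"id": new_id}
        return session

    def login(self, session, user):
        self.store.pop(session["id"], None)
        new_id = secrets.token_urlsafe(32)
        self.store[new_id] = {"id": new_id, "user": user}
        return new_id                   # caller sets the cookie to this value


def fixation_succeeds(sessions) -> bool:
    """Attacker plants a cookie value in the victim's browser, the victim logs
    in, then the attacker presents the same value: does it reach the account?"""
    planted = "attacker-chosen-session-id"
    victim_session = sessions.load(planted)      # victim's browser sends the planted cookie
    sessions.login(victim_session, "victim")
    attacker_session = sessions.load(planted)    # attacker presents the planted cookie
    return attacker_session.get("user") == "victim"


if __name__ == "__main__":
    print("vulnerable store hijacked:", fixation_succeeds(FixableSessions()))
    print("hardened store hijacked:", fixation_succeeds(HardenedSessions()))
```

Rotation at login is the core fix; issuing the cookie with Secure, HttpOnly and SameSite attributes reduces how easily the planted value can be set in the first place but does not replace it.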