How severe is CVE-2021-26291?

This vulnerability has a severity rating of CRITICAL with a CVSS score of 9.1 out of 10.

What type of vulnerability is CVE-2021-26291?

This is classified as CWE-346, which is a common weakness in software security.

CVE-2021-26291

CRITICAL Year: 2021

CVSS v3 Score

9.1

Critical

CVSS v2 Score

6.4

Medium

Weakness Type

CWE-346

View all →

Vulnerability Description

Apache Maven will follow repositories that are defined in a dependency’s Project Object Model (pom) which may be surprising to some users, resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that repository. Maven is changing the default behavior in 3.8.1+ to no longer follow http (non-SSL) repository references by default. More details available in the referenced urls. If you are currently using a repository manager to govern the repositories used by your builds, you are unaffected by the risks present in the legacy behavior, and are unaffected by this vulnerability and change to default behavior. See this link for more information about repository management: https://maven.apache.org/repository-management.html

CVE-2017-6519

CRITICAL

CVSS:9.1(Critical)

avahi-daemon in Avahi through 0.6.32 and 0.7 inadvertently responds to IPv6 unicast queries with source addresses that are not on-link, which allows remote attackers to cause a denial of service (traf...

CWE-3462017

CVE-2018-5400

CRITICAL

CVSS:9.1(Critical)

The Auto-Maskin products utilize an undocumented custom protocol to set up Modbus communications with other devices without validating those devices. The originating device sends a message in plaintex...

CWE-3462018

CVE-2019-25211

CRITICAL

CVSS:9.1(Critical)

parseWildcardRules in Gin-Gonic CORS middleware before 1.6.0 mishandles a wildcard at the end of an origin string, e.g., https://example.community/* is allowed when the intention is that only https://...

CWE-3462019

CVE-2021-39185

CRITICAL

CVSS:9.1(Critical)

Http4s is a minimal, idiomatic Scala interface for HTTP services. In http4s versions 0.21.26 and prior, 0.22.0 through 0.22.2, 0.23.0, 0.23.1, and 1.0.0-M1 through 1.0.0-M24, the default CORS configur...

CWE-3462021

CVE-2021-44935

CRITICAL

CVSS:9.1(Critical)

glFusion CMS v1.7.9 is affected by an arbitrary user impersonation vulnerability in /public_html/comment.php. The attacker can complete the attack remotely without interaction.

CWE-3462021

CVE-2025-25306

CRITICAL

CVSS:9.3(Critical)

Misskey is an open source, federated social media platform. The patch for CVE-2024-52591 did not sufficiently validate the relation between the `id` and `url` fields of ActivityPub objects. An attacke...

CWE-3462025

CVE-2021-26291

Vulnerability Description

Related Vulnerabilities

CVE-2017-6519

CVE-2018-5400

CVE-2019-25211

CVE-2021-39185

CVE-2021-44935

CVE-2025-25306