Every CVE whose affected-product data names Etherpad, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (16)
CVE-2021-43802 — CVSS 9.9 (critical): Etherpad is a real-time collaborative editor. In versions prior to 1.8.16, an attacker can craft an `*.etherpad` file that, when imported…
CVE-2018-6835 — CVSS 9.8 (critical): node/hooks/express/apicalls.js in Etherpad Lite before v1.6.3 mishandles JSONP, which allows remote attackers to bypass intended access…
CVE-2018-9327 — CVSS 8.1 (high): Etherpad 1.5.x and 1.6.x before 1.6.4 allows an attacker to execute arbitrary code on the server. The instance has to be configured to use…
CVE-2018-9325 — CVSS 7.5 (high): Etherpad 1.5.x and 1.6.x before 1.6.4 allows an attacker to export all the existing pads of an instance without knowledge of pad names.
CVE-2020-22781 — CVSS 7.5 (high): In Etherpad < 1.8.3, a specially crafted URI would raise an unhandled exception in the cache mechanism and cause a denial of service (crash…
CVE-2020-22782 — CVSS 7.5 (high): Etherpad < 1.8.3 is affected by a denial of service in the import functionality. Upload of binary file to the import endpoint would crash…
CVE-2015-2298 — CVSS 7.5 (high): node/utils/ExportEtherpad.js in Etherpad 1.5.x before 1.5.2 might allow remote attackers to obtain sensitive information by leveraging an…
CVE-2015-3297 — CVSS 7.5 (high): Directory traversal vulnerability in node/utils/Minify.js in Etherpad 1.1.1 through 1.5.2 allows remote attackers to read arbitrary files…
CVE-2015-3309 — CVSS 7.5 (high): Directory traversal vulnerability in node/utils/Minify.js in Etherpad 1.1.2 through 1.5.4 allows remote attackers to read arbitrary files…
CVE-2015-4085 — CVSS 7.5 (high): Directory traversal vulnerability in node/hooks/express/tests.js in Etherpad frontend tests before 1.6.1.
CVE-2020-22785 — CVSS 7.5 (high): Etherpad < 1.8.3 is affected by a missing lock check which could cause a denial of service. Aggressively targeting random pad import…
CVE-2021-34816 — CVSS 7.2 (high): An Argument Injection issue in the plugin management of Etherpad 1.8.13 allows privileged users to execute arbitrary code on the server by…
CVE-2020-22783 — CVSS 6.5 (medium): Etherpad <1.8.3 stored passwords used by users insecurely in the database and in log files. This affects every database backend supported…
CVE-2019-18209 — CVSS 6.1 (medium): templates/pad.html in Etherpad-Lite 1.7.5 has XSS when the browser does not encode the path of the URL, as demonstrated by Internet…
CVE-2021-34817 — CVSS 6.1 (medium): A Cross-Site Scripting (XSS) issue in the chat component of Etherpad 1.8.13 allows remote attackers to inject arbitrary JavaScript or HTML…