CVE-2021-39392
9.8 CRITICALThe management tool in MyLittleBackup up to and including 1.7 allows remote attackers to execute arbitrary code because machineKey is har...
Published: 2021-09-15 · Last updated: 2026-06-17
Severity and scoring
- CVSS
- 9.8 CRITICAL
- Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- CWE
- CWE-502
Affected products
| Vendor | Product |
|---|---|
| mylittletools | mylittlebackup |
Description
The management tool in MyLittleBackup up to and including 1.7 allows remote attackers to execute arbitrary code because machineKey is hardcoded (the same for all customers' installations) in web.config, and can be used to send serialized ASP code.
Source: NVD
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2021-39392
- [Other]http://www.mylittlebackup.com/mlb/zip/mlb_1.7.zip
- [Other]https://gist.github.com/omriinbar/65827626e63f15e3e50557e2d9d61281
- [Other]http://www.mylittlebackup.com/mlb/zip/mlb_1.7.zip
- [Other]https://gist.github.com/omriinbar/65827626e63f15e3e50557e2d9d61281
Related CVEs
Same CWE
- CVE-2026-48775 — LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite) (6.8 MEDIUM)
- CVE-2026-10748 — An authenticated user with the nx-licensing-create privilege can upload a specially crafted license file to execute arbitrary operating s...
- CVE-2026-24228 — NVIDIA NeMo Framework for Linux contains a vulnerability where an attacker may cause deserialization of untrusted data (7.8 HIGH)
- CVE-2026-48853 — Deserialization of Untrusted Data and Allocation of Resources Without Limits or Throttling vulnerabilities in elixir-grpc grpc allow unau...
- CVE-2026-9691 — Unauthenticated PHP Object Injection in Integration for ActiveCampaign and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.1.1 versions (9.8 CRITICAL)