High severity8.8NVD Advisory· Published Jul 12, 2022· Updated Apr 7, 2026

CVE-2021-38289

Description

An issue has been discovered in Novastar-VNNOX-iCare Novaicare 7.16.0 that gives attacker privilege escalation and allows attackers to view corporate information and SMTP server details, delete users, view roles, and other unspecified impacts. NOTE: As of April 2026, the vendor has officially decommissioned the affected legacy endpoints and associated services. The vulnerability is mitigated as the functional logic is no longer operational and the URLs have been removed from production.

Affected products

Novastar/Novaicare
cpe:2.3:a:novastar:novaicare:7.16.0:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

twitter.com/viperbluff/status/1439941380244230150nvdExploitThird Party Advisory
security.novaicare.com/advisory-cve-2021-38289.htmlnvd

News mentions

No linked articles in our index yet.

cvss	0.572
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000