🔥 Trending CVEs - Last 30 Days

CVE-2026-0848 allows arbitrary code execution in NLTK versions <=3.9.2 due to improper input validation in the StanfordSegmenter module. Attackers can...

This critical authentication bypass vulnerability in pac4j-jwt allows attackers with the server's RSA public key to forge JWT authentication tokens an...

This critical vulnerability in Cisco Secure Firewall Management Center allows unauthenticated remote attackers to execute arbitrary Java code with roo...

An authentication bypass vulnerability in Cisco Secure Firewall Management Center (FMC) allows unauthenticated remote attackers to execute arbitrary s...

This CVE describes a patch bypass vulnerability in FreeScout help desk software that allows authenticated users with file upload permissions to achiev...

OpenEMR versions before 8.0.0 contain an unauthenticated token disclosure vulnerability in the MedEx callback endpoint. Any unauthenticated visitor ca...

This critical authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller and Manager allows unauthenticated remote attackers to gain admi...

CVE-2026-27597 is a critical sandbox escape vulnerability in Enclave, a secure JavaScript sandbox for AI agent code execution. Attackers can bypass se...

This CVE describes a sandbox escape vulnerability in Firefox's Telemetry component due to incorrect boundary conditions. Attackers could potentially b...

This CVE describes a sandbox escape vulnerability in Firefox's DOM Core & HTML component due to incorrect boundary conditions. It allows malicious web...

This CVE describes a sandbox escape vulnerability in Firefox's IndexedDB storage component. Attackers could potentially break out of browser security ...

This CVE describes a sandbox escape vulnerability in Firefox's WebRender graphics component due to incorrect boundary conditions. It allows attackers ...

The ElementsKit Lite WordPress plugin versions before 3.7.9 expose an unauthenticated REST endpoint that accepts Mailchimp API credentials. Unauthenti...

Cloud Hypervisor versions 34.0 through 50.0 are vulnerable to host file exfiltration when using virtio-block devices with raw images. A malicious gues...

This vulnerability allows remote attackers to execute arbitrary operating system commands on PROLiNK PRC2402M routers by injecting shell metacharacter...

CVE-2025-30412 allows attackers to bypass authentication mechanisms in Acronis Cyber Protect, potentially leading to unauthorized access, sensitive da...

This critical vulnerability in NLTK's downloader component allows remote code execution when users download malicious zip packages. Attackers can craf...

Dell RecoverPoint for Virtual Machines versions before 6.0.3.1 HF1 contain hardcoded credentials that allow unauthenticated remote attackers to gain r...

This zip slip vulnerability in MojoPortal CMS allows attackers to upload malicious zip files that extract to arbitrary locations on the server, potent...

Crawl4AI versions before 0.8.0 contain an unauthenticated remote code execution vulnerability in the Docker API deployment. Attackers can send malicio...

A path traversal vulnerability in the ZBT WE2001 router's check_token function allows remote attackers to bypass authentication by manipulating sessio...

CVE-2026-25632 is a critical remote code execution vulnerability in EPyT-Flow's REST API. Attackers can send malicious JSON payloads that trigger dyna...

CVE-2026-25641 is a sandbox escape vulnerability in SandboxJS library versions before 0.8.29. Attackers can bypass JavaScript sandbox restrictions by ...

SandboxJS versions before 0.8.29 have a critical sandbox escape vulnerability that allows attackers to obtain the host's Function constructor and exec...

This CVE describes a sandbox escape vulnerability in SandboxJS library versions before 0.8.29. Attackers can bypass JavaScript sandboxing by shadowing...

CVE-2026-25587 is a critical sandbox escape vulnerability in SandboxJS library versions before 0.8.29. Attackers can overwrite Map.prototype.has to br...

This vulnerability allows malicious code running inside Claude Code's sandbox to create a missing settings.json file and inject persistent hooks that ...

This vulnerability in Go's crypto/tls package allows TLS session resumption to succeed when it should fail due to certificate authority configuration ...

This vulnerability allows authenticated attackers with workflow write access in one project to create and manage sites on servers belonging to other p...

OpenClaw gateway versions before 2026.2.14 have an authorization bypass vulnerability where authenticated clients can manipulate node.invoke parameter...

This vulnerability allows attackers with read/write access to Vitess backup storage locations to manipulate backup manifest files, leading to arbitrar...

This vulnerability in OpenLIT's GitHub Actions workflows allows attackers to execute arbitrary code with repository write privileges and access sensit...

This vulnerability in n8n allows authenticated users with workflow creation/modification permissions to escape the JavaScript Task Runner sandbox and ...

OpenEMR versions before 8.0.0 contain an SQL injection vulnerability in the Patient REST API endpoint that allows authenticated users with API access ...

CVE-2026-27728 is an OS command injection vulnerability in OneUptime's NetworkPathMonitor.performTraceroute() function that allows authenticated proje...

This CVE describes a critical server-side JavaScript injection vulnerability in Budibase Cloud (SaaS) that allows any authenticated user to execute ar...

This CVE allows attackers to manipulate PersistentVolume path patterns to create volumes in arbitrary host node locations, potentially overwriting sen...

CVE-2026-27626 allows authenticated users to execute arbitrary OS commands on OliveTin hosts by injecting shell metacharacters through password-type a...

CVE-2026-24849 is an arbitrary file read vulnerability in OpenEMR's EtherFaxActions.php. Any authenticated user, regardless of privilege level, can ex...

CVE-2026-27574 allows remote code execution in OneUptime monitoring software. Any user with ProjectMember role (including anonymous users via open reg...

This vulnerability allows attackers to upload malicious files to WordPress sites using the Bravis Addons plugin. It affects all WordPress installation...

This vulnerability allows attackers to upload malicious files, including web shells, to servers running the Wiguard WordPress theme. It affects all ve...

Microsoft Semantic Kernel Python SDK versions before 1.39.4 contain a remote code execution vulnerability in the InMemoryVectorStore filter functional...

This CVE describes a Server-Side Template Injection vulnerability in Datart's Freemarker template engine that allows authenticated attackers to execut...

An authenticated attacker in SAP CRM and SAP S/4HANA can exploit a flaw in the Scripting Editor's generic function module to execute arbitrary SQL sta...

This vulnerability in GitLab AI Gateway allows attackers to execute arbitrary code or cause denial of service through insecure template expansion in D...

OpenProject versions before 16.6.7 and 17.0.3 contain an arbitrary file write vulnerability that can lead to remote code execution. Attackers with rep...

CVE-2026-25592 is an arbitrary file write vulnerability in Microsoft's Semantic Kernel .NET SDK that allows attackers to write files to arbitrary loca...

This critical vulnerability allows unauthenticated attackers to read and write sensitive files via AppEngine's HTTP-based file access feature. Attacke...

CVE-2026-29058 is a critical remote code execution vulnerability in AVideo video-sharing platform where unauthenticated attackers can execute arbitrar...