🔥 Trending CVEs - Last 30 Days

This vulnerability in ImageMagick allows attackers to trigger an integer overflow when processing large UHDR images, leading to heap buffer overflow a...

This SQL injection vulnerability in WebIncorp ERP allows unauthenticated attackers to manipulate database queries through the prod_id parameter in pro...

Inventory Webapp contains an unauthenticated SQL injection vulnerability in the add-item.php endpoint. Attackers can inject malicious SQL code through...

XOOPS CMS 2.5.9 contains an unauthenticated SQL injection vulnerability in the gerar_pdf.php endpoint via the cid parameter. Attackers can execute arb...

CVE-2019-25366 is an SQL injection vulnerability in microASP Portal+ CMS that allows unauthenticated attackers to execute arbitrary SQL queries by inj...

CVE-2026-2818 is a zip-slip path traversal vulnerability in Spring Data Geode's import snapshot functionality that allows attackers to write arbitrary...

A Cross-Site Scripting (XSS) vulnerability in Key Systems Inc Global Facilities Management Software allows remote attackers to inject malicious script...

CVE-2026-21535 is an improper access control vulnerability in Microsoft Teams that allows unauthorized attackers to access and disclose sensitive info...

CVE-2026-26337 is an absolute path traversal vulnerability in Hyland Alfresco Transformation Service that allows unauthenticated attackers to read arb...

MajorDoMo contains an unauthenticated SQL injection vulnerability in the commands module that allows attackers to execute arbitrary SQL queries withou...

This SQL injection vulnerability in SD.NET RIM allows attackers to execute arbitrary SQL commands through POST parameters 'idtyp' and 'idgremium' at t...

This vulnerability in OpenStack Nova allows authenticated users to trigger unsafe image resize operations by writing malicious QCOW headers to root or...

A vulnerability in Yokogawa's Vnet/IP Interface Package allows attackers to cause denial of service or execute arbitrary code by sending maliciously c...

CVE-2019-25325 is an SQL injection vulnerability in Thrive Smart Home 1.1 that allows unauthenticated attackers to bypass authentication by injecting ...

This vulnerability in Dell Update Package (DUP) Framework allows low-privileged local attackers to elevate their privileges to higher levels. It affec...

This vulnerability in Vadi Corporate Information Systems' DIGIKENT software exposes sensitive system information to unauthorized parties. It affects a...

This vulnerability in PowerDNS Recursor allows attackers to poison cached DNS delegations by sending crafted delegations or IP fragments. This affects...

A DOM-based cross-site scripting (XSS) vulnerability in JetBrains PyCharm's Jupyter viewer page allows attackers to execute arbitrary JavaScript in th...

A path traversal vulnerability in Calibre's EPUB conversion allows malicious EPUB files to corrupt arbitrary files writable by the Calibre process. At...

This vulnerability in REVA's GRPC authorization middleware allows attackers to bypass scope verification on public links. Malicious users can exploit ...

Caddy servers running versions 2.10.0 through 2.11.1 with forward_auth middleware configured are vulnerable to identity injection and privilege escala...

DSA Study Hub's authentication system stored JSON Web Tokens in HTTP cookies without cryptographic protection, allowing attackers to read and potentia...

This vulnerability allows attackers to hijack password reset links by manipulating HTTP headers. Attackers can send malicious Forwarded or X-Forwarded...

This vulnerability allows remote code execution in applications using Locutus library versions before 3.0.0. Attackers can inject arbitrary JavaScript...

This vulnerability exposes memcached session storage without authentication in WWBN AVideo's Docker configuration, allowing attackers to hijack sessio...

This CSRF vulnerability in Chamilo LMS allows attackers to trick authenticated trainers into deleting projects within courses without their consent. T...

CVE-2026-28710 allows attackers to access and manipulate sensitive information in Acronis Cyber Protect 17 due to improper authentication. This affect...

OpenClaw versions before 2026.2.2 have an authentication bypass vulnerability in the WebSocket gateway connection handshake. Attackers can connect wit...

OpenClaw versions 2026.1.29-beta.1 through 2026.2.1 contain a path traversal vulnerability in plugin installation. Attackers can craft malicious plugi...

This vulnerability in the WordPress Restrict Content plugin allows unauthenticated attackers to register with any membership level, including inactive...

This SQL injection vulnerability in Cisco Secure FMC's web management interface allows authenticated attackers to execute arbitrary SQL commands. Atta...

A heap-based buffer overflow vulnerability in libbiosig's Nicolet WFT file parser allows arbitrary code execution when processing malicious .wft files...

This vulnerability allows unauthenticated attackers to bypass authentication in WordPress sites using the User Registration & Membership plugin. Attac...

A buffer overflow vulnerability in the parallel HNSW index build functionality of pgvector allows authenticated database users to read sensitive data ...

This is a reflected Cross-site Scripting (XSS) vulnerability in Rucio's WebUI that allows attackers to steal login session tokens. Attackers can craft...

CVE-2026-22719 is a command injection vulnerability in VMware Aria Operations that allows unauthenticated attackers to execute arbitrary commands duri...

OpenEMR patient portal users can forge provider signatures by exploiting an authorization bypass in the signature upload endpoint. This affects all Op...

This path traversal vulnerability in ASUSTOR ADM FTP Backup allows attackers to access files outside the intended directory by manipulating file paths...

This vulnerability in RustFS allows attackers to bypass upload policy restrictions in presigned POST uploads, enabling unauthorized file uploads that ...

OpenEMR versions before 7.0.4 have disabled SSL/TLS certificate verification by default in their HTTP client, making all HTTPS connections vulnerable ...

An authenticated user with Installer role in REB500 can access and modify directories they are not authorized to access. This privilege escalation vul...

Zumba Json Serializer versions 3.2.2 and below allow PHP Object Injection through untrusted JSON deserialization. The library's @type field can instan...

This stored cross-site scripting (XSS) vulnerability in Statmatic CMS allows authenticated users with field management permissions to inject malicious...

FeathersJS versions 5.0.39 and below have an origin validation vulnerability where the getAllowedOrigin() function uses startsWith() for comparison, a...

This vulnerability allows unauthorized authentication in Strimzi Kafka clusters when using custom CA certificates with multi-stage chains. Attackers w...

This vulnerability allows unauthenticated remote attackers to execute arbitrary code on MLflow Tracking Server installations via directory traversal i...

This CVE describes a command injection vulnerability in Deno's node:child_process implementation that allows attackers to execute arbitrary commands o...

This vulnerability allows attackers to include local files on the server through PHP's include/require statements in the Parkivia WordPress theme. Att...

This vulnerability allows attackers to include local files on the server through improper filename control in PHP include/require statements. It affec...

This vulnerability allows attackers to include local files on the server through improper filename control in PHP include/require statements. It affec...