🔥 Trending CVEs - Last 90 Days
4,680 critical and high-severity vulnerabilities discovered in the last 90 days. Stay ahead of emerging threats with real-time CVE tracking and instant security alerts.
Critical & High-Risk CVEs
This SQL injection vulnerability in the WooCommerce Orders & Customers Exporter plugin allows attackers to execute arbitrary SQL commands on WordPress...
📅 58 days ago • Jan 8, 2026

CVE-2025-14360 is a missing authorization vulnerability in the Kaira Blockons WordPress plugin that allows attackers to access functionality not prope...
📅 58 days ago • Jan 8, 2026

This vulnerability allows attackers to include local PHP files through improper filename control in the ThemeMove AeroLand WordPress theme. Attackers ...
📅 58 days ago • Jan 8, 2026

This CVE describes a PHP Local File Inclusion vulnerability in the Brook WordPress theme that allows attackers to include arbitrary local files via im...
📅 58 days ago • Jan 8, 2026

This vulnerability allows attackers to include local files on the server through improper filename control in PHP include/require statements. It affec...
📅 58 days ago • Jan 8, 2026

This CVE describes a PHP Local File Inclusion vulnerability in the OchaHouse WordPress theme that allows attackers to include arbitrary local files th...
📅 58 days ago • Jan 8, 2026

This CVE describes a missing authorization vulnerability in the REHub Framework WordPress plugin that allows attackers to access functionality not pro...
📅 58 days ago • Jan 8, 2026

This vulnerability allows attackers to include local files on the server through improper filename control in PHP include/require statements. It affec...
📅 58 days ago • Jan 8, 2026

This CVE describes a PHP Local File Inclusion vulnerability in the Rozy - Flower Shop WordPress theme. Attackers can include arbitrary local files via...
📅 58 days ago • Jan 8, 2026

ClipBucket v5 versions 5.5.2-#187 and below contain a blind SQL injection vulnerability in the comment functionality. Attackers can exploit this by in...
📅 59 days ago • Jan 8, 2026

This CVE describes a critical stack-based buffer overflow vulnerability in Panda3D's egg-mkfont tool. Attackers can exploit this by supplying an exces...
📅 59 days ago • Jan 7, 2026

This CVE describes a global buffer overflow vulnerability in zlib's untgz utility when processing excessively long archive names via command line. The...
📅 59 days ago • Jan 7, 2026

CVE-2025-68705 is a path traversal vulnerability in RustFS's /rustfs/rpc/read_file_stream endpoint that allows attackers to read arbitrary files on th...
📅 59 days ago • Jan 7, 2026

An authentication bypass vulnerability in Tarkov Data Manager allows unauthenticated attackers to gain full admin access by exploiting JavaScript prot...
📅 59 days ago • Jan 7, 2026

This CVE describes a PHP object injection vulnerability in the DZS Video Gallery WordPress plugin that allows attackers to execute arbitrary code thro...
📅 59 days ago • Jan 7, 2026

The Optional Email WordPress plugin contains a privilege escalation vulnerability that allows unauthenticated attackers to reset any user's password, ...
📅 59 days ago • Jan 7, 2026

This CVE describes a remote command injection vulnerability in TRENDnet TEW-713RE routers. Attackers can execute arbitrary operating system commands b...
📅 60 days ago • Jan 7, 2026

A critical authentication bypass vulnerability in wolfSSH's key exchange state machine allows attackers to manipulate the authentication process. This...
📅 60 days ago • Jan 6, 2026

Blue Access Cobalt v02.000.195 has an authentication bypass vulnerability that allows attackers to proxy requests and access web application functiona...
📅 60 days ago • Jan 6, 2026

This CVE describes a Missing Authorization vulnerability in the InWave Jobs WordPress plugin that allows attackers to bypass access controls. Attacker...
📅 60 days ago • Jan 6, 2026

A vsftpd misconfiguration vulnerability in H3C wireless devices allows anonymous FTP uploads to be owned by the root user. Remote attackers can exploi...
📅 60 days ago • Jan 6, 2026

This vulnerability allows unauthenticated attackers to download the core configuration file from NJHYST HY511 POE devices, extract MD5-hashed password...
📅 60 days ago • Jan 6, 2026

CVE-2026-21675 is a use-after-free vulnerability in iccDEV's CIccXform::Create() function that can lead to arbitrary code execution. This affects appl...
📅 61 days ago • Jan 6, 2026

This CVE describes an authentication bypass vulnerability in TECNO Mobile's Boomplayer app. Attackers can bypass authentication mechanisms due to insu...
📅 61 days ago • Jan 6, 2026

The Crypt::Sodium::XS Perl module includes a vulnerable version of libsodium that mishandles elliptic curve point validation in certain custom cryptog...
📅 61 days ago • Jan 6, 2026

An authentication bypass vulnerability in Nuvation Energy Multi-Stack Controller (MSC) allows attackers to access protected functionality without vali...
📅 64 days ago • Jan 2, 2026

This vulnerability in Nuvation Energy Multi-Stack Controller allows the device to act as an unintended proxy or intermediary, potentially bridging net...
📅 64 days ago • Jan 2, 2026

Bagisto eCommerce platforms running versions before 2.3.10 are vulnerable to server-side template injection via the type parameter. This allows attack...
📅 64 days ago • Jan 2, 2026

Bagisto eCommerce platform versions before 2.3.10 are vulnerable to server-side template injection that can lead to remote code execution. When custom...
📅 64 days ago • Jan 2, 2026

Bagisto eCommerce platform versions before 2.3.10 have unprotected API endpoints that remain accessible after installation. Unauthenticated attackers ...
📅 64 days ago • Jan 2, 2026

An SQL injection vulnerability in Hyper Data Protector allows remote attackers to execute unauthorized SQL commands. This affects all systems running ...
📅 64 days ago • Jan 2, 2026

This vulnerability in gpsd allows attackers to trigger heap-based out-of-bounds writes by sending specially crafted NMEA2000 PGN 129540 packets with e...
📅 64 days ago • Jan 2, 2026

This critical vulnerability in Malware Remover allows remote attackers to bypass security protections through improper code generation control. Attack...
📅 64 days ago • Jan 2, 2026

This SQL injection vulnerability in the online-movie-booking system allows attackers to execute arbitrary SQL commands through the movie_details.php e...
📅 64 days ago • Jan 2, 2026

The Branda WordPress plugin has an authentication bypass vulnerability that allows unauthenticated attackers to reset passwords for any user account, ...
📅 64 days ago • Jan 2, 2026

CVE-2025-69286 is a critical authentication bypass vulnerability in RAGFlow where API keys and beta tokens are generated using the same insecure algor...
📅 66 days ago • Dec 31, 2025

A stack-based buffer overflow vulnerability in libcoap allows remote attackers to crash applications or potentially execute arbitrary code when proxy ...
📅 66 days ago • Dec 31, 2025

This critical vulnerability in Ksenia Security Lares 4.0 Home Automation version 1.6 exposes the alarm system PIN in server responses after authentica...
📅 67 days ago • Dec 30, 2025

Ksenia Security Lares 4.0 Home Automation version 1.6 contains hardcoded default administrative credentials. Attackers can use these weak default cred...
📅 67 days ago • Dec 30, 2025

CVE-2023-53983 allows attackers to gain full administrative control of Anevia Flamingo XL/XS devices by exploiting weak default credentials. This affe...
📅 67 days ago • Dec 30, 2025

CVE-2023-54327 is an authentication bypass vulnerability in Tinycontrol LAN Controller 1.58a that allows unauthenticated attackers to change administr...
📅 67 days ago • Dec 30, 2025

JM-DATA ONU JF511-TV devices running version 1.0.67 have hardcoded default administrative credentials that cannot be changed. Attackers can use these ...
📅 67 days ago • Dec 30, 2025

This vulnerability allows unauthenticated attackers to execute arbitrary system commands on SOUND4 IMPACT/FIRST/PULSE/Eco systems by injecting shell c...
📅 67 days ago • Dec 30, 2025

This vulnerability allows unauthenticated attackers to execute arbitrary code on SOUND4 IMPACT/FIRST/PULSE/Eco systems by exploiting a path traversal ...
📅 67 days ago • Dec 30, 2025

SOUND4 IMPACT/FIRST/PULSE/Eco devices versions 2.x and below contain hardcoded credentials in server binaries that cannot be changed through normal op...
📅 67 days ago • Dec 30, 2025

This SQL injection vulnerability in SOUND4 IMPACT/FIRST/PULSE/Eco systems allows attackers to bypass authentication and potentially access sensitive d...
📅 67 days ago • Dec 30, 2025

CVE-2022-50691 is a critical remote command execution vulnerability in MiniDVBLinux 5.4 that allows unauthenticated attackers to execute arbitrary com...
📅 67 days ago • Dec 30, 2025

A heap-based memory corruption vulnerability in matio library versions up to 1.5.28 allows attackers to cause out-of-bounds reads and invalid memory f...
📅 67 days ago • Dec 30, 2025

This vulnerability allows unauthenticated attackers to execute arbitrary commands remotely on affected JD Cloud NAS routers. Attackers can gain full c...
📅 67 days ago • Dec 30, 2025

This vulnerability allows attackers to bypass authentication in RustFS by using a hardcoded static token that is publicly exposed in the source code. ...
📅 67 days ago • Dec 30, 2025

Why Track Trending CVEs?
Stay ahead of emerging threats: Newly discovered vulnerabilities pose the highest risk as attackers race to exploit them before patches are deployed. Trending CVEs represent the most critical security issues requiring immediate attention from security teams worldwide.
Prioritize remediation efforts: With thousands of CVEs published annually, security teams need to focus on the most recent and severe threats first. Our trending CVE dashboard highlights critical and high-severity vulnerabilities from the past 7, 30, or 90 days, helping you prioritize patching efforts.
🚀 Automated Trending CVE Monitoring
- Scan your servers to detect packages affected by trending CVEs
- Receive instant email alerts when critical vulnerabilities are discovered
- Dashboard shows CVE age, severity, CVSS scores, and affected systems
- Filter by time period (7/30/90 days) to focus on recent threats