🔥 Trending CVEs - Last 90 Days

This critical vulnerability allows unauthenticated attackers to enable Telnet service and gain root access with blank password on Totolink X5000R rout...

This path traversal vulnerability in Budibase allows authenticated users with builder privileges to read arbitrary server files, including sensitive e...

This CVE describes an authentication bypass vulnerability in Huawei device authentication modules that allows attackers to bypass authentication mecha...

This critical vulnerability in Pebble Prism Ultra v2.9.2 allows attackers within Bluetooth range to execute arbitrary commands, intercept data, and hi...

This vulnerability in asbplayer v1.13.0 allows attackers to upload malicious subtitle files that can execute arbitrary code on the system. Users of as...

OpenS100 (S-100 viewer reference implementation) contains a remote code execution vulnerability where untrusted portrayal catalogues can execute arbit...

This vulnerability allows authenticated low-privileged users in SAP NetWeaver ABAP systems to execute unauthorized background Remote Function Calls, b...

A URL encoding vulnerability in Yokogawa's FAST/TOOLS industrial control system allows attackers to manipulate web pages or execute malicious scripts....

This vulnerability allows attackers to bypass security controls in Langroid's TableChatAgent and execute arbitrary code through the pandas_eval tool. ...

A signature verification vulnerability in Rapid7 InsightVM's Assertion Consumer Service allows attackers to bypass authentication and gain unauthorize...

This CVE describes a Local File Inclusion vulnerability in the lollms-webui application that allows attackers to execute arbitrary Python code remotel...

CVE-2026-25130 is a critical argument injection vulnerability in the Cybersecurity AI (CAI) framework that allows remote code execution. Attackers can...

CVE-2026-22793 is an unsafe option parsing vulnerability in the ECharts Markdown plugin of the 5ire AI assistant that allows arbitrary JavaScript exec...

This vulnerability allows attackers to inject malicious HTML that executes arbitrary JavaScript in the 5ire desktop AI assistant renderer context. Thi...

This vulnerability allows attackers to read arbitrary files on MedDream PACS Premium servers by sending specially crafted HTTP requests to the encapsu...

SiYuan personal knowledge management systems before version 3.5.4 have a stored XSS vulnerability in the dynamic icon feature. Attackers can inject ma...

This vulnerability in the Dive MCP Host Desktop Application allows attackers to install malicious MCP server configurations via crafted deeplinks with...

CVE-2025-12543 is a critical vulnerability in Undertow HTTP server core where improper Host header validation allows attackers to poison caches, perfo...

This vulnerability allows remote command execution as root on Coolify instances when users create applications from malicious repositories using the d...

A Cross-Site Request Forgery (CSRF) vulnerability in the ConoHa by GMO WING WordPress Migrator plugin allows attackers to trick authenticated administ...

This CVE describes a remote code execution vulnerability in the 5ire AI assistant desktop application. The vulnerability allows attackers to execute a...

This CVE describes an iframe injection vulnerability in MyNET v.26.06 and earlier that allows remote attackers to execute arbitrary code via the src p...

This critical vulnerability in Frappe Framework's Attachments module allows attackers to upload malicious XML files that can lead to remote code execu...

ChurchCRM versions before 6.5.3 contain a SQL injection vulnerability in the Event Attendee Editor that allows authenticated users to execute arbitrar...

A Cross-Site Scripting (XSS) vulnerability in DriveLock Operations Center versions 25.1.2 through 25.1.4 allows attackers to inject malicious scripts ...

DeepChat versions before 0.5.3 contain a critical vulnerability where unsafe Mermaid diagram rendering allows arbitrary JavaScript execution. This XSS...

CVE-2025-67511 is a command injection vulnerability in Cybersecurity AI (CAI) framework versions 0.5.9 and below. Attackers can inject malicious comma...

This vulnerability allows unauthenticated attackers to impersonate legitimate charging stations by connecting to WebSocket endpoints without proper au...

This CVE describes a critical authentication bypass vulnerability in WebSocket endpoints used for OCPP (Open Charge Point Protocol) communication. Att...

This vulnerability allows unauthenticated attackers to impersonate legitimate charging stations by connecting to WebSocket endpoints without proper au...

This vulnerability in Zephyr RTOS's DNS resolver allows an out-of-bounds write when processing malicious DNS responses. Attackers can exploit this to ...

CVE-2026-26980 is an SQL injection vulnerability in Ghost CMS that allows unauthenticated attackers to read arbitrary data from the database. This aff...

This is a reflected cross-site scripting (XSS) vulnerability in Turboard software that allows attackers to inject malicious scripts into web pages. Us...

Fiber web framework versions before 2.52.11 on Go versions prior to 1.24 may generate predictable UUIDs when crypto/rand fails to obtain secure random...

Keylime versions 7.12.0 and later have a critical authentication bypass vulnerability where the registrar fails to enforce client-side TLS certificate...

The Aptsys POS Platform Web Services module exposes internal API testing tools to unauthenticated users, allowing attackers to discover and execute cr...

This SQL injection vulnerability in the Aptsys gemscms POS Platform allows attackers to execute arbitrary SQL commands by manipulating the id paramete...

This vulnerability allows attackers to perform brute force attacks against user accounts and exploit weak password recovery mechanisms in Birebirsoft ...

This vulnerability allows unauthenticated attackers to establish WebSocket connections to affected systems, bypassing authentication entirely. Attacke...

A missing authorization vulnerability in the Order Listener for WooCommerce plugin allows attackers to bypass access controls and perform unauthorized...

This vulnerability allows unauthenticated attackers to execute unpublished edit-mode actions in publicly accessible Appsmith applications. Attackers c...

An authentication bypass vulnerability in Mitel MiVoice MX-ONE Provisioning Manager allows unauthenticated attackers to gain unauthorized access to us...

This vulnerability allows authentication bypass in ZimaOS by exploiting improper password validation for system service accounts. Attackers can gain a...

This SQL injection vulnerability in the tPlayer WordPress plugin allows attackers to execute arbitrary SQL commands on the database. It affects all Wo...

CVE-2025-67510 is a critical SQL injection vulnerability in the Neuron AI framework's MySQLWriteTool that allows arbitrary SQL execution. This enables...

This vulnerability allows unauthenticated attackers to access camera configuration information, including account credentials, by exploiting a specifi...

This vulnerability allows cross-site scripting (XSS) attacks through ZITADEL's SAML login endpoint, potentially enabling attackers to steal authentica...

An unauthenticated reflected XSS vulnerability in SiYuan's dynamic icon API allows attackers to inject malicious JavaScript via crafted SVG images. Wh...

Ghostfolio versions before 2.245.0 contain a server-side request forgery (SSRF) vulnerability in the manual asset import feature. Attackers can exploi...

A stored cross-site scripting (XSS) vulnerability in AliasVault Web Client allows attackers to inject malicious JavaScript into emails sent to any Ali...