🔥 Trending CVEs - Last 90 Days

This is a stored cross-site scripting (XSS) vulnerability in Bugsink error tracking software. Unauthenticated attackers who can submit error events to...

This vulnerability in Statmatic CMS allows attackers to hijack password reset tokens and take over user accounts. Attackers need a valid email address...

CVE-2026-25896 is a vulnerability in fast-xml-parser where a dot (.) in a DOCTYPE entity name is treated as a regex wildcard during entity replacement...

This SQL injection vulnerability in Download Manager Addons for Elementor allows attackers to execute arbitrary SQL commands against the WordPress dat...

This SQL injection vulnerability in the Wolmart Core WordPress plugin allows attackers to execute arbitrary SQL commands on affected databases. It aff...

This SQL injection vulnerability in the TeconceTheme Emerce Core WordPress plugin allows attackers to execute arbitrary SQL commands on the database. ...

This SQL injection vulnerability in the Saasplate Core WordPress plugin allows attackers to execute arbitrary SQL commands against the database. It af...

This SQL injection vulnerability in the Crete Core WordPress plugin allows attackers to execute arbitrary SQL commands against the database. It affect...

This CVE describes a blind SQL injection vulnerability in the TeconceTheme Medinik Core WordPress plugin. Attackers can inject malicious SQL queries t...

This vulnerability in Kata Containers allows a container user to modify the Guest micro VM's file system, leading to arbitrary code execution as root ...

This vulnerability allows an attacker with code execution on the infotainment system's main processor to execute arbitrary code on the RH850 CAN commu...

This vulnerability allows local attackers to map arbitrary memory addresses due to missing bounds checking in the vpu_mmap function. This can lead to ...

This prototype pollution vulnerability in Qwik's formToObj() function allows unauthenticated attackers to modify Object.prototype by sending specially...

FUXA v1.2.7 has an insecure default configuration where authentication is disabled by default due to a commented-out 'secureEnabled' flag. This allows...

This CVE describes a privilege escalation vulnerability in MediaTek wlan STA drivers where missing bounds checks allow local attackers to gain elevate...

This vulnerability allows attackers to inject malicious HTML/JavaScript payloads into ChatterMate chatbot inputs, which are then executed in users' br...

This vulnerability in M365 Copilot allows unauthorized attackers to access sensitive information over the network due to improper input validation. Al...

This critical vulnerability in Azure Entra ID (formerly Azure Active Directory) allows attackers to elevate privileges within cloud environments. Atta...

This cross-site scripting (XSS) vulnerability in Microsoft Account allows attackers to inject malicious scripts into web pages viewed by other users. ...

This SQL injection vulnerability in the Paid Downloads WordPress plugin allows attackers to execute arbitrary SQL commands on the database. It affects...

This SQL injection vulnerability in the CleverReach® WP WordPress plugin allows attackers to execute arbitrary SQL commands on the database. It affec...

This SQL injection vulnerability in the MailerLite WooCommerce integration plugin allows attackers to execute arbitrary SQL commands on the WordPress ...

This cross-site scripting vulnerability in Movary allows attackers to inject malicious scripts via the 'categoryUpdated' parameter. Users running Mova...

This cross-site scripting (XSS) vulnerability in Movary allows attackers to inject malicious scripts via the 'categoryDeleted' parameter. Users of Mov...

CVE-2026-23841 is a cross-site scripting (XSS) vulnerability in Movary web application versions prior to 0.70.0. Attackers can inject malicious script...

This vulnerability in OWASP Core Rule Set (CRS) allows attackers to bypass multipart request filtering in web application firewalls. When processing m...

CVE-2026-21855 is a reflected Cross-Site Scripting (XSS) vulnerability in Tarkov Data Manager's toast notification system that allows attackers to exe...

This SQL injection vulnerability in the WPCHURCH WordPress plugin allows attackers to execute arbitrary SQL commands on the database. It affects all v...

CVE-2026-21430 is a CSRF vulnerability in Emlog's article creation functionality that allows attackers to force users to post malicious articles. When...

Ksenia Security Lares 4.0 Home Automation version 1.6 contains an unprotected endpoint that allows authenticated attackers to upload MPFS File System ...

A serialization injection vulnerability in LangChain's dumps() and dumpd() functions allows attackers to inject malicious data that gets treated as le...

This SQL injection vulnerability in the Advance Seat Reservation Management for WooCommerce plugin allows attackers to execute arbitrary SQL commands ...

Adobe Experience Manager versions 6.5.23 and earlier contain a DOM-based Cross-Site Scripting vulnerability that allows attackers to execute arbitrary...

Adobe Experience Manager versions 6.5.23 and earlier contain a DOM-based Cross-Site Scripting vulnerability that allows attackers to execute arbitrary...

Adobe Experience Manager versions 6.5.23 and earlier contain a DOM-based Cross-Site Scripting vulnerability that allows attackers to execute arbitrary...

This vulnerability allows attackers to execute arbitrary operating system commands with root privileges within the container running bleon-ethical/api...

This vulnerability allows unauthorized remote attackers to upload and apply arbitrary updates via the wwwupdate.cgi endpoint due to insufficient autho...

This vulnerability in Soft Serve allows authenticated SSH users to perform Server-Side Request Forgery (SSRF) attacks by exploiting the repo import fe...

This broken access control vulnerability in File Browser allows authenticated users with only Create permission to delete files and directories they s...

CVE-2026-24457 is a path traversal vulnerability in OpenMQ's configuration parsing that allows remote attackers to read arbitrary files from the MQ Br...

A typo in Froxlor's input validation code (== instead of =) disables email format checking for admin email settings. This allows authenticated admins ...

CVE-2026-27812 is a password reset poisoning vulnerability in Sub2API versions before 0.1.85 that allows attackers to manipulate password reset links ...

This vulnerability in Vikunja task management software allows attackers to compromise accounts through weak password policies and maintain persistent ...

This vulnerability allows attackers to extract administrative credentials from Gardyn IoT Hub through API responses, mobile app reverse engineering, o...

The basic-ftp Node.js library contains a path traversal vulnerability in the downloadToDir() method. A malicious FTP server can send filenames contain...

This vulnerability in Octopus Deploy allows attackers to delete files or file contents on the host system through an unauthenticated API endpoint lack...

Caddy servers with host lists exceeding 100 entries have a case-sensitivity vulnerability in the HTTP host matcher. Attackers can bypass host-based ro...

CVE-2026-27586 is a critical authentication bypass vulnerability in Caddy server where mTLS client certificate authentication silently fails open when...

This vulnerability involves uninitialized memory in Firefox's Graphics: Text component, which could allow attackers to read sensitive data from memory...

A type confusion vulnerability in SolarWinds Serv-U allows attackers with administrative privileges to execute arbitrary native code with elevated pri...