🔥 Trending CVEs - Last 90 Days

Smolder versions through 1.51 for Perl use the non-cryptographically secure rand() function for cryptographic operations, making generated values pred...

This vulnerability allows a remote attacker to read memory outside the intended buffer in Chrome's media component by tricking a user into visiting a ...

This vulnerability in Ayms node-To master branch disables TLS/SSL certificate validation, allowing man-in-the-middle attackers to intercept and manipu...

The CVE-2026-23552 vulnerability allows attackers to bypass tenant isolation in Apache Camel Keycloak component by using JWT tokens from unauthorized ...

This CVE describes an integer overflow vulnerability in Crypt::NaCl::Sodium Perl module versions through 2.001 on 32-bit systems. The flaw occurs when...

This critical vulnerability in Sentry's SAML SSO implementation allows attackers to take over any user account by exploiting misconfigured multi-organ...

This SQL injection vulnerability in Fiverr Clone Script 1.2.2 allows unauthenticated attackers to inject malicious SQL code through the page parameter...

This SQL injection vulnerability in LibreNMS allows attackers to execute arbitrary SQL commands through the ajax_table.php endpoint when searching IPv...

SoftVision webPDF versions before 10.0.2 contain a Server-Side Request Forgery (SSRF) vulnerability in the PDF converter function. Attackers can uploa...

InvoicePlane 1.7.0 contains a critical Remote Code Execution vulnerability that allows authenticated administrators to execute arbitrary system comman...

This vulnerability allows remote attackers to perform administrative operations without authentication in ProjectWorlds Online Time Table Generator 1....

This vulnerability in authentik allows authenticated users with specific delegated permissions to execute arbitrary code on the authentik server conta...

An authorization bypass vulnerability in FUXA web-based SCADA/HMI software allows unauthenticated remote attackers to create and modify arbitrary sche...

PlaciPy placement management system version 1.0.0 allows cross-tenant data access by deriving tenant identifiers from user-provided email domains with...

PlaciPy placement management system version 1.0.0 has an authorization vulnerability where authenticated users can access other users' student submiss...

PlaciPy placement management system version 1.0.0 has a missing object-level authorization vulnerability that allows authenticated users to access ass...

This vulnerability allows instructors to achieve arbitrary file write on the server by uploading specially crafted zip files. Attackers could write ma...

This authentication bypass vulnerability in JetBrains Hub allows attackers to perform administrative actions without proper credentials. All organizat...

CVE-2026-2234 is a missing authentication vulnerability in HGiga's C&Cm@il software that allows unauthenticated remote attackers to read and modify an...

This vulnerability in Antrea's network policy priority assignment system causes incorrect traffic enforcement due to a uint16 arithmetic overflow when...

CVE-2026-25643 is a critical Remote Command Execution vulnerability in Frigate NVR software that allows attackers to execute arbitrary system commands...

CVE-2026-25722 is a directory traversal vulnerability in Claude Code that allows attackers to bypass write protection in sensitive directories like .c...

CVE-2019-25298 is an SQL injection vulnerability in html5_snmp 1.11 that allows attackers to manipulate database queries through Router_ID and Router_...

This vulnerability allows authenticated users of SiYuan personal knowledge management system to write files to arbitrary locations on the filesystem d...

Alist file list program versions before 3.57.0 disable TLS certificate verification by default for all outgoing storage communications, making all dat...

CVE-2026-25139 is an out-of-bounds read vulnerability in RIOT OS's 6LoWPAN stack that allows unauthenticated attackers to read adjacent memory or cras...

MOMA Seismic Station versions v2.4.2520 and earlier expose their web management interface without requiring authentication. This allows unauthenticate...

This vulnerability in PEAR (PHP Extension and Application Repository) allows non-lead maintainers to create, update, or delete roadmaps due to a logic...

The NixOS Odoo package exposes the database manager without authentication, allowing unauthorized actors to delete or download the entire database and...

This vulnerability in h2o-3 allows remote attackers to write arbitrary data to any file on the server, potentially leading to remote code execution an...

This vulnerability in vCluster Platform allows users with scoped access keys to bypass scope restrictions and access resources outside their intended ...

A session fixation vulnerability in 66biolinks v62.0.0 allows attackers to hijack authenticated user sessions by setting or predicting session IDs bef...

Explorance Blue versions before 8.14.9 contain an authenticated unrestricted file upload vulnerability in the administrative interface. This allows at...

This vulnerability allows attackers to inject malicious scripts into DNN module titles, which execute in users' browsers when viewing affected pages. ...

Clatter versions before 2.2.0 have a protocol compliance vulnerability where post-quantum handshake patterns violate the PSK validity rule, allowing P...

This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in Squidex's webhook functionality that allows attackers to make the server send...

This is a type confusion vulnerability in the xray-monolith software that allows attackers to access memory with incompatible types, potentially leadi...

CVE-2025-68670 is an unauthenticated stack-based buffer overflow vulnerability in xrdp (open source RDP server) that allows remote attackers to execut...

This vulnerability allows attackers to access protected administrative areas of the EZCast Pro II web application using well-known default credentials...

This XXE vulnerability in AssertJ allows attackers to read local files, perform SSRF attacks, or cause denial of service when untrusted XML is process...

This vulnerability in RuoYi v4.8.2 allows unauthorized attackers to modify data they shouldn't have access to due to improper access control in the up...

This vulnerability in Free5gc NRF 1.4.0 allows attackers to bypass scope validation during access token generation by using a crafted targetNF value. ...

Gitea versions before 1.25.4 have an improper access control vulnerability where attachments uploaded to private repositories can be linked to release...

CVE-2026-20897 is an improper access control vulnerability in Gitea where users with write access to any repository can delete Git LFS locks belonging...

Gitea contains an authorization bypass vulnerability where users with project write access in one organization can modify projects belonging to other ...

This CVE describes an authorization bypass vulnerability in the WP Job Portal WordPress plugin where attackers can manipulate user-controlled keys to ...

This SSRF vulnerability in wbolt.com IMGspider WordPress plugin allows attackers to make the server send unauthorized requests to internal or external...

This vulnerability allows attackers to upload arbitrary files, including web shells, to WordPress sites using the Xpro Elementor Addons plugin. Attack...

This vulnerability allows attackers to execute arbitrary code on WordPress sites running the vulnerable Nelio AB Testing plugin. Attackers can inject ...

This SSRF vulnerability in the Pool Services WordPress theme allows attackers to make unauthorized requests from the vulnerable server to internal or ...