🔥 Trending CVEs - Last 90 Days

This CVE describes a Missing Authorization vulnerability in the Payment Gateway bKash for WC WordPress plugin that allows attackers to bypass access c...

A private key recovery vulnerability exists in sm-crypto's SM2 decryption implementation, allowing attackers to fully extract private keys through sev...

A Node.js permissions model vulnerability allows attackers to bypass file system access restrictions using crafted relative symlink paths. This enable...

This is a reflected cross-site scripting (XSS) vulnerability in WeGIA web management software that allows unauthenticated attackers to inject maliciou...

SvelteKit versions 2.19.0 through 2.49.4 are vulnerable to server-side request forgery (SSRF) and denial of service (DoS) attacks. The vulnerability a...

This vulnerability allows remote attackers to gain full system access by uploading unvalidated container images to affected systems. It compromises bo...

A heap out-of-bounds read vulnerability in FreeRDP's smartcard SetAttrib path allows attackers to read memory beyond allocated buffers. This affects F...

This CVE describes a global buffer overflow vulnerability in FreeRDP's Base64 decoding implementation. On Arm/AArch64 architectures, signedness issues...

This vulnerability in FreeRDP allows remote attackers to cause an out-of-bounds read by sending specially crafted MSUSB_INTERFACE_DESCRIPTOR values. T...

Sysax Multi Server 6.95 contains a denial of service vulnerability where attackers can crash the application by sending 800 bytes of repeated characte...

This vulnerability allows non-secure applications to exfiltrate intermediate register values from secure workloads, potentially exposing sensitive dat...

This authentication bypass vulnerability in ManageEngine ADSelfService Plus allows attackers to circumvent login protections and gain unauthorized acc...

The E-xact Hosted Payment WordPress plugin through version 2.0 contains an arbitrary file deletion vulnerability due to insufficient file path validat...

This critical vulnerability in LibreChat allows authenticated users to execute arbitrary shell commands as root within the container via a single API ...

The Frontend Admin by DynamiApps WordPress plugin has an authorization bypass vulnerability that allows unauthenticated attackers to delete any conten...

This vulnerability in Print Shop Pro WebDesk allows remote attackers to purchase items with negative quantities, creating financial discrepancies by m...

This vulnerability allows authenticated remote attackers to inject arbitrary SMTP commands via crafted input to the /osrest/api/organization/sendmail ...

This SSRF vulnerability in the nK Themes Helper WordPress plugin allows attackers to make the vulnerable server send unauthorized requests to internal...

This critical authentication bypass vulnerability in Kanboard allows attackers to impersonate any user, including administrators, by sending spoofed H...

LibreChat version 0.8.1-rc2 has a server-side request forgery (SSRF) vulnerability in its Actions feature that allows attackers to make unauthorized r...

This vulnerability allows attackers to perform Man-in-the-Middle attacks on all REST API communications between Uniffle CLI/client and Coordinator ser...

Unauthenticated attackers can trigger database backup operations in vulnerable Craft CMS versions, potentially causing resource exhaustion or exposing...

CVE-2025-67397 is a command injection vulnerability in Passy v1.6.3 that allows authenticated remote attackers to execute arbitrary commands on affect...

A critical vulnerability in multiple Samsung Exynos processors allows attackers to execute arbitrary code or cause denial of service via malformed NAS...

CVE-2026-21445 is a critical authentication bypass vulnerability in Langflow that allows unauthenticated attackers to access sensitive user conversati...

Signal K Server versions before 2.19.0 allow unauthenticated attackers to steal JWT authentication tokens through two chained vulnerabilities: unauthe...

This vulnerability allows any authenticated admin user in Titra time tracking software to execute arbitrary code on the server by manipulating timeEnt...

CVE-2025-56332 is an authentication bypass vulnerability in fosrl/pangolin v1.6.2 and earlier that allows attackers to access protected resources due ...

This vulnerability in Delta Electronics DVP-12SE11T PLC modules allows attackers to write data beyond allocated memory boundaries, potentially leading...

CVE-2025-15102 is a password protection bypass vulnerability in Delta Electronics DVP-12SE11T PLC modules. Attackers can bypass authentication mechani...

This vulnerability in Whale browser allows attackers to escape iframe sandbox restrictions in sidebar environments, potentially executing malicious co...

CVE-2024-25181 is a critical vulnerability in givanz VvvebJs 1.7.2 that allows attackers to perform Server-Side Request Forgery (SSRF) and read arbitr...

This vulnerability allows attackers to perform directory traversal through the certsupload.cgi endpoint in Riello UPS NetMan 208 Application, enabling...

This Server-Side Request Forgery (SSRF) vulnerability in the Link Library WordPress plugin allows attackers to make unauthorized requests from the vul...

This CVE describes a missing authorization vulnerability in the Sunshine Photo Cart WordPress plugin that allows attackers to bypass access controls. ...

This SSRF vulnerability in the bdthemes Prime Slider WordPress plugin allows attackers to make unauthorized requests from the vulnerable server to int...

This CVE describes a missing authorization vulnerability in the Brave Popup Builder WordPress plugin that allows attackers to bypass access controls. ...

This CVE describes a missing authorization vulnerability in the Gutenverse Form WordPress plugin that allows attackers to bypass access controls. It a...

This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in the 6Storage Rentals WordPress plugin. Attackers can exploit this to make the...

This vulnerability allows attackers to bypass password recovery rate limiting in Restajet's Online Food Delivery System, enabling brute-force attacks ...

This vulnerability in Weblate allows remote attackers to overwrite Git configuration settings, potentially altering Git behavior and enabling further ...

A buffer overflow vulnerability in scrcpy allows a compromised Android device to send crafted messages that cause memory corruption on the host system...

A CORS misconfiguration in Dify v1.9.1 allows arbitrary external domains to make authenticated requests to the /console/api/setup endpoint. This enabl...

This CVE describes a CORS misconfiguration in Dify v1.9.1 that allows any external domain to make authenticated cross-origin requests to the /console/...

This vulnerability allows remote attackers to execute arbitrary code on WordPress sites running the Hotel Booking Lite plugin. Attackers can inject ma...

Zerobyte backup automation tool versions before 0.18.5 and 0.19.0 have an authentication bypass vulnerability where certain API endpoints don't proper...

This vulnerability in FreeRDP allows attackers to cause heap-based out-of-bounds memory reads by controlling hostnames in certificate cache filenames....

ChurchCRM versions before 6.5.3 have a critical vulnerability in the Database Restore functionality that allows attackers to upload malicious files wi...

AVideo versions before 20.1 with the ImageGallery plugin enabled are vulnerable to unauthenticated file upload and deletion. Attackers can upload mali...

Canary Mail versions 5.1.40 and below fail to apply Mark-of-the-Web (MOTW) tags to downloaded attachments, allowing attackers to bypass Windows and th...