🔥 Trending CVEs - Last 30 Days

CVE-2026-28501 is an unauthenticated SQL injection vulnerability in WWBN AVideo that allows attackers to execute arbitrary SQL commands without authen...

This is a critical remote code execution vulnerability in Microsoft Devices Pricing Program that allows attackers to execute arbitrary code on affecte...

This vulnerability allows attackers to bypass allowlist restrictions in Nextcloud Talk by changing their display name to match an allowlisted user ID....

OpenClaw versions before 2026.2.2 have a command injection vulnerability where attackers can bypass allowlist restrictions by using Windows cmd.exe me...

Nginx UI versions before 2.3.3 expose an unauthenticated API endpoint that discloses encryption keys in response headers, allowing attackers to downlo...

The Database for Contact Form 7, WPforms, Elementor forms WordPress plugin is vulnerable to PHP Object Injection via deserialization of untrusted inpu...

A stack buffer overflow vulnerability in D-Link DIR-513 routers allows remote attackers to execute arbitrary code via the curTime parameter in the gof...

OpenSTAManager versions 2.9.8 and earlier contain an authentication bypass and privilege escalation vulnerability that allows attackers to arbitrarily...

This CVE describes a remote command injection vulnerability in D-Link DIR-868L routers via the SSDP service. Attackers can execute arbitrary operating...

An authentication bypass vulnerability in Weintek cMT-3072XH2 HMI devices allows unauthorized attackers to perform administrative actions using servic...

A heap-based buffer overflow vulnerability in libbiosig's Intan CLP parsing allows arbitrary code execution when processing malicious files. This affe...

OpenMQ's management service ships with default admin credentials (admin/admin) that are never forced to change, allowing remote attackers who can reac...

This vulnerability allows unauthenticated attackers to create administrator accounts on WordPress sites using the User Registration & Membership plugi...

The All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login plugin for WordPress has an authentication bypass vulnerability that allows unauthenticat...

This vulnerability allows remote code execution in Chamilo LMS by exploiting unfiltered parameter evaluation in SOAP requests. Attackers can execute a...

SimStudio versions below 0.5.74 have MongoDB tool endpoints that accept arbitrary connection parameters without authentication or host restrictions. T...

U-Office Force software has an insecure deserialization vulnerability that allows unauthenticated attackers to remotely execute arbitrary code on affe...

CVE-2026-2999 is a critical remote code execution vulnerability in IDExpert Windows Logon Agent that allows unauthenticated attackers to force the sys...

CVE-2026-27975 is an unauthenticated remote code execution vulnerability in Ajenti server admin panel. Attackers can execute arbitrary code on servers...

This vulnerability in Langflow's CSV Agent node allows attackers to execute arbitrary Python and OS commands on the server via prompt injection, leadi...

This CVE describes a use-after-free vulnerability in FreeRDP's clipboard handling for X11 clients. When FreeRDP automatically reconnects, one thread f...

This is a use-after-free vulnerability in FreeRDP's X11 client implementation where the RDPGFX DVC thread can access a freed window pointer while the ...

This is a use-after-free vulnerability in FreeRDP's X11 client where a cached XImage continues to reference freed memory. Attackers could potentially ...

An unauthenticated remote code execution vulnerability in Juniper PTX Series routers allows attackers to execute arbitrary code as root by exploiting ...

This critical authentication bypass vulnerability in Cisco Catalyst SD-WAN Manager allows unauthenticated remote attackers to gain netadmin privileges...

This vulnerability allows SQL injection through TLS-SRP handshake parameters, enabling attackers to inject known credentials into the database. Succes...

This critical vulnerability allows attackers to bypass authentication mechanisms in ePati Antikor Next Generation Firewall (NGFW), potentially gaining...

A path traversal vulnerability in Lanscope Endpoint Manager (On-Premises) Sub-Manager Server allows attackers to access arbitrary files outside intend...

FreeScout's authentication system uses a predictable, static token that never expires. If an attacker obtains the Laravel APP_KEY (commonly exposed), ...

A critical path traversal and extension bypass vulnerability in Flask-Reuploaded versions before 1.5.0 allows remote attackers to write arbitrary file...

The SPIP tickets plugin contains an unauthenticated remote code execution vulnerability in forum preview handling. Attackers can inject malicious cont...

CVE-2026-21410 is a SQL injection vulnerability in SAT MasterSCADA BUK-TS web interface that allows attackers to execute arbitrary SQL commands. Succe...

Tattile Smart+, Vega, and Basic device families ship with default administrative credentials that cannot be changed during initial setup. Attackers wh...

CVE-2026-27590 is a path confusion vulnerability in Caddy server's FastCGI handling that occurs when processing Unicode characters in request paths. A...

Binardat 10G08-0800GSM network switches contain hard-coded administrative credentials that cannot be changed, allowing attackers with knowledge of the...

CVE-2025-69985 is an authentication bypass vulnerability in FUXA SCADA/HMI software that allows remote unauthenticated attackers to execute arbitrary ...

A JIT miscompilation vulnerability in Firefox's JavaScript: WebAssembly component could allow arbitrary code execution when processing malicious web c...

A spoofing vulnerability in the WebAuthn component of Firefox for Android allows attackers to potentially impersonate legitimate websites during authe...

A use-after-free vulnerability in Firefox's JavaScript engine allows attackers to execute arbitrary code by tricking users into visiting malicious web...

This vulnerability involves incorrect boundary conditions in the GMP (Gecko Media Plugins) audio/video component of Firefox, which could allow memory ...

This CVE describes a same-origin policy bypass vulnerability in Firefox's JAR (Java Archive) networking component. It allows malicious websites to acc...

Memory safety vulnerabilities in Mozilla Firefox and Thunderbird could allow memory corruption attacks. With sufficient effort, attackers could exploi...

This CVE describes a privilege escalation vulnerability in Firefox's Netmonitor component. Attackers could exploit this to gain elevated privileges wi...

This CVE describes a privilege escalation vulnerability in Firefox's Netmonitor component that allows attackers to gain elevated privileges on affecte...

This CVE describes a DOM security component mitigation bypass vulnerability in Firefox. Attackers could potentially bypass security controls to execut...

This CVE describes a use-after-free vulnerability in Firefox's DOM Bindings (WebIDL) component that could allow an attacker to execute arbitrary code....

A use-after-free vulnerability in Firefox's audio/video playback component allows attackers to execute arbitrary code or cause crashes. This affects F...

An integer overflow vulnerability in Firefox's Audio/Video component could allow attackers to execute arbitrary code or cause denial of service. This ...

A use-after-free vulnerability in Firefox's JavaScript garbage collector component allows attackers to execute arbitrary code by manipulating memory a...

An integer overflow vulnerability in Firefox's JavaScript Standard Library component could allow attackers to execute arbitrary code or cause denial o...