🔥 Trending CVEs - Last 30 Days

This vulnerability in the BackWPup WordPress plugin allows authenticated attackers with subscriber-level access or higher to modify WordPress site opt...

This vulnerability allows unauthenticated attackers to inject malicious scripts via the 'wpcr3_fname' parameter in the WP Customer Reviews WordPress p...

This vulnerability allows authenticated attackers with Shop Manager or higher WordPress roles to install arbitrary plugins via the CTX Feed plugin. Th...

This CVE describes a remote command injection vulnerability in Advantech WISE-6610 devices. Attackers can execute arbitrary operating system commands ...

MajorDoMo contains an unauthenticated stored XSS vulnerability that allows attackers to inject malicious JavaScript into property values. When adminis...

This vulnerability allows authenticated attackers with Shop Manager or higher WordPress roles to execute arbitrary PHP code on the server. The flaw ex...

The Rent Fetch WordPress plugin contains a stored cross-site scripting (XSS) vulnerability in the 'keyword' parameter that allows unauthenticated atta...

This CVE-2026-2615 is a command injection vulnerability in Wavlink WL-NU516U1 routers that allows remote attackers to execute arbitrary commands on af...

The RSS Aggregator WordPress plugin is vulnerable to reflected cross-site scripting (XSS) via the 'template' parameter. Unauthenticated attackers can ...

A remote stack-based buffer overflow vulnerability exists in Wavlink WL-NU516U1 routers through firmware version 130/260. Attackers can exploit this b...

This stored XSS vulnerability in Smoothwall Express allows attackers to inject malicious JavaScript through modem.cgi POST parameters. When users acce...

This stored and reflected XSS vulnerability in Smoothwall Express allows attackers to inject malicious JavaScript via the urlfilter.cgi endpoint. When...

This cross-site scripting (XSS) vulnerability in SmarterMail allows attackers to inject malicious scripts via MAPI requests. It affects organizations ...

The Super Page Cache WordPress plugin has a stored cross-site scripting vulnerability in its Activity Log feature. Unauthenticated attackers can injec...

The User Language Switch WordPress plugin contains a Server-Side Request Forgery (SSRF) vulnerability that allows authenticated administrators to make...

This vulnerability allows unauthenticated attackers to execute arbitrary JavaScript in victims' browsers via the 'sscf_name' parameter in the Super Si...

The PixelYourSite WordPress plugin is vulnerable to stored cross-site scripting (XSS) via insufficient input sanitization in the 'pysTrafficSource' an...

The Secure Copy Content Protection and Content Locking WordPress plugin is vulnerable to stored cross-site scripting (XSS) via the 'X-Forwarded-For' H...

This stored XSS vulnerability in the Customer Reviews for WooCommerce WordPress plugin allows attackers to inject malicious scripts into web pages via...

The iONE360 configurator WordPress plugin has a stored XSS vulnerability in its contact form parameters that allows unauthenticated attackers to injec...

The Lucky Wheel Giveaway WordPress plugin contains a remote code execution vulnerability in all versions up to 1.0.22. Authenticated attackers with Ad...

The Name Directory WordPress plugin has a stored XSS vulnerability that allows unauthenticated attackers to inject malicious scripts via public submis...

This CVE describes a remote command injection vulnerability in D-Link DCS-931L IP cameras. Attackers can execute arbitrary operating system commands b...

This vulnerability allows authenticated attackers with Shop Manager or higher privileges in WordPress to modify arbitrary site options due to missing ...

CVE-2026-25951 is a path traversal vulnerability in FUXA web-based SCADA/HMI software that allows authenticated administrators to bypass directory pro...

This is a Remote Code Execution vulnerability in Craft CMS that allows authenticated administrators to execute arbitrary system commands on the server...

This CVE describes a remote command injection vulnerability in D-Link DIR-823X routers. Attackers can execute arbitrary operating system commands by m...

A stack-based buffer overflow vulnerability exists in Tenda AC9 routers running firmware version 15.03.06.42_multi. Remote attackers can exploit this ...

This CVE describes a stack-based buffer overflow vulnerability in Tenda AC9 routers' formGetRebootTimer function. Attackers can exploit this remotely ...

This vulnerability allows remote attackers to execute arbitrary operating system commands on UTT 进取 521G devices through command injection in the ...

A privilege escalation vulnerability in SiYuan Note's publish service allows authenticated users with read-only publish accounts (RoleReader) to modif...

A stack buffer overflow vulnerability in ImageMagick's morphology kernel parsing functions allows attackers to corrupt the stack by providing speciall...

This vulnerability in pyLoad allows attackers to bypass directory traversal protections in the edit_package() function using recursive path sequences ...

Facturation System 1.0 contains an SQL injection vulnerability in the editar_producto.php endpoint that allows authenticated attackers to execute arbi...

Maitra 1.7.2 contains an SQL injection vulnerability in the mailid parameter of outmail and inmail modules, allowing authenticated attackers to execut...

Galaxy Forces MMORPG 0.5.8 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries through the 't...

This vulnerability involves default credentials for a local privileged user in Acronis Cyber Protect virtual appliances. Attackers can gain administra...

OpenClaw versions before 2026.2.12 have a path traversal vulnerability where authenticated attackers can use unsanitized sessionId or sessionFile para...

OpenClaw versions before 2026.2.14 have an OAuth state validation bypass in the manual Chutes login flow that allows attackers to bypass CSRF protecti...

OpenClaw versions before 2026.2.12 have an arbitrary file write vulnerability where authenticated gateway clients can manipulate the sessionFile path ...

This vulnerability in Frappe framework allows authenticated users to share documents with permissions they don't possess, potentially granting unautho...

This CVE describes an improper verification vulnerability in Huawei email applications that could allow attackers to access sensitive information. The...

CVE-2019-25503 is an unauthenticated SQL injection vulnerability in PHPads 2.0 that allows attackers to execute arbitrary SQL queries through the bann...

Tradebox 5.4 contains an SQL injection vulnerability in the monthly_deposit endpoint's symbol parameter that allows authenticated attackers to execute...

This XML External Entity (XXE) vulnerability in IBM InfoSphere Information Server allows attackers to read sensitive files from the server by exploiti...

This vulnerability allows authenticated local users in ZimaOS to craft requests targeting internal IP addresses and services, potentially accessing HT...

This cryptographic vulnerability in Qualcomm chipsets allows the High-Level Operating System (HLOS) to access the boot loader's certificate chain thro...

Zed code editor versions before 0.225.9 have a symlink escape vulnerability that allows reading and writing files outside the project directory when s...

A heap buffer overflow vulnerability in iccDEV allows reading past allocated memory boundaries when parsing ICC profile XML text description tags. Thi...

A local privilege escalation vulnerability in udisks allows unprivileged users to trigger the root-owned daemon to overwrite LUKS encryption headers. ...