🔥 Trending CVEs - Last 90 Days

CVE-2025-15330 is an improper input validation vulnerability in Tanium Deploy that could allow attackers to execute arbitrary code or commands. This a...

An improper certificate validation vulnerability in TP-Link Tapo H100 v1 and Tapo P100 v1 allows attackers on the same network segment to intercept an...

Monstra CMS v3.0.4 contains an arbitrary file upload vulnerability in the Files Manager plugin that allows attackers to upload malicious files to web-...

This vulnerability allows authenticated administrators in jizhiCMS 1.6.7 to download arbitrary files from the server by exploiting the admin plugins u...

This CSRF vulnerability in Axigen Mail Server's WebAdmin interface allows attackers to craft malicious URLs that execute administrative actions when c...

This vulnerability allows a local attacker to replace service executable files or DLLs in the FREQSHIP-mini installation directory with malicious file...

Locutus versions 2.0.12 through 2.0.38 contain a prototype pollution vulnerability that allows attackers to modify JavaScript object prototypes via cr...

This vulnerability in Devtron allows any authenticated user, including low-privileged CI/CD developers, to retrieve the global API token signing key. ...

This CVE describes a remote code execution vulnerability in Group-Office where an authenticated attacker can execute arbitrary system commands on the ...

FacturaScripts contains a critical SQL injection vulnerability in the autocomplete functionality that allows authenticated attackers to extract sensit...

FacturaScripts contains a critical SQL injection vulnerability in its REST API that allows authenticated API users to execute arbitrary SQL queries th...

This path traversal vulnerability in Alist allows authenticated attackers to bypass directory-level authorization by injecting traversal sequences int...

OpenSTAManager versions 2.9.8 and earlier contain a SQL injection vulnerability in the ajax_complete.php endpoint. Authenticated attackers can execute...

OpenSTAManager versions 2.9.8 and earlier contain a SQL injection vulnerability in the Stampe Module that allows attackers to execute arbitrary SQL co...

This vulnerability in n8n's Merge node allows authenticated users with workflow creation/modification permissions to write arbitrary files to the serv...

This vulnerability in Cisco Meeting Management allows authenticated attackers with video operator privileges to upload malicious files through the web...

The SportsPress WordPress plugin has a Local File Inclusion vulnerability in all versions up to 2.7.26. Authenticated attackers with contributor-level...

This stored XSS vulnerability in Karel Electronics ViPort allows attackers to inject malicious scripts into web pages that are then executed when othe...

The WP FOFT Loader WordPress plugin has a vulnerability that allows authenticated attackers with Author-level access or higher to upload arbitrary fil...

This vulnerability in ingress-nginx allows attackers to inject malicious configuration via the auth-method annotation, leading to arbitrary code execu...

This CVE describes a configuration injection vulnerability in ingress-nginx where attackers can inject malicious nginx configuration through the `rule...

CVE-2026-24887 is a command injection vulnerability in Claude Code that allows bypassing confirmation prompts to execute arbitrary commands via the fi...

A heap buffer overflow vulnerability in libvpx video processing library in Google Chrome allows remote attackers to potentially execute arbitrary code...

A type confusion vulnerability in Chrome's V8 JavaScript engine allows attackers to corrupt heap memory via malicious web pages. This could lead to ar...

This CVE describes an arbitrary file upload vulnerability in FPDF's AddFont() function that allows attackers to upload malicious PHP files. Successful...

This vulnerability allows attackers to execute arbitrary code on WordPress sites running the vulnerable WpEvently plugin by exploiting insecure deseri...

The OS DataHub Maps WordPress plugin has an arbitrary file upload vulnerability that allows authenticated attackers with Author-level access or higher...

This vulnerability allows remote code execution in Group-Office by exploiting improper input validation in the MaintenanceController's zipLanguage act...

OpenClaw (formerly Clawdbot) versions prior to 2026.1.29 contain a command injection vulnerability in the Docker sandbox execution mechanism. Authenti...

OpenList Frontend versions before 4.1.10 contain a path traversal vulnerability in file operation handlers that allows authenticated attackers to bypa...

This vulnerability allows an unauthenticated remote attacker to hijack existing user sessions and gain full administrative access to affected devices....

This vulnerability allows local privilege escalation on macOS systems running Native Access. A low-privileged user can exploit DYLIB injection in the ...

In lunary-ai/lunary version 1.2.2, a privilege escalation vulnerability allows users with 'viewer' role to hijack other user accounts by obtaining pas...

This CVE describes a heap buffer overflow vulnerability in wlan (wireless LAN) components that allows remote attackers to execute arbitrary code witho...

An unauthenticated attacker can upload arbitrary files to MagicInfo9 Server, leading to remote code execution and privilege escalation. This affects M...

CVE-2026-24788 is an OS command injection vulnerability in RaspAP raspap-webgui that allows authenticated users to execute arbitrary commands on the u...

OpenClaw (also known as clawdbot or Moltbot) versions before 2026.1.29 automatically establish WebSocket connections using gatewayUrl values from quer...

CVE-2020-37032 is a remote code execution vulnerability in Wing FTP Server's Lua-based web console that allows authenticated attackers to execute arbi...

A SQL injection vulnerability in ChurchCRM allows any authenticated user, even with zero permissions, to execute arbitrary SQL commands through the Pa...

A remote buffer overflow vulnerability in Totolink A3600R routers allows attackers to execute arbitrary code by manipulating the apcliSsid parameter i...

This CVE describes a stack-based buffer overflow vulnerability in Tenda AC21 routers running firmware version 16.03.08.16. Attackers can remotely expl...

This vulnerability allows Creator-level users in Budibase to bypass UI restrictions and invite new users with any role (including Admin) via API manip...

CVE-2026-25047 is a prototype pollution vulnerability in the deephas npm package version 1.0.7 that allows attackers to modify JavaScript object proto...

A Server-Side Template Injection vulnerability in Amidaware Tactical RMM allows low-privileged users with Report Viewer or Report Manager permissions ...

This vulnerability allows authenticated attackers to exploit a buffer overflow in TP-Link VIGI C385 V1's web API due to insufficient input sanitizatio...

A vulnerability in the TP-Link VX800v v1.0 web interface allows attackers on the same network to brute-force weak AES encryption keys and decrypt inte...

This vulnerability allows authenticated users in AutoGPT Platform to execute disabled BlockInstallationBlock components, which write arbitrary Python ...

OpenProject versions before 16.6.6 and 17.0.2 have a command injection vulnerability that allows authenticated users with repository browsing permissi...

This CVE describes an out-of-bounds write vulnerability in Xen's shadow mode tracing code where guest-controlled data can be written beyond allocated ...

The Simple User Registration WordPress plugin allows authenticated attackers with minimal permissions (like subscribers) to escalate their privileges ...