🔥 Trending CVEs - Last 7 Days

OpenClaw versions 2026.1.29-beta.1 through 2026.2.1 contain a path traversal vulnerability in plugin installation. Attackers can craft malicious plugi...

This vulnerability in the WordPress Restrict Content plugin allows unauthenticated attackers to register with any membership level, including inactive...

This SQL injection vulnerability in Cisco Secure FMC's web management interface allows authenticated attackers to execute arbitrary SQL commands. Atta...

A heap-based buffer overflow vulnerability in libbiosig's Nicolet WFT file parser allows arbitrary code execution when processing malicious .wft files...

This vulnerability allows cross-site scripting (XSS) attacks in MarkUs assignment submission system. Attackers can inject malicious scripts into stude...

This vulnerability allows local attackers to escalate privileges on macOS systems by exploiting insecure Unix socket permissions in Acronis Cyber Prot...

CVE-2026-26034 is an incorrect default permissions vulnerability in Dell UPS Multi-UPS Management Console (MUMC) that allows attackers to execute arbi...

Delta Electronics CNCSoft-G2 has a file parsing vulnerability that allows out-of-bounds write when processing malicious files. This enables remote cod...

OpenViking versions 0.2.1 and earlier contain a path traversal vulnerability in .ovpack import handling that allows attackers to write arbitrary files...

This CVE describes a memory corruption vulnerability in alignment-based memory allocation functions. Attackers can exploit this to execute arbitrary c...

This CVE describes a buffer overflow vulnerability in Qualcomm software where user-supplied data is added without proper bounds checking, leading to m...

This vulnerability allows memory corruption when accessing the trusted execution environment (TEE) without proper privilege checks. Attackers could po...

This vulnerability allows memory corruption when multiple processes concurrently access shared buffers through IOCTL calls in Qualcomm drivers. Attack...

This vulnerability allows memory corruption when multiple processes concurrently access a shared buffer during IOCTL calls in Qualcomm components. Att...

This CVE describes a memory corruption vulnerability in Qualcomm Trusted Application (TA) invocation where accessing buffers with invalid length can l...

Flowise versions before 3.0.13 contain an unauthenticated database injection vulnerability that allows attackers to manipulate internal database field...

OpenClaw sandbox browser bridge server accepts requests without gateway authentication, allowing local attackers to access browser control endpoints. ...

OpenClaw versions 2.0.0-beta3 through 2026.2.13 contain a path traversal vulnerability in the hook transform module loading mechanism. Attackers with ...

This vulnerability allows authenticated remote attackers with VPN access to cause Cisco ASA/FTD devices to crash and reload by sending specially craft...

This vulnerability allows authenticated remote attackers to cause denial of service on Cisco ASA and FTD firewalls by sending specially crafted GCM-en...

This vulnerability in Cisco Secure Firewall ASA and FTD software allows authenticated VPN users to send specially crafted IKEv2 packets that cause mem...

Ghost CMS versions 0.7.2 through 6.19.0 contain a vulnerability where malicious themes can execute arbitrary code on the server. This allows attackers...

Textream macOS teleprompter app versions before 1.5.1 have a WebSocket server that doesn't validate the Origin header, allowing malicious web pages to...

The JS Archive List WordPress plugin is vulnerable to PHP object injection through the 'included' shortcode attribute. Authenticated attackers with Co...

This SQL injection vulnerability in the WordPress ZIP Code Based Content Protection plugin allows unauthenticated attackers to inject malicious SQL qu...

This vulnerability allows attackers to bypass route-based middleware protections in @hono/node-server applications by using URL-encoded slashes (%2F) ...

This vulnerability allows attackers to bypass rate limiting on WebSocket authentication requests, enabling denial-of-service attacks that disrupt legi...

A denial of service vulnerability in CoreDNS's loop detection plugin allows attackers to crash DNS servers by sending specially crafted DNS queries. T...

An absolute path traversal vulnerability in Navtor NavBox allows unauthenticated remote attackers to read arbitrary files from the filesystem. This af...

Mongoose Web Server 6.9 contains a denial of service vulnerability where remote attackers can crash the service by establishing multiple socket connec...

Easyndexer 1.0 contains an unauthenticated arbitrary file download vulnerability that allows attackers to retrieve sensitive system files by manipulat...

AMPPS 2.7 contains a denial of service vulnerability where remote attackers can crash the service by sending malformed data to the default HTTP port. ...

SVGO versions 2.1.0-2.8.0, 3.0.0-3.3.2, and before 4.0.1 are vulnerable to XML entity expansion attacks. Attackers can craft small malicious SVG files...

This CVE describes a path traversal vulnerability in Talishar, a fan-made Flesh and Blood project, where the ParseGamestate.php component can be acces...

This CVE describes a WebSocket API vulnerability where missing rate limiting on authentication requests allows attackers to conduct denial-of-service ...

OpenClaw versions before 2026.2.15 use deprecated SHA-1 hashing for sandbox identifier cache keys, making them vulnerable to collision attacks. Attack...

OpenClaw versions before 2026.2.14 have a webhook routing vulnerability in the Google Chat monitor component that allows attackers to misroute webhook...

OpenClaw versions before 2026.2.13 contain a path traversal vulnerability in browser control API endpoints that handle trace and download files. Attac...

OpenClaw versions before 2026.2.2 fail to validate Telegram webhook secrets, allowing unauthenticated attackers to send forged Telegram updates. This ...

CVE-2026-28789 is an unauthenticated denial-of-service vulnerability in OliveTin's OAuth2 login flow. Attackers can crash the service by sending concu...

CVE-2026-28342 is an unauthenticated denial-of-service vulnerability in OliveTin's PasswordHash API endpoint. Attackers can send concurrent password h...

This vulnerability allows remote unauthenticated attackers to bypass Traefik's protection mechanisms and remove critical X-Forwarded headers that iden...

This vulnerability allows remote unauthenticated attackers to cause denial of service in Traefik by exploiting a TLS handshake flaw. Attackers can sen...

This vulnerability in Eclipse Jetty's GzipHandler causes a memory leak when processing compressed HTTP requests without compressed responses. Attacker...

This vulnerability in Hono web framework allows attackers to bypass route-based middleware protections (like authentication) for static files by using...

This vulnerability in cpp-httplib allows attackers to bypass configured payload size limits by sending compressed HTTP requests. When using streaming ...

An argument injection vulnerability in bird-lg-go's traceroute module allows remote attackers to inject arbitrary command-line flags via the q paramet...

This SQL injection vulnerability in the JS Help Desk WordPress plugin allows unauthenticated attackers to inject malicious SQL queries via a cookie pa...

This vulnerability allows unauthenticated attackers to cause CPU exhaustion denial-of-service by sending specially crafted JWE tokens with extremely h...

This vulnerability allows unauthenticated attackers to download arbitrary files from Weintek cMT-3072XH2 HMI devices via the download_wb.cgi component...