🔥 Trending CVEs - Last 90 Days

This vulnerability allows attackers to upload malicious files to WordPress sites using the Blogzee theme, potentially leading to complete system compr...

This vulnerability allows attackers to upload malicious files to WordPress sites using the Real Homes CRM plugin. Attackers can exploit this to execut...

This vulnerability allows attackers to upload arbitrary files to WordPress sites using the Blogmatic theme, potentially leading to remote code executi...

The WordPress News Event theme (versions up to 1.0.1) contains an unrestricted file upload vulnerability that allows attackers to upload arbitrary fil...

A command injection vulnerability in Wrangler's `pages deploy` command allows attackers who control the `--commit-hash` parameter to execute arbitrary...

A command injection vulnerability in Zoom Node Multimedia Routers allows meeting participants to execute arbitrary commands on the MMR system via netw...

CVE-2026-23836 is a critical remote code execution vulnerability in HotCRP conference review software. It allows authenticated users to execute arbitr...

This vulnerability in OpenStack keystonemiddleware allows authenticated attackers to forge identity headers like X-Is-Admin-Project, X-Roles, or X-Use...

This vulnerability allows authenticated attackers to upload malicious PHP files as attachments in InvoicePlane, which can then be executed remotely to...

This critical vulnerability allows attackers to bypass security controls and access the host filesystem, enabling unauthorized reading and modificatio...

A privilege escalation vulnerability in Automai Director v.25.2.0 allows remote attackers to gain elevated privileges on affected systems. This affect...

CVE-2026-22688 is a command injection vulnerability in WeKnora that allows authenticated users to inject malicious commands into MCP stdio settings, c...

This vulnerability allows authenticated attackers to execute arbitrary code on n8n workflow automation platforms, leading to full system compromise. I...

This vulnerability allows attackers to upload arbitrary files, including web shells, to WordPress sites using affected Themify themes. It enables remo...

This vulnerability allows low-privileged users in Coolify to view the root user's private SSH key, enabling them to authenticate as root on the server...

CVE-2025-59157 is a command injection vulnerability in Coolify's Git Repository field during project creation. Unauthenticated user input is not prope...

This vulnerability allows attackers to upload arbitrary files, including web shells, to servers running vulnerable versions of the MapSVG WordPress pl...

This vulnerability allows remote code execution through improper input validation in the IF AS Shortcode WordPress plugin. Attackers can inject malici...

StreamVault versions before 251126 contain a remote code execution vulnerability that allows attackers to execute arbitrary commands on the server. Ad...

This CVE describes a sandbox bypass vulnerability in n8n's Python Code Node that allows authenticated users with workflow creation/modification permis...

CVE-2025-66209 is an authenticated command injection vulnerability in Coolify's Database Backup functionality. It allows users with application/servic...

This CVE describes an elevation of privilege vulnerability in Microsoft's Custom Question Answering service. Attackers can exploit this to gain unauth...

This vulnerability allows attackers to upload malicious files to WordPress sites using the Motors theme. It affects all Motors theme installations fro...

ChurchCRM versions before 6.5.3 expose sensitive database credentials in error messages, allowing attackers to obtain database host, IP, username, and...

This vulnerability allows local unprivileged users on Windows systems to manipulate privileged DriveLock processes, enabling privilege escalation. Att...

An authenticated arbitrary file upload vulnerability in Pagekit CMS v1.0.18 allows attackers to upload malicious PHP files and execute arbitrary code ...

This critical vulnerability in Crafty Controller's Webhook Template component allows authenticated attackers to execute arbitrary code on the server t...

This vulnerability in Open edX Platform allows CourseLimitedStaffRole users to access and edit courses in Studio when granted organization-level permi...

CVE-2025-42880 is a critical remote code execution vulnerability in SAP Solution Manager where authenticated attackers can inject malicious code throu...

This critical vulnerability allows unauthenticated attackers to read and write sensitive files via AppEngine's HTTP-based file access feature. Attacke...

CVE-2026-29058 is a critical remote code execution vulnerability in AVideo video-sharing platform where unauthenticated attackers can execute arbitrar...

CVE-2026-28501 is an unauthenticated SQL injection vulnerability in WWBN AVideo that allows attackers to execute arbitrary SQL commands without authen...

This is a critical remote code execution vulnerability in Microsoft Devices Pricing Program that allows attackers to execute arbitrary code on affecte...

This vulnerability allows attackers to bypass allowlist restrictions in Nextcloud Talk by changing their display name to match an allowlisted user ID....

OpenClaw versions before 2026.2.2 have a command injection vulnerability where attackers can bypass allowlist restrictions by using Windows cmd.exe me...

Nginx UI versions before 2.3.3 expose an unauthenticated API endpoint that discloses encryption keys in response headers, allowing attackers to downlo...

The Database for Contact Form 7, WPforms, Elementor forms WordPress plugin is vulnerable to PHP Object Injection via deserialization of untrusted inpu...

A stack buffer overflow vulnerability in D-Link DIR-513 routers allows remote attackers to execute arbitrary code via the curTime parameter in the gof...

OpenSTAManager versions 2.9.8 and earlier contain an authentication bypass and privilege escalation vulnerability that allows attackers to arbitrarily...

This CVE describes a remote command injection vulnerability in D-Link DIR-868L routers via the SSDP service. Attackers can execute arbitrary operating...

An authentication bypass vulnerability in Weintek cMT-3072XH2 HMI devices allows unauthorized attackers to perform administrative actions using servic...

A heap-based buffer overflow vulnerability in libbiosig's Intan CLP parsing allows arbitrary code execution when processing malicious files. This affe...

OpenMQ's management service ships with default admin credentials (admin/admin) that are never forced to change, allowing remote attackers who can reac...

This vulnerability allows unauthenticated attackers to create administrator accounts on WordPress sites using the User Registration & Membership plugi...

The All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login plugin for WordPress has an authentication bypass vulnerability that allows unauthenticat...

This vulnerability allows remote code execution in Chamilo LMS by exploiting unfiltered parameter evaluation in SOAP requests. Attackers can execute a...

SimStudio versions below 0.5.74 have MongoDB tool endpoints that accept arbitrary connection parameters without authentication or host restrictions. T...

U-Office Force software has an insecure deserialization vulnerability that allows unauthenticated attackers to remotely execute arbitrary code on affe...

CVE-2026-2999 is a critical remote code execution vulnerability in IDExpert Windows Logon Agent that allows unauthenticated attackers to force the sys...

CVE-2026-27975 is an unauthenticated remote code execution vulnerability in Ajenti server admin panel. Attackers can execute arbitrary code on servers...