🔥 Trending CVEs - Last 90 Days

This vulnerability allows an attacker to read memory outside the intended buffer in Microsoft Office Word, potentially leading to arbitrary code execu...

This vulnerability allows authenticated attackers with 'User Administration' permissions to execute arbitrary operating system commands on Progress Lo...

This CVE describes an OS command injection vulnerability in Progress LoadMaster's API that allows authenticated attackers with 'User Administration' p...

This CVE describes an OS command injection vulnerability in SAP Application Server for ABAP and SAP NetWeaver RFCSDK. An authenticated attacker with a...

A cryptographic vulnerability in license data encryption could allow attackers to decrypt or manipulate license information. This affects systems usin...

A buffer overflow vulnerability in the WiFi driver of Samsung Exynos 1380, 1480, 2400, and 1580 mobile processors allows attackers to execute arbitrar...

A buffer overflow vulnerability in Samsung Exynos mobile processors allows attackers to execute arbitrary code or cause denial of service by sending s...

A stored Cross-Site Scripting (XSS) vulnerability in Bagisto eCommerce platform allows attackers to inject malicious JavaScript into CMS pages by bypa...

This vulnerability in Zillya Total Security allows low-privileged users to escalate privileges by exploiting the quarantine module's file restoration ...

CVE-2023-53965 is an unquoted service path vulnerability in SOUND4 Server Service 4.1.102 that allows local non-privileged users to escalate privilege...

CVE-2022-50688 is an unquoted service path vulnerability in Cobian Backup Gravity that allows local attackers to execute arbitrary code with SYSTEM pr...

Wondershare MirrorGo 2.0.11.346 has insecure file permissions on ElevationService.exe, allowing local unprivileged users to replace it with malicious ...

This vulnerability in Radiometer medical analyzers allows attackers with physical access to extract credential information due to insufficient credent...

CVE-2025-67750 is a remote code execution vulnerability in Lightning Flow Scanner where maliciously crafted flow metadata files can execute arbitrary ...

OpenClaw versions before 2026.2.14 contain a server-side request forgery vulnerability in the Tlon Urbit extension. Attackers who can influence the co...

This vulnerability allows managers in Vaultwarden to escalate their privileges by modifying permissions for collections they shouldn't have access to....

A stored cross-site scripting (XSS) vulnerability in Chamilo LMS allows teachers to inject malicious JavaScript into the glossary function, which exec...

This vulnerability allows authenticated attackers to execute arbitrary SQL commands through the search report option in ManageEngine ADSelfService Plu...

The eBay API MCP Server is vulnerable to environment variable injection through the updateEnvFile function, which doesn't validate input for newlines ...

This vulnerability in PanCafe Pro allows attackers to flood the system by exploiting cleartext transmission of sensitive information, potentially caus...

This CVE describes a Cross-Site Scripting (XSS) vulnerability in Saastech Cleaning and Internet Services Inc.'s TemizlikYolda software. Attackers can ...

This vulnerability in Parsec's RustCrypto backend allows man-in-the-middle attackers to bypass cryptographic authentication by providing weak order po...

A second-order SQL injection vulnerability in Hibernate's InlineIdsOrClauseBuilder allows remote attackers with low privileges to execute arbitrary SQ...

An integer overflow vulnerability in EVerest EV charging software allows attackers to trigger either infinite loops or stack buffer overflows by sendi...

Koko Analytics WordPress plugin versions before 2.1.3 allow arbitrary SQL execution through unescaped analytics data and permissive SQL import functio...

This Server-Side Template Injection vulnerability in Mintlify's MDX Rendering Engine allows attackers to execute arbitrary code by injecting malicious...

This cross-site scripting (XSS) vulnerability in Azure Cosmos DB allows attackers to inject malicious scripts into web pages generated by the database...

This vulnerability allows any authenticated user in ChurchCRM to perform Kiosk Manager actions like allowing/accepting kiosk registrations, reloading ...

A vulnerability in NGINX Ingress Controller's nginx.org/rewrite-target annotation validation allows path traversal attacks. This affects Kubernetes cl...

FNT Command 13.4.0 contains a directory traversal vulnerability (CWE-434) that allows attackers to access files outside the intended directory. This a...

This TOCTOU race condition vulnerability in Sylius eCommerce Framework allows attackers to bypass promotion and coupon usage limits by sending concurr...

CVE-2026-27826 allows unauthenticated attackers to force the MCP Atlassian server to make arbitrary outbound HTTP requests by sending two custom HTTP ...

This vulnerability in ZITADEL's login interface allows users to bypass configured security policies and self-register accounts or use password authent...

A path traversal vulnerability in Zarf's archive extraction allows malicious packages to create symlinks pointing outside the destination directory, e...

OOP CMS BLOG 1.0 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL queries through search,...

CVE-2018-25196 is an SQL injection vulnerability in ServerZilla 1.0 that allows unauthenticated attackers to manipulate database queries through the e...

CVE-2018-25187 allows unauthenticated attackers to directly download the kim.db database file containing user credentials and password hashes, and exe...

CVE-2018-25189 is an SQL injection vulnerability in Data Center Audit 2.6.2 that allows unauthenticated attackers to execute arbitrary SQL queries thr...

CVE-2018-25182 is an SQL injection vulnerability in Silurus Classifieds Script 2.0 that allows unauthenticated attackers to execute arbitrary SQL quer...

CVE-2018-25175 is an SQL injection vulnerability in Alienor Web Libre 2.0 that allows unauthenticated attackers to execute arbitrary SQL queries throu...

CVE-2018-25171 is an unauthenticated SQL injection vulnerability in EdTv 2 that allows attackers to execute arbitrary SQL queries through the 'id' par...

Rmedia SMS 1.0 contains an unauthenticated SQL injection vulnerability in the editgrp.php endpoint. Attackers can extract database schema information ...

CVE-2018-25167 is an SQL injection vulnerability in Net-Billetterie 2.9 that allows unauthenticated attackers to execute arbitrary SQL queries through...

CVE-2018-25163 is an SQL injection vulnerability in BitZoom 1.0 that allows unauthenticated attackers to execute arbitrary SQL queries through the rol...

Warranty Tracking System 11.06.3 contains an SQL injection vulnerability in SearchCustomer.php that allows attackers to execute arbitrary SQL queries ...

This vulnerability in OneUptime allows attackers to bypass two-factor authentication by replaying stolen WebAuthn assertions. The flaw occurs because ...

Ashop Shopping Cart Software contains an unauthenticated SQL injection vulnerability in the 'shop' parameter of index.php. Attackers can extract sensi...

Simple Job Script contains an unauthenticated SQL injection vulnerability in the landing_location parameter of the searched endpoint. Attackers can se...

Simple Job Script contains an unauthenticated SQL injection vulnerability in the register-recruiters endpoint via the employerid parameter. Attackers ...

CVE-2026-28562 is an unauthenticated SQL injection vulnerability in wpForo WordPress plugin versions 2.4.14 and earlier. Attackers can exploit the wpf...