🔥 Trending CVEs - Last 7 Days

An argument injection vulnerability in bird-lg-go's traceroute module allows remote attackers to inject arbitrary command-line flags via the q paramet...

This SQL injection vulnerability in the JS Help Desk WordPress plugin allows unauthenticated attackers to inject malicious SQL queries via a cookie pa...

This vulnerability allows unauthenticated attackers to cause CPU exhaustion denial-of-service by sending specially crafted JWE tokens with extremely h...

This vulnerability allows unauthenticated attackers to download arbitrary files from Weintek cMT-3072XH2 HMI devices via the download_wb.cgi component...

This vulnerability allows unauthenticated attackers to bypass signature verification in PKCS7 objects with Authenticated Attributes in AWS-LC. It affe...

A certificate validation bypass vulnerability in AWS-LC's PKCS7_verify() function allows unauthenticated attackers to bypass certificate chain verific...

This vulnerability allows attackers to bypass authentication rate limiting in HomeBox by forging IP headers, enabling brute-force attacks on login cre...

This vulnerability allows attackers to inject malicious HTML/JavaScript into Kestra's execution-file preview feature, leading to cross-site scripting ...

This WebSocket vulnerability allows session hijacking in charging station management systems by enabling multiple connections with the same predictabl...

This WebSocket vulnerability allows session hijacking by connecting with predictable charging station identifiers, enabling attackers to impersonate l...

This CVE describes a local privilege escalation vulnerability in Acronis Cyber Protect 17 for Windows due to improper handling of symbolic links. Atta...

This CVE describes a local privilege escalation vulnerability in Acronis Cyber Protect 17 for Windows due to improper handling of symbolic links. An a...

This CVE describes a local privilege escalation vulnerability in Acronis Cyber Protect Cloud Agent for Windows. Attackers can exploit DLL hijacking to...

This CVE describes a DOM-based cross-site scripting (XSS) vulnerability in Gogs self-hosted Git service. Attackers can inject malicious JavaScript int...

A permission bypass vulnerability in Huawei's system service framework allows attackers to circumvent intended access controls. This affects availabil...

This SQL injection vulnerability in itsourcecode University Management System 1.0 allows attackers to manipulate database queries through the ID param...

This SQL injection vulnerability in itsourcecode University Management System 1.0 allows attackers to manipulate database queries through the /admin_s...

This CVE-2026-3409 vulnerability allows remote attackers to execute arbitrary code through a code injection flaw in the Flow Import Endpoint of eospho...

This SQL injection vulnerability in Online Art Gallery Shop 1.0 allows attackers to manipulate database queries through the registration form's fname ...

This vulnerability allows remote attackers to execute arbitrary code on MaxSite CMS installations through a code injection flaw in the MarkItUp Previe...

The WP App Bar WordPress plugin has a stored XSS vulnerability that allows unauthenticated attackers to inject malicious scripts into plugin settings....

The Meta Box WordPress plugin has an arbitrary file deletion vulnerability that allows authenticated attackers with Contributor-level access or higher...

The Easy PHP Settings WordPress plugin allows authenticated attackers with Administrator privileges to inject arbitrary PHP code into wp-config.php vi...

Chartbrew versions before 4.8.1 contain a remote code execution vulnerability in MongoDB dataset queries. Attackers can execute arbitrary code on the ...

A remote stack-based buffer overflow vulnerability in Wavlink WL-NU516U1 router's login.cgi component allows attackers to execute arbitrary code by ma...

This CVE describes a command injection vulnerability in Wavlink WL-NU516U1 routers that allows remote attackers to execute arbitrary commands on affec...

The Fluent Forms Pro WordPress plugin has a stored XSS vulnerability that allows unauthenticated attackers to inject malicious scripts into draft form...

This vulnerability allows authenticated local administrators in one context of Cisco ASA multi-context mode to copy files to/from other contexts via S...

This Server-Side Request Forgery (SSRF) vulnerability in the PostX WordPress plugin allows authenticated attackers with Administrator privileges to ma...

The WPBookit WordPress plugin has a stored cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts into w...

Multiple authenticated OS command injection vulnerabilities in Cohesity TranZman 4.0 allow authenticated admin users to execute arbitrary commands wit...

This vulnerability allows attackers to escalate privileges to root and read/write arbitrary files on Cohesity TranZman Migration Appliance systems due...

CVE-2025-63911 is an authenticated command injection vulnerability in Cohesity TranZman Migration Appliance Release 4.0 Build 14614. This allows authe...

This vulnerability allows authenticated WordPress administrators to perform server-side request forgery (SSRF) attacks via the Uncanny Automator plugi...

Facturation System 1.0 contains an SQL injection vulnerability in the editar_producto.php endpoint that allows authenticated attackers to execute arbi...

Maitra 1.7.2 contains an SQL injection vulnerability in the mailid parameter of outmail and inmail modules, allowing authenticated attackers to execut...

Galaxy Forces MMORPG 0.5.8 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries through the 't...

This vulnerability involves default credentials for a local privileged user in Acronis Cyber Protect virtual appliances. Attackers can gain administra...

OpenClaw versions before 2026.2.12 have a path traversal vulnerability where authenticated attackers can use unsanitized sessionId or sessionFile para...

OpenClaw versions before 2026.2.14 have an OAuth state validation bypass in the manual Chutes login flow that allows attackers to bypass CSRF protecti...

OpenClaw versions before 2026.2.12 have an arbitrary file write vulnerability where authenticated gateway clients can manipulate the sessionFile path ...

This vulnerability in Frappe framework allows authenticated users to share documents with permissions they don't possess, potentially granting unautho...

This CVE describes an improper verification vulnerability in Huawei email applications that could allow attackers to access sensitive information. The...

CVE-2019-25503 is an unauthenticated SQL injection vulnerability in PHPads 2.0 that allows attackers to execute arbitrary SQL queries through the bann...

Tradebox 5.4 contains an SQL injection vulnerability in the monthly_deposit endpoint's symbol parameter that allows authenticated attackers to execute...

This XML External Entity (XXE) vulnerability in IBM InfoSphere Information Server allows attackers to read sensitive files from the server by exploiti...

This vulnerability allows authenticated local users in ZimaOS to craft requests targeting internal IP addresses and services, potentially accessing HT...

This cryptographic vulnerability in Qualcomm chipsets allows the High-Level Operating System (HLOS) to access the boot loader's certificate chain thro...