🔥 Trending CVEs - Last 90 Days

In LavinMQ versions before 2.6.8, authenticated users with the 'Policymaker' management tag can bypass access controls to create shovels, allowing the...

A buffer overflow vulnerability in Qsync Central allows authenticated remote attackers to modify memory or crash processes. This affects all Qsync Cen...

A buffer overflow vulnerability in Qsync Central allows authenticated remote attackers to modify memory or crash processes. This affects all Qsync Cen...

A buffer overflow vulnerability in Qsync Central allows authenticated remote attackers to modify memory or crash processes. This affects all QNAP Qsyn...

A buffer overflow vulnerability in QNAP operating systems allows authenticated remote attackers to modify memory or crash processes. This affects user...

This vulnerability allows an unauthorized attacker to execute arbitrary code over a network by exploiting improper certificate validation in Azure Loc...

This vulnerability allows unauthenticated attackers to bypass LDAP authentication for Agentless VPN or FSSO policies in Fortinet FortiOS when the remo...

In File Browser versions before 2.57.1, authenticated users can bypass file access restrictions by adding extra slashes to file paths in requests. Thi...

This vulnerability in Keycloak allows attackers to modify invitation token payloads to self-register into unauthorized organizations. Attackers can ex...

This vulnerability in Nebula overlay networking tool allows attackers to bypass certificate blocklist entries when using P256 certificates (non-defaul...

CVE-2026-24135 is a path traversal vulnerability in Gogs self-hosted Git service that allows authenticated users with wiki write access to delete arbi...

Axigen Mail Server versions before 10.5.57 contain an improper access control vulnerability in the WebAdmin interface. A delegated admin account with ...

AutoGPT versions before beta-v0.6.46 log API keys and authentication secrets in plaintext when using Stagehand integration blocks. This exposes sensit...

OpenSlides versions before 4.2.29 have an authentication bypass vulnerability where users synced via external SAML identity providers can be logged in...

This vulnerability in n8n workflow automation platform allows attackers to write files to unintended locations on remote systems via SSH nodes, potent...

This vulnerability in Ziroom ZHOME A0101 devices allows attackers to gain unauthorized access via SSH using default credentials in the Dropbear SSH se...

A misconfiguration in TP-Link Archer AX53 v1.0's SSH hostkey implementation allows attackers to perform man-in-the-middle attacks to capture device cr...

This authentication bypass vulnerability in Moodle allows suspended users to authenticate through the LTI Provider, enabling unauthorized access to th...

This vulnerability allows authenticated attackers with Tutor Instructor-level access or higher to modify or delete arbitrary courses they do not own b...

PolarLearn's OAuth 2.0 implementation for GitHub and Google login is vulnerable to Login CSRF due to missing state parameter validation. This allows a...

This vulnerability in jsPDF allows attackers to inject arbitrary PDF objects, including JavaScript actions, through user-controlled input to specific ...

OpenList Frontend versions before 4.1.10 have TLS certificate verification disabled by default for storage communications, allowing Man-in-the-Middle ...

A vulnerability in fog-kubevirt allows remote attackers to perform Man-in-the-Middle attacks by intercepting communications between Satellite and Open...

This vulnerability in foreman_kubevirt disables SSL certificate verification by default when connecting to OpenShift without an explicitly set CA cert...

Simple CMS 2.1 contains a remote SQL injection vulnerability in the users module that allows authenticated attackers to execute arbitrary SQL commands...

PHP Melody 3.0 contains a remote SQL injection vulnerability in the video edit module that allows authenticated attackers to execute arbitrary SQL com...

Mult-E-Cart Ultimate 2.4 contains SQL injection vulnerabilities in multiple modules (inventory, customer, vendor, order) where attackers with vendor o...

The Tenda AX12 Pro V2 router contains hard-coded credentials in its Telnet service, allowing remote attackers to gain unauthorized access. This affect...

This vulnerability in the Custom Login Page Customizer WordPress plugin allows unauthenticated attackers to reset any user's password by knowing their...

This CSRF vulnerability in Drupal Acquia Content Hub allows attackers to trick authenticated administrators into performing unintended actions by craf...

A Cross-Site Request Forgery (CSRF) vulnerability in the Drupal Login Time Restriction module allows attackers to trick authenticated users into perfo...

SolarWinds Web Help Desk contains a security control bypass vulnerability that allows unauthenticated attackers to access restricted functionality. Th...

ConvertX versions before 0.17.0 have a path traversal vulnerability in the /delete endpoint that allows attackers to delete arbitrary files on the ser...

This vulnerability in GnuPG allows attackers to trigger a stack-based buffer overflow by sending specially crafted CMS/S-MIME messages with oversized ...

This CVE describes an authorization bypass in Grafana's dashboard permissions API where permission checks only validate the action permission without ...

This CVE describes a Missing Authorization vulnerability in the Tablesome WordPress plugin that allows attackers to bypass access controls and perform...

This vulnerability allows remote attackers to execute arbitrary code with root privileges on GPT Academic installations by exploiting insecure deseria...

This CVE describes a missing authorization vulnerability in the WP Recipe Maker WordPress plugin that allows attackers to bypass access controls. It a...

This CVE describes a missing authorization vulnerability in the WordPress User Registration plugin that allows attackers to exploit incorrectly config...

Dell PowerScale OneFS versions before 9.13.0.0 have a vulnerability where attackers can bypass authentication rate limiting. Unauthenticated remote at...

This vulnerability allows attackers to include local files on the server through improper filename control in PHP include/require statements. It affec...

This vulnerability allows attackers to include local files on the server through PHP's include/require statements in the Malta WordPress theme. Attack...

This path traversal vulnerability in VibeThemes WPLMS plugin allows attackers to delete arbitrary files on WordPress sites. It affects all WordPress i...

This vulnerability allows attackers to include local PHP files through improper filename control in the North WordPress theme. Attackers can potential...

This vulnerability allows attackers to include local files on the server through improper filename control in PHP include/require statements. It affec...

This vulnerability allows attackers to include local files on the server through improper filename control in PHP include/require statements. It affec...

This vulnerability allows attackers to include local files on the server through improper filename control in PHP's include/require statements. It aff...

This vulnerability allows attackers to include local files on the server through improper filename control in PHP include/require statements. It affec...

This vulnerability allows attackers to include local PHP files through improper filename control in the Yolox WordPress theme. Attackers can potential...

This vulnerability allows attackers to include local files on the server through improper filename control in PHP include/require statements. It affec...