🔥 Trending CVEs - Last 90 Days

This vulnerability allows attackers to include local files on the server through PHP's include/require statements in the Mella WordPress theme. Attack...

This CVE describes an Insecure Direct Object Reference (IDOR) vulnerability in Tutor LMS WordPress plugin that allows attackers to bypass authorizatio...

This vulnerability allows remote code execution through malicious YAML input in docling-core library versions 2.21.0 to 2.48.3. Attackers can execute ...

This vulnerability allows attackers to upload malicious files to Teknoera software, potentially leading to file content injection attacks. It affects ...

This vulnerability allows attackers to bypass two-factor authentication in Horilla HRMS by omitting the OTP field from authentication requests. When t...

Fleet device management software versions before 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 have broken access control that allows any authenticated u...

This vulnerability in Oracle VM VirtualBox allows a high-privileged attacker with local access to the host system to compromise VirtualBox, potentiall...

This vulnerability in Oracle FLEXCUBE Investor Servicing allows authenticated attackers with low privileges to perform unauthorized data manipulation ...

The Nexter Extension plugin for WordPress has a PHP object injection vulnerability that allows unauthenticated attackers to inject malicious PHP objec...

This vulnerability allows authenticated attackers with customer-level permissions or higher to access and modify other vendors' store settings in the ...

A heap buffer overflow vulnerability in ImageMagick's XBM image decoder allows attackers to write controlled data beyond allocated memory boundaries w...

CVE-2026-23846 is a sensitive information exposure vulnerability in Tugtainer where passwords are transmitted via URL query parameters instead of secu...

This vulnerability in strongSwan's eap-mschapv2 plugin allows a malicious EAP-MSCHAPv2 server to trigger an integer underflow and heap-based buffer ov...

This vulnerability involves an incorrect implementation of an authentication algorithm in ABB Ability OPTIMAX, potentially allowing attackers to bypas...

This vulnerability allows attackers to bypass Deno's security restrictions on Windows by using case variations in file extensions (.BAT, .Bat instead ...

CVE-2025-66292 is an arbitrary file deletion vulnerability in DPanel server management panel. Authenticated users can delete any file on the server vi...

This CVE describes a race condition vulnerability in FreeRDP's serial channel IRP thread tracking that allows heap use-after-free. Attackers could exp...

This vulnerability allows an unauthorized attacker to execute arbitrary code on Windows Server Update Service (WSUS) servers by sending specially craf...

A heap-based buffer overflow vulnerability in multiple Fortinet products allows attackers to execute arbitrary code or commands via specially crafted ...

This CVE describes memory safety bugs in Firefox and Thunderbird that could lead to memory corruption. With sufficient effort, attackers could potenti...

This CVE describes a mitigation bypass vulnerability in the DOM Security component of Mozilla products. It allows attackers to circumvent security pro...

This vulnerability allows attackers to bypass authorization controls in ManageEngine's privileged access management products when initiating remote se...

This vulnerability allows backend users with access to the recycler module to delete arbitrary data from any database table defined in TYPO3's TCA, re...

This CVE describes a Missing Authorization Check vulnerability in SAP ABAP systems that allows authenticated attackers to misuse RFC functions to exec...

CVE-2026-0511 is a missing authorization vulnerability in SAP Fiori App Intercompany Balance Reconciliation that allows authenticated users to escalat...

CVE-2025-68472 is an unauthenticated path traversal vulnerability in MindsDB's file upload API that allows attackers to read arbitrary files from the ...

An Insecure Direct Object Reference (IDOR) vulnerability in Viafirma Inbox v4.5.13 allows authenticated users without privileges to list all users, ac...

This vulnerability in Viafirma Documents v3.7.129 allows authenticated users without proper privileges to access other users' data, manipulate user ac...

MLFlow versions up to 3.4.0 are vulnerable to DNS rebinding attacks due to missing Origin header validation in the REST server. This allows malicious ...

This CVE describes a Missing XML Validation vulnerability in Apache Struts that allows attackers to inject malicious XML content. It affects Apache St...

This vulnerability allows attackers to bypass authentication in Apache NimBLE by sending specially crafted Security Request packets. An attacker can r...

This SQL injection vulnerability in GestSup allows authenticated attackers to manipulate database queries during ticket creation. Attackers can potent...

This SQL injection vulnerability in GestSup allows authenticated attackers to manipulate database queries through asset list parameters. Attackers can...

GestSup versions before 3.2.60 contain a SQL injection vulnerability in the search bar functionality. Authenticated attackers can manipulate database ...

A command injection vulnerability in GL-iNet GL-AXT1800 router firmware allows authenticated attackers to execute arbitrary commands with root privile...

This vulnerability allows attackers to include local files on the server through improper filename control in PHP include/require statements. It affec...

This vulnerability allows attackers to include local PHP files on servers running the Optimize WordPress theme, potentially leading to remote code exe...

This CVE describes a PHP Local File Inclusion vulnerability in the Curly WordPress theme by Mikado-Themes. Attackers can include arbitrary local files...

This vulnerability allows attackers to include local files on the server through improper filename control in PHP include/require statements. It affec...

This vulnerability allows attackers to include local files on the server through improper filename control in PHP include/require statements. It affec...

This CVE describes a Missing Authorization vulnerability in the Traveler WordPress theme that allows attackers to bypass access controls. It affects a...

This vulnerability allows attackers to bypass authorization controls in Woffice Core by manipulating user-controlled keys, potentially accessing unaut...

This CVE describes a Missing Authorization vulnerability in the WP Attractive Donations System WordPress plugin that allows attackers to delete arbitr...

A race condition vulnerability in axios4go Go HTTP client library allows concurrent requests to mutate shared HTTP client configuration without synchr...

This vulnerability allows attackers to include local files on the server through improper filename control in PHP include/require statements. It affec...

This vulnerability allows attackers to include local files on the server through improper filename control in PHP's include/require statements. It aff...

This heap buffer over-read vulnerability in wolfSSH's wolfSSH_CleanPath() function allows authenticated remote attackers to read one byte beyond alloc...

This vulnerability allows attackers to include local files on the server through improper filename control in PHP include/require statements. It affec...

This vulnerability allows attackers to include local files on the server through improper filename control in PHP include/require statements. It affec...

This vulnerability allows attackers to include local files on the server through improper filename control in PHP include/require statements. It affec...