🔥 Trending CVEs - Last 90 Days

This vulnerability allows attackers to include local PHP files through improper filename control in the Jack Well WordPress theme. Attackers can read ...

This vulnerability allows attackers to include local PHP files through improper filename control in the Hanani WordPress theme. Attackers can potentia...

This vulnerability allows attackers to include local files on the server through PHP's include/require statements in the ShieldGroup WordPress theme. ...

A stored XSS vulnerability in Open Source Point of Sale allows attackers with administrative access to inject malicious JavaScript into the Return Pol...

AVideo versions before 20.1 contain an insecure direct object reference vulnerability that allows authenticated users with upload permissions to modif...

CVE-2025-68154 is an OS command injection vulnerability in the systeminformation library for Node.js. On Windows systems, the fsSize() function improp...

The WPCOM Member WordPress plugin has an authentication bypass vulnerability that allows attackers to brute-force 6-digit OTP codes within a 10-minute...

CVE-2023-53881 is an unencrypted CWMP communication vulnerability in ReyeeOS that allows attackers to perform man-in-the-middle attacks. Attackers can...

This vulnerability allows attackers to upload malicious attachments that are served with HTML content types, enabling cross-site scripting (XSS) attac...

This vulnerability in Eclipse OMR's compiler component causes incorrect handling of NUL characters during charset translation on Z processors, leading...

NXLog Agent versions before 6.11 can be forced to load an attacker-controlled OpenSSL configuration file via the OPENSSL_CONF environment variable. Th...

This vulnerability allows unauthenticated attackers to execute arbitrary PHP code on WordPress sites using the Extensive VC Addons plugin. Attackers c...

This CVE describes an authorization bypass vulnerability in Apache Fineract where attackers can manipulate user-controlled keys to access unauthorized...

This stored Cross-Site Scripting (XSS) vulnerability in Adobe Commerce allows high-privileged attackers to inject malicious JavaScript into vulnerable...

This vulnerability allows cross-site scripting (XSS) attacks in MarkUs assignment submission system. Attackers can inject malicious scripts into stude...

This vulnerability allows unauthenticated attackers to inject arbitrary scripts into GitLab's Mermaid diagram sandbox UI, potentially leading to cross...

This vulnerability in NVIDIA Cumulus Linux and NVOS allows low-privileged users to execute unauthorized commands through the NVUE interface, potential...

This stored cross-site scripting (XSS) vulnerability in Jenkins allows attackers with Agent/Configure or Agent/Disconnect permissions to inject malici...

This CVE describes a sandbox escape vulnerability in Cursor code editor versions prior to 2.5. A malicious AI agent could write to improperly protecte...

PostgreSQL Anonymizer extension contains a privilege escalation vulnerability where users can create malicious operators in schemas with CREATE permis...

This vulnerability in GitLab allows unauthenticated attackers to bypass validation in the Web IDE feature, potentially stealing authentication tokens ...

A time-of-check time-of-use race condition vulnerability in GitHub Copilot and Visual Studio allows authenticated attackers to execute arbitrary code ...

This vulnerability allows an authorized attacker to exploit improper input validation in Power BI to execute arbitrary code remotely over a network. O...

A heap-based buffer overflow vulnerability in TP-Link Archer AX53 v1.0 routers allows attackers on the same network to crash the device or potentially...

A heap-based buffer overflow vulnerability in TP-Link Archer AX53 v1.0 routers allows authenticated attackers on the same network to crash the device ...

A heap-based buffer overflow vulnerability in TP-Link Archer AX53 v1.0 routers allows authenticated attackers on the same network to crash the device ...

A heap-based buffer overflow vulnerability in TP-Link Archer AX53 v1.0 routers allows authenticated attackers on the same network to crash the device ...

A heap-based buffer overflow in TP-Link Archer AX53 v1.0's tmpserver modules allows authenticated attackers on the same network to crash the device or...

A heap-based buffer overflow in TP-Link Archer AX53 v1.0's tmpserver modules allows authenticated attackers on the same network to crash the device or...

A heap-based buffer overflow vulnerability in TP-Link Archer AX53 v1.0 routers allows authenticated attackers on the same network to crash the device ...

A heap-based buffer overflow vulnerability in TP-Link Archer AX53 v1.0 routers allows authenticated attackers on the same network to crash the device ...

This CVE describes a heap-based buffer overflow in the tmpserver modules of TP-Link Archer AX53 v1.0 routers. Authenticated attackers on the same loca...

A stored XSS vulnerability in FacturaScripts allows attackers to inject malicious JavaScript into the Observations field, which executes when administ...

An OS command injection vulnerability in TP-Link Archer BE230 routers allows adjacent authenticated attackers to execute arbitrary commands. This coul...

An OS command injection vulnerability in TP-Link Archer BE230 routers allows adjacent authenticated attackers to execute arbitrary commands. This coul...

An authenticated OS command injection vulnerability in TP-Link Archer BE230 routers allows attackers on the same network to execute arbitrary commands...

An authenticated OS command injection vulnerability in TP-Link Archer BE230 routers allows attackers on the same network to execute arbitrary commands...

An OS command injection vulnerability in TP-Link Archer BE230 routers allows adjacent authenticated attackers to execute arbitrary commands. Successfu...

CVE-2025-9974 is an OS command injection vulnerability in the unified WEBUI application of Nokia ONT/Beacon devices. Authenticated attackers with low ...

An improper access control vulnerability in Akın Software's QR Menu allows attackers to abuse authentication mechanisms, potentially gaining unauthor...

Dokploy versions before 0.26.6 contain hardcoded database credentials in the installation script, allowing attackers with network access to the databa...

Epiphany browser's external URL handler feature can be abused to exploit vulnerabilities in external applications, making them appear remotely exploit...

CVE-2026-24129 is a command injection vulnerability in Runtipi that allows authenticated users to execute arbitrary system commands on the host server...

This SQL injection vulnerability in Aida Computer Information Technology's Hotel Guest Hotspot software allows attackers to execute arbitrary SQL comm...

Horilla HRMS versions before 1.5.0 contain a critical file upload vulnerability that allows authenticated users to upload malicious HTML files disguis...

This vulnerability in Microsoft Power Apps allows authenticated attackers to execute arbitrary code remotely due to improper authorization checks. It ...

This vulnerability in the Weblate command-line client (wlc) allows a malicious Weblate server to write files to arbitrary locations on a client's syst...

A stored XSS vulnerability in Altium Workflow Engine allows authenticated users to inject malicious JavaScript into workflow data. When administrators...

A race condition vulnerability in the card framework module allows attackers to disrupt system availability through multi-threaded exploitation. This ...

A race condition vulnerability in Huawei's card framework module allows attackers to disrupt system availability through multi-threaded exploitation. ...