🔥 Trending CVEs - Last 30 Days

1,265 critical and high-severity vulnerabilities discovered in the last 30 days. Stay ahead of emerging threats with real-time CVE tracking and instant security alerts.

Total CVEs Published: 2,787
Critical Severity: 305
High Severity: 960
⚠️ Critical Alert
305 critical vulnerabilities published in the last 30 days. Immediate action recommended.

Critical & High-Risk CVEs

CVE-2026-2096 9.8

Agentflow software by Flowring has a Missing Authentication vulnerability (CWE-288) that allows unauthenticated remote attackers to directly access da...

📅 25 days ago • Feb 10, 2026
CVE-2026-2095 9.8

Agentflow software from Flowring contains an authentication bypass vulnerability that allows unauthenticated remote attackers to obtain arbitrary user...

📅 25 days ago • Feb 10, 2026
CVE-2026-25938 9.8

An authentication bypass vulnerability in FUXA web-based SCADA/HMI software allows unauthenticated remote attackers to execute arbitrary code on the s...

📅 25 days ago • Feb 9, 2026
CVE-2026-25893 9.8

An authentication bypass vulnerability in FUXA web-based SCADA/HMI software allows unauthenticated remote attackers to gain administrative access via ...

📅 25 days ago • Feb 9, 2026
CVE-2026-25894 9.8

An insecure default configuration in FUXA web-based SCADA/HMI software allows unauthenticated remote attackers to gain administrative access and execu...

📅 25 days ago • Feb 9, 2026
CVE-2026-25895 9.8

CVE-2026-25895 is a path traversal vulnerability in FUXA web-based SCADA/HMI software that allows unauthenticated remote attackers to write arbitrary ...

📅 25 days ago • Feb 9, 2026
CVE-2026-25814 9.8

PlaciPy version 1.0.0 passes user-controlled query parameters directly into DynamoDB query/filter construction without validation or sanitization. Thi...

📅 25 days ago • Feb 9, 2026
CVE-2026-25875 9.8

This vulnerability allows attackers to bypass authorization in PlaciPy placement management systems by manipulating JWT claims. Attackers can escalate...

📅 25 days ago • Feb 9, 2026
CVE-2026-25809 9.8

This vulnerability in PlaciPy version 1.0.0 allows attackers to execute code evaluation outside of intended assessment windows due to missing lifecycl...

📅 25 days ago • Feb 9, 2026
CVE-2025-6830 9.8

This SQL injection vulnerability in Xpoda Studio allows attackers to execute arbitrary SQL commands on the database. All users running Xpoda Studio ve...

📅 26 days ago • Feb 9, 2026
CVE-2026-22904 9.8

This critical vulnerability allows unauthenticated remote attackers to trigger a stack buffer overflow by sending oversized cookie values. Successful ...

📅 26 days ago • Feb 9, 2026
CVE-2026-22906 9.8

This vulnerability allows unauthenticated remote attackers to decrypt stored user credentials by accessing configuration files containing AES-ECB encr...

📅 26 days ago • Feb 9, 2026
CVE-2026-22903 9.8

An unauthenticated remote attacker can crash or potentially execute arbitrary code on lighttpd web servers by sending a specially crafted HTTP request...

📅 26 days ago • Feb 9, 2026
CVE-2026-1615 9.8

The jsonpath package is vulnerable to arbitrary code execution via malicious JSON Path expressions. Attackers can inject JavaScript code that gets exe...

📅 26 days ago • Feb 9, 2026
CVE-2025-66602 9.8

This vulnerability in Yokogawa's FAST/TOOLS allows web servers to be accessed directly by IP address, making them susceptible to automated scanning an...

📅 26 days ago • Feb 9, 2026
CVE-2025-66603 9.8

The OPTIONS method vulnerability in Yokogawa FAST/TOOLS web servers exposes HTTP method information that could aid attackers in reconnaissance and sub...

📅 26 days ago • Feb 9, 2026
CVE-2025-15027 9.8

The JAY Login & Register WordPress plugin allows unauthenticated attackers to update arbitrary user metadata through a vulnerable AJAX function, enabl...

📅 27 days ago • Feb 8, 2026
CVE-2026-25858 9.8

This vulnerability allows unauthenticated attackers to reset passwords for any user account by exploiting a flawed OTP verification process in the pas...

📅 27 days ago • Feb 7, 2026
CVE-2020-37162 9.8

CVE-2020-37162 is a critical buffer overflow vulnerability in Wedding Slideshow Studio 1.36 that allows remote attackers to execute arbitrary code by ...

📅 28 days ago • Feb 7, 2026
CVE-2020-37161 9.8

Wedding Slideshow Studio 1.36 contains a buffer overflow vulnerability in the registration name field that allows attackers to execute arbitrary code....

📅 28 days ago • Feb 7, 2026
CVE-2026-25803 9.8

3DP-MANAGER versions 2.0.1 and earlier automatically create an administrative account with default credentials (admin/admin) on first initialization. ...

📅 28 days ago • Feb 6, 2026
CVE-2026-25544 9.8

This is a critical SQL injection vulnerability in Payload CMS versions before 3.73.0 that allows unauthenticated attackers to extract sensitive data a...

📅 28 days ago • Feb 6, 2026
CVE-2026-1731 9.8

BeyondTrust Remote Support and older Privileged Remote Access versions contain a critical pre-authentication remote code execution vulnerability. Unau...

📅 28 days ago • Feb 6, 2026
CVE-2026-25753 9.8

PlaciPy placement management system version 1.0.0 uses a hard-coded default password for all newly created student accounts, enabling attackers to log...

📅 28 days ago • Feb 6, 2026
CVE-2025-64111 9.8

This vulnerability allows attackers to modify files in the .git directory of Gogs installations, potentially leading to remote command execution. It a...

📅 28 days ago • Feb 6, 2026
CVE-2026-2017 9.8

A critical stack-based buffer overflow vulnerability in IP-COM W30AP access points allows remote attackers to execute arbitrary code or crash the devi...

📅 29 days ago • Feb 6, 2026
CVE-2026-21643 9.8

An unauthenticated SQL injection vulnerability in Fortinet FortiClientEMS allows attackers to execute arbitrary SQL commands via crafted HTTP requests...

📅 29 days ago • Feb 6, 2026
CVE-2026-1499 9.8

The WP Duplicate plugin for WordPress has a critical vulnerability that allows authenticated attackers with subscriber-level access to upload arbitrar...

📅 29 days ago • Feb 6, 2026
CVE-2026-24300 9.8

This critical vulnerability in Azure Front Door allows attackers to bypass authentication and authorization controls, potentially gaining unauthorized...

📅 29 days ago • Feb 5, 2026
CVE-2020-37125 9.8

CVE-2020-37125 is a critical remote code execution vulnerability in Edimax EW-7438RPn-v3 Mini range extenders that allows unauthenticated attackers to...

📅 29 days ago • Feb 5, 2026
CVE-2026-28536 9.6

This CVE describes an authentication bypass vulnerability in Huawei device authentication modules that allows attackers to bypass authentication mecha...

📅 2 days ago • Mar 5, 2026
CVE-2025-69969 9.6

This critical vulnerability in Pebble Prism Ultra v2.9.2 allows attackers within Bluetooth range to execute arbitrary commands, intercept data, and hi...

📅 2 days ago • Mar 4, 2026
CVE-2025-69771 9.6

This vulnerability in asbplayer v1.13.0 allows attackers to upload malicious subtitle files that can execute arbitrary code on the system. Users of as...

📅 9 days ago • Feb 25, 2026
CVE-2026-22208 9.6

OpenS100 (S-100 viewer reference implementation) contains a remote code execution vulnerability where untrusted portrayal catalogues can execute arbit...

📅 18 days ago • Feb 17, 2026
CVE-2026-0509 9.6

This vulnerability allows authenticated low-privileged users in SAP NetWeaver ABAP systems to execute unauthorized background Remote Function Calls, b...

📅 25 days ago • Feb 10, 2026
CVE-2025-66606 9.6

A URL encoding vulnerability in Yokogawa's FAST/TOOLS industrial control system allows attackers to manipulate web pages or execute malicious scripts....

📅 26 days ago • Feb 9, 2026
CVE-2026-26288 9.4

This vulnerability allows unauthenticated attackers to impersonate legitimate charging stations by connecting to WebSocket endpoints without proper au...

🔥 Today • Mar 6, 2026
CVE-2026-26051 9.4

This CVE describes a critical authentication bypass vulnerability in WebSocket endpoints used for OCPP (Open Charge Point Protocol) communication. Att...

⚡ Yesterday • Mar 6, 2026
CVE-2026-22552 9.4

This vulnerability allows unauthenticated attackers to impersonate legitimate charging stations by connecting to WebSocket endpoints without proper au...

⚡ Yesterday • Mar 6, 2026
CVE-2026-1678 9.4

This vulnerability in Zephyr RTOS's DNS resolver allows an out-of-bounds write when processing malicious DNS responses. Attackers can exploit this to ...

📅 2 days ago • Mar 5, 2026
CVE-2026-26980 9.4

CVE-2026-26980 is an SQL injection vulnerability in Ghost CMS that allows unauthenticated attackers to read arbitrary data from the database. This aff...

📅 15 days ago • Feb 20, 2026
CVE-2025-8668 9.4

This is a reflected cross-site scripting (XSS) vulnerability in Turboard software that allows attackers to inject malicious scripts into web pages. Us...

📅 24 days ago • Feb 11, 2026
CVE-2025-66630 9.4

Fiber web framework versions before 2.52.11 on Go versions prior to 1.24 may generate predictable UUIDs when crypto/rand fails to obtain secure random...

📅 25 days ago • Feb 9, 2026
CVE-2026-1709 9.4

Keylime versions 7.12.0 and later have a critical authentication bypass vulnerability where the registrar fails to enforce client-side TLS certificate...

📅 28 days ago • Feb 6, 2026
CVE-2026-29183 9.3

An unauthenticated reflected XSS vulnerability in SiYuan's dynamic icon API allows attackers to inject malicious JavaScript via crafted SVG images. Wh...

⚡ Yesterday • Mar 6, 2026
CVE-2026-28680 9.3

Ghostfolio versions before 2.245.0 contain a server-side request forgery (SSRF) vulnerability in the manual asset import feature. Attackers can exploi...

⚡ Yesterday • Mar 6, 2026
CVE-2026-26266 9.3

A stored cross-site scripting (XSS) vulnerability in AliasVault Web Client allows attackers to inject malicious JavaScript into emails sent to any Ali...

📅 3 days ago • Mar 3, 2026
CVE-2026-27614 9.3

This is a stored cross-site scripting (XSS) vulnerability in Bugsink error tracking software. Unauthenticated attackers who can submit error events to...

📅 10 days ago • Feb 25, 2026
CVE-2026-27593 9.3

This vulnerability in Statamic CMS allows attackers to hijack password reset tokens and take over user accounts. Attackers need a valid email address...

📅 10 days ago • Feb 24, 2026
CVE-2026-25896 9.3

CVE-2026-25896 is a vulnerability in fast-xml-parser where a dot (.) in a DOCTYPE entity name is treated as a regex wildcard during entity replacement...

📅 14 days ago • Feb 20, 2026

Why Track Trending CVEs?

Stay ahead of emerging threats: Newly discovered vulnerabilities pose the highest risk as attackers race to exploit them before patches are deployed. Trending CVEs represent the most critical security issues requiring immediate attention from security teams worldwide.

Prioritize remediation efforts: With thousands of CVEs published annually, security teams need to focus on the most recent and severe threats first. Our trending CVE dashboard highlights critical and high-severity vulnerabilities from the past 7, 30, or 90 days, helping you prioritize patching efforts.

🚀 Automated Trending CVE Monitoring

  • Scan your servers to detect packages affected by trending CVEs
  • Receive instant email alerts when critical vulnerabilities are discovered
  • Dashboard shows CVE age, severity, CVSS scores, and affected systems
  • Filter by time period (7/30/90 days) to focus on recent threats