🔥 Trending CVEs - Last 90 Days

This vulnerability allows attackers to execute arbitrary code through PHP object injection by exploiting insecure deserialization in the PhotoMe WordP...

This vulnerability in the BoldThemes Ippsum WordPress theme allows attackers to inject malicious objects through deserialization of untrusted data. It...

This CVE describes a PHP object injection vulnerability in the BoldThemes Nestin WordPress theme. Attackers can exploit insecure deserialization to ex...

This is a critical SQL injection vulnerability in Kolay Software Inc.'s Talentics platform that allows attackers to execute arbitrary SQL commands. It...

This critical vulnerability allows attackers to access and manipulate sensitive data without authentication in Acronis Cyber Protect products. It affe...

OpenClaw's Docker sandbox configuration injection vulnerability allows attackers to escape container isolation and access the host system. This affect...

RustFly 2.0.0 contains a critical command injection vulnerability in its remote UI control mechanism that accepts hex-encoded instructions over UDP po...

RUCKUS Network Director (RND) OVA appliances contain identical hardcoded SSH keys for the postgres user across all deployments, allowing attackers wit...

CVE-2026-26339 is a critical argument injection vulnerability in Hyland Alfresco Transformation Service that allows unauthenticated attackers to execu...

The Saisies plugin for SPIP contains a critical Remote Code Execution vulnerability (CWE-94: Improper Control of Generation of Code) that allows attac...

This vulnerability in BiEticaret CMS allows attackers to bypass authentication and manipulate HTTP responses through Execution After Redirect and Miss...

CVE-2025-15559 is an unauthenticated OS command injection vulnerability in NesterSoft WorkTime server's client generation API. Attackers can execute a...

This vulnerability allows attackers to inject malicious objects through deserialization of untrusted data in the Grand Restaurant WordPress theme. Suc...

This vulnerability allows attackers to inject malicious objects through deserialization of untrusted data in the WpEvently mage-eventpress WordPress p...

The s2Member WordPress plugin has a critical vulnerability that allows unauthenticated attackers to change any user's password, including administrato...

The Slider Future WordPress plugin allows unauthenticated attackers to upload arbitrary files due to missing file type validation. This vulnerability ...

The Prodigy Commerce WordPress plugin has a Local File Inclusion vulnerability that allows unauthenticated attackers to read arbitrary files or execut...

The Buyent Classified plugin for WordPress allows unauthenticated attackers to register accounts with administrator privileges by manipulating the use...

This vulnerability allows unauthenticated attackers to register as administrators on WordPress sites using the Lizza LMS Pro plugin. All WordPress sit...

The Clasifico Listing WordPress plugin allows unauthenticated attackers to register accounts with administrator privileges by manipulating the 'listin...

This CVE describes a remote command injection vulnerability in SECCN Dingcheng G10 software version 3.1.0.181203. Attackers can execute arbitrary oper...

CVE-2026-27180 allows unauthenticated attackers to execute arbitrary code on MajorDoMo systems by poisoning the update URL. Attackers can deploy websh...

CVE-2026-27174 allows unauthenticated attackers to execute arbitrary PHP code on MajorDoMo home automation systems via the admin panel's PHP console. ...

MailCarrier 2.51 contains a critical buffer overflow vulnerability in its POP3 service that allows remote attackers to execute arbitrary code by sendi...

CVE-2019-25360 is a critical buffer overflow vulnerability in Aida64 Engineer's CSV logging configuration that allows remote code execution. Attackers...

CVE-2019-25362 is a critical buffer overflow vulnerability in WMV to AVI MPEG DVD WMV Convertor 4.6.1217 that allows remote attackers to execute arbit...

CVE-2025-70152 is an unauthenticated SQL injection vulnerability in the Community Project Scholars Tracking System 1.0 that allows attackers to execut...

CVE-2025-70150 is a critical missing authentication vulnerability in CodeAstro Membership Management System 1.0 that allows unauthenticated attackers ...

CodeAstro Membership Management System 1.0 contains a SQL injection vulnerability in the print_membership_card.php file via the ID parameter. This all...

CVE-2025-65791 is a critical command injection vulnerability in ZoneMinder's image.php component that allows attackers to execute arbitrary commands o...

This vulnerability allows remote attackers to gain root access to UTT HiPER 810 / nv810v4 routers via telnet using insecure default credentials. Attac...

An unauthenticated stack-based buffer overflow vulnerability in Grandstream GXP1600 series VoIP phones allows remote attackers to execute arbitrary co...

The YayMail WordPress plugin has a privilege escalation vulnerability that allows authenticated attackers with Shop Manager access or higher to modify...

This vulnerability allows unauthenticated attackers to remotely change the password recovery email address via an exposed API endpoint. This affects H...

CVE-2026-23647 allows attackers to remotely authenticate to Glory RBG-100 recycler systems using hard-coded Linux credentials, including administrativ...

CVE-2026-2439 is a session ID generation vulnerability in Concierge::Sessions for Perl that allows attackers to guess session identifiers and gain una...

This vulnerability allows remote attackers to upload arbitrary files without restrictions to EFM iptime A6004MX routers via the commit_vpncli_file_upl...

CVE-2026-26369 is a privilege escalation vulnerability in eNet SMART HOME server where low-privileged users can elevate themselves to administrative p...

eNet SMART HOME server versions 2.2.1 and 2.3.1 ship with active default credentials (user:user, admin:admin) that don't require password changes duri...

This vulnerability allows unauthenticated attackers to bypass authorization and install arbitrary WordPress plugins via reverse DNS spoofing. It affec...

The Truelysell Core WordPress plugin allows unauthenticated attackers to create administrator accounts due to insufficient validation of the user_role...

The midi-Synth WordPress plugin allows unauthenticated attackers to upload arbitrary files due to missing validation in the 'export' AJAX action. This...

Known social publishing platform versions 1.6.2 and earlier contain a critical authentication bypass vulnerability where password reset tokens are exp...

Calero VeraSMART versions before 2022 R1 expose an unauthenticated .NET Remoting service on port 8001, allowing remote attackers to read/write arbitra...

This vulnerability allows attackers to achieve remote code execution on Calero VeraSMART servers by exploiting static ASP.NET machine keys. Attackers ...

This critical vulnerability in Milvus vector database allows unauthenticated attackers to bypass authentication and execute arbitrary operations. Atta...

CVE-2019-25337 is a username enumeration vulnerability in ownCloud that allows remote attackers to discover valid user accounts by sending crafted req...

CVE-2019-25327 is a critical buffer overflow vulnerability in Prime95 version 29.8 build 6 that allows remote attackers to execute arbitrary code by c...

CVE-2019-25319 is a critical stack overflow vulnerability in Domain Quester Pro 6.02 that allows remote attackers to execute arbitrary code by exploit...

CVE-2019-25321 is a critical stack overflow vulnerability in FTP Navigator 8.03 that allows attackers to execute arbitrary code by exploiting Structur...