🔥 Trending CVEs - Last 90 Days

This CVE describes a Missing Authorization vulnerability in the Hotel Listing WordPress plugin that allows attackers to exploit incorrectly configured...

This CVE describes a missing authorization vulnerability in the Lawyer Directory WordPress plugin that allows attackers to bypass access controls. Att...

This vulnerability allows authenticated attackers to inject malicious HTML content into Project Release functionality in Altium Enterprise Server. Whe...

An incorrect authorization vulnerability in Devolutions Server's virtual gateway component allows attackers to bypass IP deny rules. This affects Devo...

A stored XSS vulnerability in Altium 365 user profile fields allows authenticated attackers to inject malicious scripts that execute when other users ...

A stack-based buffer overflow vulnerability in GNU Wget2's filename sanitization logic allows remote attackers to trigger memory corruption via specia...

This CVE describes an authorization bypass vulnerability in OPEXUS eCASE Audit where authenticated attackers can modify client-side JavaScript or craf...

This XXE vulnerability in Dell Unisphere for PowerMax allows low-privileged remote attackers to access unauthorized data and resources by exploiting i...

This SQL injection vulnerability in the Appointify WordPress plugin allows attackers to execute arbitrary SQL commands through unsanitized user input....

This CVE describes a buffer overflow vulnerability in the ESP-IDF BlueDroid AVRCP stack. An attacker could send specially crafted Bluetooth AVRCP comm...

This CVE describes a cross-site scripting (XSS) vulnerability in Verisay's Aidango software that allows attackers to inject malicious scripts into web...

This is a cross-site scripting (XSS) vulnerability in Titarus software from Verisay Communication and Information Technology Industry and Trade Ltd. C...

This CVE describes a cross-site scripting (XSS) vulnerability in Trizbi software by Verisay Communication and Information Technology Industry and Trad...

This SQL injection vulnerability in the AutomatorWP WordPress plugin allows attackers to execute arbitrary SQL commands on affected databases. All Wor...

This SQL injection vulnerability in the VillaTheme WPBulky WordPress plugin allows attackers to execute arbitrary SQL commands on the database. It aff...

The WP JobHunt plugin for WordPress (used by JobCareer theme) has a missing capability check that allows authenticated attackers with Candidate-level ...

This CVE describes a Missing Authorization vulnerability in the ThemeAtelier IDonatePro WordPress plugin that allows attackers to bypass access contro...

Open OnDemand versions 4.0.8 and earlier have a vulnerability where the Apache proxy passes sensitive headers to origin servers. This allows malicious...

This SQL injection vulnerability in the Stefano Lissa Newsletter WordPress plugin allows attackers to execute arbitrary SQL commands through blind inj...

This SQL injection vulnerability in the AIOSEO Broken Link Checker WordPress plugin allows attackers to execute arbitrary SQL commands on the database...

This vulnerability allows a malicious server to send specially crafted WebSocket frames with extremely large length values, causing undici's ByteParse...

The undici WebSocket client is vulnerable to a denial-of-service attack where a malicious WebSocket server can send a small compressed frame that expa...

CVE-2026-32141 is a stack overflow vulnerability in flatted's parse() function that allows attackers to crash Node.js applications by providing malici...

This CVE describes a Regular Expression Denial of Service (ReDoS) vulnerability in the multipart Python library. Attackers can craft malicious HTTP or...

CVE-2019-25515 is an authentication bypass vulnerability in Jettweb PHP Hazir Haber Sitesi Scripti V3 that allows unauthenticated attackers to gain ad...

This SQL injection vulnerability in the My Sticky Bar WordPress plugin allows unauthenticated attackers to extract data from the database using blind ...

This vulnerability allows unauthenticated attackers to bypass authentication and permission checks in ZITADEL's SCIM API by using URL-encoded path val...

CVE-2019-25478 is a buffer overflow vulnerability in GetGo Download Manager that allows remote attackers to cause denial of service by sending HTTP re...

This authentication bypass vulnerability in eWON industrial routers allows attackers with minimal privileges to retrieve and decrypt all user password...

This vulnerability allows unauthenticated attackers to perform directory traversal attacks on Hisilicon HiIpcam V100R003 devices, exposing sensitive c...

This vulnerability allows any server that a cpp-httplib client connects to (including via redirects or man-in-the-middle attacks) to crash the client ...

CVE-2026-31866 is a denial-of-service vulnerability in flagd feature flag daemon where unauthenticated attackers can send HTTP requests with arbitrari...

CVE-2026-21888 is an out-of-bounds read vulnerability in NanoMQ MQTT Broker's MQTT v5 Variable Byte Integer parsing function. This allows attackers to...

An unauthenticated attacker can cause denial of service on GitLab instances by sending specially crafted GraphQL requests that trigger uncontrolled re...

An unauthenticated attacker can cause denial of service on GitLab instances by sending specially crafted requests to repository archive endpoints. Thi...

This Server-Side Request Forgery (SSRF) vulnerability in Sunbird-Ed portal allows attackers to make the server send unauthorized requests to internal ...

OpenClaw and its voice-call component accept WebSocket connections for media streams before validating authentication, allowing unauthenticated remote...

This SQL injection vulnerability in the JetBooking WordPress plugin allows unauthenticated attackers to manipulate database queries via the 'check_in_...

This vulnerability allows unauthenticated attackers to perform blind SQL injection attacks on WordPress sites using the Simply Schedule Appointments p...

The WP Maps WordPress plugin contains a SQL injection vulnerability that allows unauthenticated attackers to extract sensitive data from the database....

Adobe Commerce (formerly Magento) has an incorrect authorization vulnerability that allows attackers to bypass security controls and view sensitive da...

CVE-2026-21289 is an incorrect authorization vulnerability in Adobe Commerce that allows attackers to bypass security controls and view unauthorized d...

This SQL injection vulnerability in Sequelize allows attackers who control JSON object keys to inject arbitrary SQL queries through unescaped cast typ...

CVE-2026-30837 is a Regular Expression Denial of Service (ReDoS) vulnerability in the Elysia TypeScript framework's URL validation. Attackers can caus...

This vulnerability in Envoy's RBAC filter allows attackers to bypass access control policies by sending duplicate HTTP headers with malicious values. ...

This Server-Side Request Forgery (SSRF) vulnerability in pdfmake allows attackers to make unauthorized requests from the server to internal or externa...

FileBrowser Quantum versions before 1.3.1-beta and 1.2.2-stable have an incomplete fix for CVE-2026-27611, allowing password-protected shares to leak ...

This vulnerability allows attackers to execute arbitrary commands on Liderahenk systems without authentication. It affects all Liderahenk installation...

This cross-site scripting (XSS) vulnerability in Microsoft Office Excel allows attackers to inject malicious scripts into Excel files. When a user ope...

This CVE describes a server-side request forgery (SSRF) vulnerability in Azure IoT Explorer that allows unauthorized attackers to spoof requests over ...