🔥 Trending CVEs - Last 90 Days

This vulnerability in Windows GDI+ allows attackers to read memory beyond intended boundaries, potentially leaking sensitive information. It affects W...

CVE-2026-23662 is a missing authentication vulnerability in Azure IoT Explorer that allows unauthorized attackers to access sensitive information over...

An uninitialized pointer dereference vulnerability in ImageMagick's JBIG decoder allows attackers to cause denial of service or potentially execute ar...

FreshRSS versions before 1.28.0 contain an authentication bypass vulnerability in master token logic. When anonymous viewing is enabled, attackers can...

This vulnerability in nr modem allows remote attackers to cause a system crash through improper input validation, leading to denial of service without...

This vulnerability in nr modem software allows remote attackers to cause a system crash through improper input validation, leading to denial of servic...

This vulnerability in nr modem allows remote attackers to cause a system crash through improper input validation, leading to denial of service. It aff...

An unauthenticated remote attacker can steal valid session tokens from UBR devices because tokens are exposed in plaintext within URL parameters of th...

This vulnerability in nr modem allows remote attackers to cause a system crash through improper input validation, leading to denial of service without...

Ghost CMS versions 5.101.6 through 6.19.2 have incomplete CSRF protections in the session verification endpoint, allowing attackers to use one-time co...

A vulnerability in express-rate-limit middleware versions 8.0.0 through 8.3.0 causes all IPv4 clients to share the same rate-limit bucket when using I...

The JS Archive List WordPress plugin is vulnerable to PHP object injection through the 'included' shortcode attribute. Authenticated attackers with Co...

This SQL injection vulnerability in the WordPress ZIP Code Based Content Protection plugin allows unauthenticated attackers to inject malicious SQL qu...

This vulnerability allows attackers to bypass route-based middleware protections in @hono/node-server applications by using URL-encoded slashes (%2F) ...

This vulnerability allows attackers to bypass rate limiting on WebSocket authentication requests, enabling denial-of-service attacks that disrupt legi...

A denial of service vulnerability in CoreDNS's loop detection plugin allows attackers to crash DNS servers by sending specially crafted DNS queries. T...

An absolute path traversal vulnerability in Navtor NavBox allows unauthenticated remote attackers to read arbitrary files from the filesystem. This af...

Mongoose Web Server 6.9 contains a denial of service vulnerability where remote attackers can crash the service by establishing multiple socket connec...

Easyndexer 1.0 contains an unauthenticated arbitrary file download vulnerability that allows attackers to retrieve sensitive system files by manipulat...

AMPPS 2.7 contains a denial of service vulnerability where remote attackers can crash the service by sending malformed data to the default HTTP port. ...

SVGO versions 2.1.0-2.8.0, 3.0.0-3.3.2, and before 4.0.1 are vulnerable to XML entity expansion attacks. Attackers can craft small malicious SVG files...

This CVE describes a path traversal vulnerability in Talishar, a fan-made Flesh and Blood project, where the ParseGamestate.php component can be acces...

This CVE describes a WebSocket API vulnerability where missing rate limiting on authentication requests allows attackers to conduct denial-of-service ...

OpenClaw versions before 2026.2.15 use deprecated SHA-1 hashing for sandbox identifier cache keys, making them vulnerable to collision attacks. Attack...

OpenClaw versions before 2026.2.14 have a webhook routing vulnerability in the Google Chat monitor component that allows attackers to misroute webhook...

OpenClaw versions before 2026.2.13 contain a path traversal vulnerability in browser control API endpoints that handle trace and download files. Attac...

OpenClaw versions before 2026.2.2 fail to validate Telegram webhook secrets, allowing unauthenticated attackers to send forged Telegram updates. This ...

CVE-2026-28789 is an unauthenticated denial-of-service vulnerability in OliveTin's OAuth2 login flow. Attackers can crash the service by sending concu...

CVE-2026-28342 is an unauthenticated denial-of-service vulnerability in OliveTin's PasswordHash API endpoint. Attackers can send concurrent password h...

This vulnerability allows remote unauthenticated attackers to bypass Traefik's protection mechanisms and remove critical X-Forwarded headers that iden...

This vulnerability allows remote unauthenticated attackers to cause denial of service in Traefik by exploiting a TLS handshake flaw. Attackers can sen...

This vulnerability in Eclipse Jetty's GzipHandler causes a memory leak when processing compressed HTTP requests without compressed responses. Attacker...

This vulnerability in Hono web framework allows attackers to bypass route-based middleware protections (like authentication) for static files by using...

This vulnerability in cpp-httplib allows attackers to bypass configured payload size limits by sending compressed HTTP requests. When using streaming ...

An argument injection vulnerability in bird-lg-go's traceroute module allows remote attackers to inject arbitrary command-line flags via the q paramet...

This SQL injection vulnerability in the JS Help Desk WordPress plugin allows unauthenticated attackers to inject malicious SQL queries via a cookie pa...

This vulnerability allows unauthenticated attackers to cause CPU exhaustion denial-of-service by sending specially crafted JWE tokens with extremely h...

This vulnerability allows unauthenticated attackers to download arbitrary files from Weintek cMT-3072XH2 HMI devices via the download_wb.cgi component...

This vulnerability allows unauthenticated attackers to bypass signature verification in PKCS7 objects with Authenticated Attributes in AWS-LC. It affe...

A certificate validation bypass vulnerability in AWS-LC's PKCS7_verify() function allows unauthenticated attackers to bypass certificate chain verific...

This vulnerability in Koa.js allows attackers to inject malicious hostnames via specially crafted HTTP Host headers containing '@' symbols. Applicatio...

This vulnerability in minimatch allows attackers to cause denial of service by crafting glob patterns with multiple non-adjacent ** segments, causing ...

The WP Responsive Images WordPress plugin contains a path traversal vulnerability in the 'src' parameter that allows unauthenticated attackers to read...

This vulnerability in pypdf allows attackers to craft malicious PDF files that cause denial of service by exhausting system RAM when the XFA property ...

CVE-2026-27831 is a heap-based out-of-bounds read vulnerability in rldns DNS server version 2.3 that can cause denial of service. The vulnerability al...

This vulnerability allows authenticated users to achieve remote code execution by uploading a ZIP file containing a file with shell metacharacters in ...

TinyWeb versions before 2.02 are vulnerable to Slowloris denial-of-service attacks where attackers can exhaust server resources by opening many connec...

This is a use-after-free vulnerability in FreeRDP's X11 client implementation where a freed pointer is dereferenced during cleanup. An attacker could ...

This vulnerability in FreeRDP allows a malicious RDP server to trigger an out-of-bounds read by sending an execResult value of 7 or greater. This coul...

An unauthenticated attacker can cause Denial of Service on GitLab instances by sending specially crafted requests to the Jira events endpoint. This af...