🔥 Trending CVEs - Last 90 Days

Airleader Master versions 6.381 and prior have unrestricted file upload functionality on multiple webpages running with maximum privileges. This allow...

This vulnerability in Inspektor Gadget allows malicious containers to inject ANSI escape sequences into terminal output, potentially enabling terminal...

This vulnerability in FrankenPHP allows an attacker to manipulate Unicode characters in request paths to cause the server to execute unintended PHP fi...

CVE-2025-70314 is a critical buffer overflow vulnerability in webfsd 1.21 that allows remote attackers to execute arbitrary code by sending a speciall...

CVE-2026-26218 allows unauthenticated attackers to gain administrative control of newbee-mall applications by using predictable default passwords on p...

CVE-2025-70981 is a critical SQL injection vulnerability in CordysCRM 1.4.1 that allows attackers to execute arbitrary SQL commands through the depart...

This vulnerability allows attackers to upload malicious files to NTN Smart Panel systems, bypassing access controls. Attackers can execute arbitrary c...

This SQL injection vulnerability in Farktor Software's E-Commerce Package allows attackers to execute arbitrary SQL commands through the application. ...

This critical vulnerability in the AdForest WordPress theme allows unauthenticated attackers to bypass authentication and log in as any user, includin...

This vulnerability in the PF-50 1.2 keyfob of the PGST PG107 Alarm System allows attackers to perform code replay attacks, enabling unauthorized acces...

CVE-2026-26021 is a prototype pollution vulnerability in the npm package set-in that allows attackers to modify Object.prototype through crafted array...

A buffer overflow vulnerability in PJSIP's PJNATH ICE Session component allows attackers to execute arbitrary code or cause denial of service by sendi...

CVE-2020-37186 is a critical remote code execution vulnerability in Chevereto image hosting software. Attackers can inject malicious PHP code during d...

CVE-2020-37181 is a critical stack overflow vulnerability in Torrent FLV Converter 1.51 Build 117 that allows attackers to execute arbitrary code by e...

CVE-2020-37183 is a critical stack overflow vulnerability in Allok RM RMVB to AVI MPEG DVD Converter that allows remote code execution. Attackers can ...

CVE-2020-37176 is a critical stack overflow vulnerability in Torrent 3GP Converter 1.51 that allows remote attackers to execute arbitrary code by expl...

CVE-2020-37153 allows attackers to execute arbitrary system commands and perform cross-site scripting attacks in ASTPP VoIP billing software. This can...

This vulnerability in DiskCache (python-diskcache) allows arbitrary code execution when an attacker with write access to the cache directory injects m...

This CVE describes a stack buffer overflow vulnerability in OpenSatKit 2.2.1's file management component. Attackers can exploit this by providing long...

CVE-2025-69874 is a critical path traversal vulnerability in nanotar that allows attackers to write arbitrary files outside the intended extraction di...

This vulnerability allows unauthenticated attackers to remotely change device passwords via an unprotected API endpoint. It affects systems running vu...

METIS WIC devices with firmware versions up to oscore 2.1.234-r18 expose an unauthenticated web-based shell at the /console endpoint. This allows remo...

This vulnerability allows attackers to insert sensitive information into externally accessible files or directories in Logo j-Platform due to incorrec...

This CVE describes a link following vulnerability in QNAP operating systems that allows remote attackers to traverse the file system to unintended loc...

This vulnerability allows unauthenticated attackers to access critical functions in Dinosoft ERP without proper authentication or access controls. Att...

This vulnerability allows unauthenticated attackers to upload arbitrary PHP files to WordPress sites using the WPvivid Backup & Migration plugin, lead...

CVE-2026-25993 is a second-order SQL injection vulnerability in EverShop eCommerce platform that allows attackers to execute arbitrary SQL commands. A...

This critical vulnerability in Azure SDK allows remote code execution through deserialization of untrusted data. Attackers can exploit this over a net...

CASL Ability versions 2.4.0 through 6.7.4 contain a prototype pollution vulnerability that allows attackers to modify JavaScript object prototypes, po...

This authentication bypass vulnerability in Apache Druid allows attackers to gain unauthorized access by exploiting LDAP anonymous bind configurations...

This Server-Side Request Forgery (SSRF) vulnerability in Teknolist Okulistik allows attackers to make unauthorized requests from the vulnerable server...

Agentflow software by Flowring has a Missing Authentication vulnerability (CWE-288) that allows unauthenticated remote attackers to directly access da...

Agentflow software from Flowring contains an authentication bypass vulnerability that allows unauthenticated remote attackers to obtain arbitrary user...

An authentication bypass vulnerability in FUXA web-based SCADA/HMI software allows unauthenticated remote attackers to execute arbitrary code on the s...

An authentication bypass vulnerability in FUXA web-based SCADA/HMI software allows unauthenticated remote attackers to gain administrative access via ...

An insecure default configuration in FUXA web-based SCADA/HMI software allows unauthenticated remote attackers to gain administrative access and execu...

CVE-2026-25895 is a path traversal vulnerability in FUXA web-based SCADA/HMI software that allows unauthenticated remote attackers to write arbitrary ...

PlaciPy version 1.0.0 passes user-controlled query parameters directly into DynamoDB query/filter construction without validation or sanitization. Thi...

This vulnerability allows attackers to bypass authorization in PlaciPy placement management systems by manipulating JWT claims. Attackers can escalate...

This vulnerability in PlaciPy version 1.0.0 allows attackers to execute code evaluation outside of intended assessment windows due to missing lifecycl...

This SQL injection vulnerability in Xpoda Studio allows attackers to execute arbitrary SQL commands on the database. All users running Xpoda Studio ve...

This critical vulnerability allows unauthenticated remote attackers to trigger a stack buffer overflow by sending oversized cookie values. Successful ...

This vulnerability allows unauthenticated remote attackers to decrypt stored user credentials by accessing configuration files containing AES-ECB encr...

An unauthenticated remote attacker can crash or potentially execute arbitrary code on lighttpd web servers by sending a specially crafted HTTP request...

The jsonpath package is vulnerable to arbitrary code execution via malicious JSON Path expressions. Attackers can inject JavaScript code that gets exe...

This vulnerability in Yokogawa's FAST/TOOLS allows web servers to be accessed directly by IP address, making them susceptible to automated scanning an...

The OPTIONS method vulnerability in Yokogawa FAST/TOOLS web servers exposes HTTP method information that could aid attackers in reconnaissance and sub...

The JAY Login & Register WordPress plugin allows unauthenticated attackers to update arbitrary user metadata through a vulnerable AJAX function, enabl...

This vulnerability allows unauthenticated attackers to reset passwords for any user account by exploiting a flawed OTP verification process in the pas...

CVE-2020-37162 is a critical buffer overflow vulnerability in Wedding Slideshow Studio 1.36 that allows remote attackers to execute arbitrary code by ...