🔥 Trending CVEs - Last 90 Days

An unauthenticated attacker can cause denial of service in GitLab by sending specially crafted files to the container registry event endpoint. This af...

OpenEMR versions before 8.0.0 have a session expiration bypass vulnerability. Attackers can send a specific parameter (skip_timeout_reset=1) to preven...

A firewall misconfiguration allows external attackers to connect to internal services through WAN port 5222, bypassing intended network segmentation. ...

CVE-2026-27730 is a Server-Side Request Forgery (SSRF) vulnerability in esm.sh's fetch route that allows attackers to bypass hostname-based validation...

The Geo Mashup WordPress plugin contains an SQL injection vulnerability in the 'sort' parameter that allows unauthenticated attackers to execute arbit...

The WPGSI: Spreadsheet Integration plugin for WordPress has critical REST API endpoints that lack proper authentication and authorization checks. Unau...

tfplan2md versions before 1.26.1 fail to properly mask sensitive values in Terraform plan reports, exposing secrets like API keys, passwords, and conf...

This vulnerability in Parse Dashboard's AI Agent API endpoint allows unauthenticated remote attackers to perform arbitrary read and write operations o...

A bug in Wasmtime's async component model implementation causes a panic when call_async futures are dropped before completion and then called again on...

This vulnerability in Wasmtime's WASI HTTP implementation causes denial of service when excessive HTTP headers are processed. The runtime panics inste...

A path traversal vulnerability in Fiber's static middleware on Windows allows remote attackers to bypass sanitization and read arbitrary files from th...

CVE-2026-25899 is a memory exhaustion vulnerability in GoFiber v3 web framework where a specially crafted 10-character cookie value triggers unvalidat...

Piwigo versions 14.x have a weak secret key generation vulnerability during installation. Attackers can brute-force the secret key in about one hour, ...

This vulnerability in Binardat 10G08-0800GSM network switches allows attackers to perform brute-force attacks against login credentials due to missing...

Binardat 10G08-0800GSM network switches expose administrative passwords in plaintext within the web interface and HTTP responses, allowing attackers t...

This vulnerability in Binardat 10G08-0800GSM network switches allows attackers to decrypt protected data due to the use of RC4 encryption with a hard-...

CVE-2026-27584 is an authentication bypass vulnerability in ActualBudget server that allows unauthenticated attackers to access sensitive bank account...

This vulnerability allows attackers to read uninitialized memory in Firefox and Firefox Focus for Android, potentially exposing sensitive information....

This vulnerability affects IEC 60870-5-104 implementations when bi-directional functionality is configured. Attackers can send specially crafted inval...

ImageMagick versions prior to 7.1.2-15 and 6.9.13-40 contain a memory allocation vulnerability in SVG processing. A malicious SVG file with a crafted ...

A denial-of-service vulnerability in free5GC SMF allows attackers to crash the Session Management Function by sending malformed PFCP SessionReportRequ...

ImageMagick versions before 7.1.2-15 and 6.9.13-40 have a heap information disclosure vulnerability in their PSD format handler. When processing speci...

This vulnerability in ImageMagick allows attackers to cause denial of service by exploiting an infinite loop in PCD file processing. When ImageMagick ...

A heap-based buffer overflow vulnerability in free5GC go-upf versions before 1.2.8 allows remote attackers to cause denial of service by sending speci...

This vulnerability in Valkey allows attackers with access to the clusterbus port to send specially crafted packets that cause out-of-bounds reads, pot...

CVE-2019-25461 is an unauthenticated SQL injection vulnerability in Web Ofisi Platinum E-Ticaret v5 e-commerce software. Attackers can inject maliciou...

Web Ofisi Firma v13 contains an unauthenticated SQL injection vulnerability in the 'oz' parameter. Attackers can inject malicious SQL payloads via GET...

Web Ofisi E-Ticaret v3 contains an unauthenticated SQL injection vulnerability in the 'a' parameter that allows attackers to execute arbitrary SQL que...

Dolibarr ERP/CRM 10.0.1 contains SQL injection vulnerabilities in card.php endpoints that allow authenticated attackers to inject malicious SQL throug...

GetSimple CMS has a path traversal vulnerability in its Uploaded Files feature that allows attackers to read arbitrary files on the server. This affec...

This vulnerability allows unauthenticated attackers to execute arbitrary SQL commands on LabCollector 5.423 by injecting malicious code through login ...

CVE-2019-25432 is an SQL injection vulnerability in Part-DB's authentication system that allows unauthenticated attackers to bypass login by injecting...

openITCOCKPIT Community Edition 5.3.1 and earlier contains an unsafe PHP deserialization vulnerability in changelog processing. While no current explo...

CVE-2026-24891 is an unsafe deserialization vulnerability in openITCOCKPIT monitoring tool that allows PHP Object Injection when untrusted systems can...

This vulnerability exposes user credentials through unencrypted HTTP Basic Authentication in an embedded web interface. Attackers on the same network ...

This vulnerability allows attackers to bypass authentication and spoof identities in the WooODT Lite WordPress plugin. It affects all WooCommerce site...

This CVE describes a PHP Local File Inclusion vulnerability in the Simple Retail Menus WordPress plugin. Attackers can include arbitrary local files f...

This CVE describes a missing authorization vulnerability in the Jthemes Exzo WordPress theme that allows attackers to bypass access controls. It affec...

This CVE describes a PHP Local File Inclusion vulnerability in the WP Shop WordPress plugin. Attackers can include arbitrary local files through impro...

This vulnerability allows attackers to include local files on the server through improper filename control in PHP include/require statements. It affec...

This CVE describes a missing authorization vulnerability in the ModelTheme Framework WordPress plugin that allows attackers to bypass access controls....

This CVE describes a missing authorization vulnerability in the GhostPool Gauge WordPress theme that allows attackers to bypass access controls. The v...

This CVE describes a Missing Authorization vulnerability in the NextMove Lite WordPress plugin that allows attackers to bypass access controls. The vu...

This CVE describes a Missing Authorization vulnerability in the YayCommerce YayCurrency WordPress plugin that allows attackers to delete arbitrary con...

OpenClaw's Feishu extension had a path traversal vulnerability that allowed reading arbitrary local files by supplying attacker-controlled paths. This...

OpenClaw's SSRF protection could be bypassed using IPv4-mapped IPv6 addresses, allowing attackers to access restricted internal resources like localho...

OpenClaw versions 2026.2.13 and below with the @openclaw/voice-call plugin allow unauthenticated attackers to forge Telnyx webhook events when telnyx....

This vulnerability allows attackers to bypass authentication in OpenClaw's BlueBubbles iMessage plugin by sending webhook requests from localhost addr...

A logic flaw in httpsig-hyper versions before 0.0.23 causes digest verification to always succeed regardless of actual digest values, allowing message...

A cryptographic flaw in go-ethereum's ECIES implementation allows attackers to extract bits of the p2p node key. This affects all Geth nodes running v...