🔥 Trending CVEs - Last 90 Days

CVE-2026-25885 is an authentication bypass vulnerability in PolarLearn's WebSocket group chat functionality. Unauthenticated attackers can subscribe t...

This vulnerability in Hollo microblogging software exposes private direct messages and followers-only posts through the ActivityPub outbox endpoint wi...

PlaciPy placement management system logs sensitive data to console output without redaction in version 1.0.0. This allows attackers with access to con...

This vulnerability in Axios allows attackers to cause denial of service by providing malicious configuration objects containing __proto__ as an own pr...

This vulnerability in Sliver C2 framework allows unauthenticated attackers to create unlimited DNS sessions without OTP validation, leading to memory ...

FileRise versions before 3.3.0 have an unauthenticated file read vulnerability where anyone can access files in the /uploads directory without authent...

CVE-2026-2236 is a SQL injection vulnerability in HGiga's C&Cm@il software that allows unauthenticated remote attackers to execute arbitrary SQL comma...

This vulnerability allows unauthenticated remote attackers to bypass authentication by exploiting insufficient URI validation. Attackers can use path ...

Yokogawa FAST/TOOLS industrial control system software uses weak cryptographic algorithms, potentially allowing attackers to decrypt web server commun...

This vulnerability in Yokogawa's FAST/TOOLS software allows attackers to potentially decrypt communications by exploiting support for outdated SSL/TLS...

A path traversal vulnerability in Yokogawa's FAST/TOOLS software allows attackers to bypass URL validation and access arbitrary files on the web serve...

DataHub's LDAP ingestion source is vulnerable to TLS downgrade attacks, allowing man-in-the-middle attackers to intercept and potentially modify LDAP ...

AdonisJS multipart file upload handler has a memory exhaustion vulnerability that allows attackers to cause denial of service by uploading specially c...

A critical IDOR vulnerability in Spree Commerce allows guest users to manipulate address ID parameters during checkout, bypassing ownership validation...

This vulnerability in NiceGUI allows attackers to perform path traversal attacks by uploading files with malicious filenames containing '../' sequence...

The MCP Salesforce Connector prior to version 0.1.10 allows arbitrary attribute access that can lead to disclosure of Salesforce authentication tokens...

CVE-2026-25724 is a symbolic link bypass vulnerability in Claude Code that allows reading files explicitly denied in settings.json. Attackers could ac...

MuPDF versions 1.23.0 through 1.27.0 contain a double-free vulnerability in the barcode decoding functionality. When processing specially crafted inpu...

This vulnerability allows unauthorized access to forum post custom fields through JSON output, bypassing access control settings. It affects EasyDiscu...

This vulnerability allows unauthenticated attackers to access the /wizard_reboot.asp page on Edimax EW-7438RPn-v3 Mini range extenders, which disclose...

This vulnerability in the Bytes library allows integer overflow in the BytesMut::reserve function, which can cause memory corruption and out-of-bounds...

CVE-2026-25575 is a path traversal vulnerability in NavigaTUM's propose_edits endpoint that allows unauthenticated attackers to overwrite files in wri...

This vulnerability in the jsonwebtoken Rust library allows attackers to bypass time-based security restrictions like 'Not Before' (nbf) and 'Expiratio...

This vulnerability in the Terraform/OpenTofu Proxmox provider allows attackers to escape restricted directories via path traversal (../) in SSH config...

Apollo Server's startStandaloneServer function is vulnerable to denial-of-service attacks when attackers send GraphQL requests with specially crafted ...

CVE-2025-71031 is a denial-of-service vulnerability in Water-Melon Melon's HTTP component that lacks request header length limits. Attackers can crash...

This vulnerability in apko allows attackers who control or compromise APK repositories to cause resource exhaustion on build hosts. By serving a small...

A path traversal vulnerability in apko's dirFS filesystem abstraction allows attackers to create directories or symlinks outside the intended installa...

An unauthenticated remote attacker can cause Cisco TelePresence and RoomOS devices to reload by sending crafted text, resulting in denial of service. ...

An unauthenticated API endpoint in Apache Answer exposes full revision history for deleted content, allowing unauthorized users to retrieve sensitive ...

The Infility Global WordPress plugin contains an unauthenticated SQL injection vulnerability in its 'infility_get_data' API endpoint. Attackers can ex...

The SEO Flow by LupsOnline WordPress plugin has an authorization bypass vulnerability that allows unauthenticated attackers to create, modify, and del...

Fastify versions before 5.7.2 have a validation bypass vulnerability where attackers can circumvent request body validation by appending a tab charact...

CVE-2020-37097 allows unauthenticated attackers to access the wlencrypt_wiz.asp file on Edimax EW-7438RPn range extenders, exposing WiFi network confi...

CVE-2026-25614 is a PHP object injection vulnerability in Blesta billing software that allows attackers to execute arbitrary code by deserializing unt...

CVE-2025-64438 is a remotely triggerable denial-of-service vulnerability in Fast DDS that allows unauthenticated attackers to cause out-of-memory cond...

A heap buffer overflow vulnerability in Fast DDS allows remote attackers to terminate the Fast-DDS process by sending specially crafted SPDP packets w...

This vulnerability in Fast DDS allows remote attackers to cause denial-of-service by sending specially crafted SPDP packets with manipulated DATA Subm...

Fast DDS versions prior to 3.4.1, 3.3.1, and 2.6.11 contain a vulnerability where malicious ParticipantGenericMessage packets can trigger excessive me...

This SQL injection vulnerability in PEAR's apidoc queue insertion allows attackers to manipulate database queries by controlling filename values. It a...

This vulnerability in PEAR (PHP Extension and Application Repository) allows attackers to guess verification tokens due to predictable hashes, potenti...

This vulnerability in Fast DDS allows remote attackers to cause a denial-of-service (DoS) by sending specially crafted SPDP packets with modified DATA...

CVE-2026-24773 is an Insecure Direct Object Reference (IDOR) vulnerability in Open eClass (formerly GUnet eClass) that allows unauthenticated attacker...

This CVE describes an authentication bypass vulnerability in chetans9 core-php-admin-panel where the authentication validation script sends a redirect...

This vulnerability in Fast DDS allows remote attackers to cause a denial of service by triggering an out-of-memory condition. When security mode is en...

A vulnerability in Samsung Exynos processors and modems allows denial of service attacks through improper handling of NAS Registration messages. Attac...

RustFS versions alpha.13 through alpha.81 log sensitive AWS credentials (access keys, secret keys, session tokens) in plaintext at INFO level. This al...

This vulnerability allows attackers to bypass IP-based access controls in RustFS by spoofing their IP address using HTTP headers. Any client that can ...

This CVE describes a PHP Local File Inclusion vulnerability in the Unicamp WordPress theme. Attackers can include arbitrary local files through improp...

This vulnerability in Django allows remote attackers to cause denial-of-service by sending crafted inputs with many unmatched HTML end tags to specifi...