🔥 Trending CVEs - Last 90 Days
4,671 critical and high-severity vulnerabilities discovered in the last 90 days. Stay ahead of emerging threats with real-time CVE tracking and instant security alerts.
Critical & High-Risk CVEs
Wedding Slideshow Studio 1.36 contains a buffer overflow vulnerability in the registration name field that allows attackers to execute arbitrary code....
📅 28 days ago • Feb 7, 2026
3DP-MANAGER versions 2.0.1 and earlier automatically create an administrative account with default credentials (admin/admin) on first initialization. ...
📅 28 days ago • Feb 6, 2026
This is a critical SQL injection vulnerability in Payload CMS versions before 3.73.0 that allows unauthenticated attackers to extract sensitive data a...
📅 28 days ago • Feb 6, 2026
BeyondTrust Remote Support and older Privileged Remote Access versions contain a critical pre-authentication remote code execution vulnerability. Unau...
📅 28 days ago • Feb 6, 2026
PlaciPy placement management system version 1.0.0 uses a hard-coded default password for all newly created student accounts, enabling attackers to log...
📅 28 days ago • Feb 6, 2026
This vulnerability allows attackers to modify files in the .git directory of Gogs installations, potentially leading to remote command execution. It a...
📅 29 days ago • Feb 6, 2026
A critical stack-based buffer overflow vulnerability in IP-COM W30AP access points allows remote attackers to execute arbitrary code or crash the devi...
📅 29 days ago • Feb 6, 2026
An unauthenticated SQL injection vulnerability in Fortinet FortiClientEMS allows attackers to execute arbitrary SQL commands via crafted HTTP requests...
📅 29 days ago • Feb 6, 2026
The WP Duplicate plugin for WordPress has a critical vulnerability that allows authenticated attackers with subscriber-level access to upload arbitrar...
📅 29 days ago • Feb 6, 2026
This critical vulnerability in Azure Front Door allows attackers to bypass authentication and authorization controls, potentially gaining unauthorized...
📅 29 days ago • Feb 5, 2026
CVE-2020-37125 is a critical remote code execution vulnerability in Edimax EW-7438RPn-v3 Mini range extenders that allows unauthenticated attackers to...
📅 30 days ago • Feb 5, 2026
Quick.Cart e-commerce software has a session fixation vulnerability where an attacker can set a victim's session ID before authentication, then hijack...
📅 30 days ago • Feb 5, 2026
This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in AutoGPT's RSSFeedBlock component. Attackers can exploit unfiltered URL inputs...
📅 30 days ago • Feb 4, 2026
This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in AutoGPT's SendDiscordFileBlock component. Attackers can exploit unfiltered UR...
📅 30 days ago • Feb 4, 2026
CVE-2026-25526 is a critical vulnerability in JinJava template engine that allows attackers to bypass sandbox restrictions and execute arbitrary Java ...
📅 30 days ago • Feb 4, 2026
CVE-2025-13375 is a critical vulnerability in IBM Common Cryptographic Architecture (CCA) that allows unauthenticated attackers to execute arbitrary c...
📅 30 days ago • Feb 4, 2026
Bambuddy versions before 0.1.7 have two critical authentication flaws: a hardcoded JWT secret key in source code and missing authentication checks on ...
📅 30 days ago • Feb 4, 2026
A path traversal vulnerability in the unstructured library's partition_msg function allows attackers to write or overwrite arbitrary files on the file...
📅 31 days ago • Feb 4, 2026
This SQL injection vulnerability in Martcode Software's Delta Course Automation allows attackers to execute arbitrary SQL commands on the database. Al...
📅 31 days ago • Feb 4, 2026
EspoCRM 5.8.5 contains an authentication bypass vulnerability that allows attackers to access other user accounts by manipulating authorization header...
📅 31 days ago • Feb 3, 2026
CVE-2020-37082 is an unauthenticated file access vulnerability in webERP 4.15.1 that allows remote attackers to download database backup files without...
📅 31 days ago • Feb 3, 2026
CVE-2020-37068 is a critical buffer overflow vulnerability in Konica Minolta FTP Utility 1.0 that allows attackers to crash the FTP server and potenti...
📅 31 days ago • Feb 3, 2026
A heap buffer overflow vulnerability in Fast DDS allows unauthenticated attackers to send a single malformed RTPS DATA_FRAG packet, causing immediate ...
📅 31 days ago • Feb 3, 2026
This SQL injection vulnerability in PEAR's user::maintains() function allows attackers to execute arbitrary SQL commands when role filters are provide...
📅 31 days ago • Feb 3, 2026
This CVE describes an unauthenticated SQL injection vulnerability in PEAR's package retrieval endpoint. Attackers can execute arbitrary SQL commands b...
📅 31 days ago • Feb 3, 2026
A SQL injection vulnerability in PEAR's bug subscription deletion feature allows attackers to execute arbitrary SQL commands by manipulating email val...
📅 31 days ago • Feb 3, 2026
This CVE describes a SQL injection vulnerability in PEAR, a PHP component framework, where unsafe literal substitution in karma queries allows attacke...
📅 31 days ago • Feb 3, 2026
This vulnerability in PEAR (PHP Extension and Application Repository) allows remote code execution when attacker-controlled content reaches the preg_r...
📅 31 days ago • Feb 3, 2026
This SQL injection vulnerability in PEAR's category deletion function allows attackers with category manager access to execute arbitrary SQL commands....
📅 31 days ago • Feb 3, 2026
FUXA v1.2.7 contains a hard-coded JWT secret key that allows attackers to forge valid authentication tokens. This enables complete authentication bypa...
📅 32 days ago • Feb 3, 2026
FUXA v1.2.7 has an unauthenticated file upload vulnerability in the /api/upload endpoint that allows remote attackers to upload arbitrary files. This ...
📅 32 days ago • Feb 3, 2026
CVE-2025-69983 is a critical remote code execution vulnerability in FUXA v1.2.7 that allows attackers to execute arbitrary system commands through mal...
📅 32 days ago • Feb 3, 2026
This critical buffer overflow vulnerability in TOTOLINK A950RG routers allows remote attackers to execute arbitrary code or cause denial of service by...
📅 32 days ago • Feb 3, 2026
A stack-based buffer overflow vulnerability in TOTOLINK A950RG routers allows remote attackers to execute arbitrary code by sending specially crafted ...
📅 32 days ago • Feb 3, 2026
This buffer overflow vulnerability in TOTOLINK A950RG routers allows remote attackers to execute arbitrary code by sending specially crafted requests ...
📅 32 days ago • Feb 3, 2026
This SQL injection vulnerability in Shandong Kede Electronics' IoT smart water meter monitoring platform allows remote attackers to execute arbitrary ...
📅 32 days ago • Feb 3, 2026
MediaCrush versions through 1.0.1 contain an unrestricted file upload vulnerability that allows unauthenticated attackers to upload arbitrary files of...
📅 32 days ago • Feb 3, 2026
CVE-2025-57529 is a critical SQL injection vulnerability in YouDataSum CPAS Audit Management System that allows remote unauthenticated attackers to ex...
📅 32 days ago • Feb 3, 2026
This SQL injection vulnerability in DIGITA Efficiency Management System allows attackers to execute arbitrary SQL commands on the database. All system...
📅 32 days ago • Feb 3, 2026
A stack-based buffer overflow vulnerability in ELECOM wireless LAN access point devices allows remote attackers to execute arbitrary code by sending s...
📅 32 days ago • Feb 3, 2026
An unauthenticated remote attacker can write arbitrary data to any file on Asustor ADM systems when a specific function is enabled during AD Domain jo...
📅 32 days ago • Feb 3, 2026
This vulnerability in vLLM allows attackers to leak heap memory addresses by sending invalid images to the multimodal endpoint, which reduces ASLR ent...
📅 32 days ago • Feb 2, 2026
This CVE describes a critical path traversal vulnerability in Wildfire IM's file upload functionality that allows attackers to write arbitrary files a...
📅 32 days ago • Feb 2, 2026
CVE-2022-50981 allows unauthenticated remote attackers to gain full administrative access to affected devices because they ship without a default pass...
📅 33 days ago • Feb 2, 2026
CVE-2026-20418 is a critical out-of-bounds write vulnerability in Thread protocol implementations that allows remote attackers to execute arbitrary co...
📅 33 days ago • Feb 2, 2026
The User Profile Builder WordPress plugin before version 3.15.2 has an improper password reset mechanism that allows unauthenticated attackers to rese...
📅 33 days ago • Feb 2, 2026
MagicINFO 9 Server versions below 21.1090.1 contain hardcoded database credentials, allowing attackers to authenticate and manipulate the database. Th...
📅 33 days ago • Feb 2, 2026
A vulnerability in MagicInfo9 Server allows authorized users to upload HTML files without proper authentication, leading to stored cross-site scriptin...
📅 33 days ago • Feb 2, 2026
This CVE describes a code injection vulnerability in Orval, a tool that generates TypeScript clients from OpenAPI/Swagger specifications. The incomple...
📅 35 days ago • Jan 30, 2026
CVE-2025-51958 is a critical remote code execution vulnerability in the aelsantex runcommand plugin for DokuWiki. Unauthenticated attackers can execut...
📅 35 days ago • Jan 30, 2026
Why Track Trending CVEs?
Stay ahead of emerging threats: Newly discovered vulnerabilities pose the highest risk as attackers race to exploit them before patches are deployed. Trending CVEs represent the most critical security issues requiring immediate attention from security teams worldwide.
Prioritize remediation efforts: With thousands of CVEs published annually, security teams need to focus on the most recent and severe threats first. Our trending CVE dashboard highlights critical and high-severity vulnerabilities from the past 7, 30, or 90 days, helping you prioritize patching efforts.
🚀 Automated Trending CVE Monitoring
- Scan your servers to detect packages affected by trending CVEs
- Receive instant email alerts when critical vulnerabilities are discovered
- Dashboard shows CVE age, severity, CVSS scores, and affected systems
- Filter by time period (7/30/90 days) to focus on recent threats