🔥 Trending CVEs - Last 90 Days

The Amazon SageMaker Python SDK before v3.2.0 and v2.256.0 exposes the ModelBuilder HMAC signing key in cleartext via the DescribeTrainingJob API. Thi...

This CVE describes an authenticated command injection vulnerability in TP-Link Archer BE230 routers. Attackers with admin access can execute arbitrary...

This CVE describes a command injection vulnerability in the Archer BE230 router's VPN Connection Service that requires admin authentication. Successfu...

A command injection vulnerability in TP-Link Archer BE230 routers allows authenticated attackers to execute arbitrary OS commands via the configuratio...

This CVE describes a command injection vulnerability in TP-Link Archer BE230 routers that allows authenticated attackers to execute arbitrary commands...

This CVE describes a command injection vulnerability in TP-Link Archer BE230 routers that allows authenticated attackers to execute arbitrary commands...

This stored XSS vulnerability in the Sell BTC WordPress plugin allows unauthenticated attackers to inject malicious scripts into order records. When a...

This CVE describes a local privilege escalation vulnerability in IBM Db2 where an instance owner can execute malicious code to gain root privileges. T...

This vulnerability allows attackers with valid credentials to execute arbitrary commands on affected Hikvision Wireless Access Points by sending speci...

This vulnerability allows authenticated users of certain HIKSEMI NAS products to execute arbitrary commands on the device by sending specially crafted...

This vulnerability allows low-privilege API keys in Immich to escalate their own permissions by calling the update endpoint, granting themselves full ...

This vulnerability in the AI Engine WordPress plugin allows authenticated attackers with Editor-level access or higher to upload arbitrary files, incl...

The TableMaster for Elementor WordPress plugin has a Server-Side Request Forgery (SSRF) vulnerability that allows authenticated attackers with Author-...

This CVE describes an OS command injection vulnerability in D-Link DIR-615 routers via the MAC Filter Configuration component. Attackers can execute a...

This CVE describes a remote OS command injection vulnerability in D-Link DIR-615 routers via the /set_temp_nodes.php file in the URL Filter component....

This CVE describes an authentication bypass vulnerability in Kargo's API endpoints. Unauthenticated attackers can access configuration data (exposing ...

This SQL injection vulnerability allows authenticated admin users to execute arbitrary SQL commands through the Structure component. It affects system...

PEEL Shopping 9.3.0 contains a stored cross-site scripting vulnerability in the address parameter of change_params.php. Attackers can inject malicious...

PEEL Shopping 9.3.0 contains a stored cross-site scripting vulnerability in the 'Comments / Special Instructions' field of the purchase page. Attacker...

This Server-Side Request Forgery (SSRF) vulnerability in the WP Messiah Frontis Blocks WordPress plugin allows attackers to make unauthorized requests...

Quick.Cart e-commerce software contains a Local File Inclusion and Path Traversal vulnerability in its theme selection mechanism. This allows authenti...

This CVE describes an OS command injection vulnerability in Ruijie AP180 series access points running vulnerable firmware versions. Attackers can exec...

This stored cross-site scripting vulnerability in VestaCP allows attackers to inject malicious scripts into the IP interface configuration. When admin...

OpenLiteSpeed 1.7.9 contains a stored cross-site scripting vulnerability in the dashboard's Notes parameter that allows attackers to inject malicious ...

Moodle 3.10.3 contains a persistent cross-site scripting vulnerability in calendar event subtitles that allows attackers to inject malicious JavaScrip...

This stored cross-site scripting vulnerability in Genexis Platinum-4410 routers allows attackers to inject malicious scripts into the 'start_addr' par...

CVE-2021-47778 is a PHP code injection vulnerability in GetSimple CMS My SMTP Contact Plugin 1.1.2 that allows authenticated administrators to execute...

This vulnerability allows unauthenticated attackers to inject malicious scripts into WordPress sites using the NotificationX plugin. When users visit ...

An authenticated SQL injection vulnerability in WeGIA's Atendido_ocorrenciaControle endpoint allows attackers to extract sensitive data from the datab...

StudyMD 0.3.2 contains a persistent cross-site scripting vulnerability where attackers can upload malicious markdown files containing JavaScript paylo...

Markdownify 1.2.0 contains a persistent cross-site scripting (XSS) vulnerability that allows attackers to upload malicious markdown files containing e...

Markright 1.0 contains a persistent cross-site scripting (XSS) vulnerability where attackers can embed malicious JavaScript in markdown files. When us...

CVE-2021-47839 is a persistent cross-site scripting (XSS) vulnerability in Marky 0.0.1 that allows attackers to inject malicious JavaScript into markd...

Moeditor 0.2.0 contains a persistent cross-site scripting (XSS) vulnerability where attackers can embed malicious JavaScript in markdown files. When v...

Freeter 1.2.1 contains a persistent cross-site scripting vulnerability that allows attackers to store malicious scripts in custom widget titles and fi...

This CVE describes a cross-site scripting (XSS) vulnerability in LemonLDAP::NG's portal login page. Attackers can inject malicious scripts via the tab...

This vulnerability in Supermicro BMC firmware allows attackers to bypass validation checks and install malicious firmware images on affected servers. ...

This CVE describes a code injection vulnerability in Shopware's map() function where PHP Closures can bypass allow-list validation. It affects Shopwar...

This vulnerability allows authenticated remote attackers to perform SQL injection attacks on EdgeConnect SD-WAN Orchestrator's web management interfac...

This SQL injection vulnerability in EdgeConnect SD-WAN Orchestrator's web management interface allows authenticated attackers to execute arbitrary SQL...

This SQL injection vulnerability in EdgeConnect SD-WAN Orchestrator's web management interface allows authenticated attackers to execute arbitrary SQL...

The Name Directory WordPress plugin up to version 1.30.3 has a stored cross-site scripting vulnerability that allows unauthenticated attackers to inje...

The AJS Footnotes WordPress plugin has a stored XSS vulnerability that allows unauthenticated attackers to inject malicious scripts into website pages...

This stored XSS vulnerability in the GeekyBot WordPress plugin allows unauthenticated attackers to inject malicious scripts via chat messages. When ad...

The GetContentFromURL WordPress plugin is vulnerable to Server-Side Request Forgery (SSRF) in all versions up to 1.0. This allows authenticated attack...

CVE-2022-50939 is a critical file upload vulnerability in e107 CMS version 3.2.1 that allows authenticated administrators to overwrite arbitrary serve...

CVE-2022-50916 is a file upload vulnerability in e107 CMS version 3.2.1 that allows authenticated administrators to overwrite server files through Med...

Authenticated command injection vulnerabilities in Aruba mobility conductors running AOS-8 allow attackers with valid credentials to execute arbitrary...

Authenticated command injection vulnerabilities in Aruba mobility conductors running AOS-8 allow authenticated attackers to execute arbitrary commands...

An authenticated attacker with valid credentials can exploit improper input handling in the web management interface of Aruba mobility conductors runn...