🔥 Trending CVEs - Last 90 Days

This SQL injection vulnerability in ChurchCRM allows malicious or compromised administrator accounts to execute arbitrary SQL commands. Attackers can ...

RiteCMS v3.1.0 contains an authenticated remote code execution vulnerability in the parse_special_tags() function that allows authenticated users to e...

This Cross-site scripting (XSS) vulnerability in Open Source Point of Sale v3.4.1 allows remote attackers to inject malicious scripts via the phone_nu...

This Cross-site scripting (XSS) vulnerability in Open Source Point of Sale v3.4.1 allows remote attackers to inject malicious scripts via the 'name' p...

A vulnerability in Radiometer medical device software allows remote code execution and unauthorized device management when specific internal condition...

This vulnerability allows high-privileged attackers to execute arbitrary operating system commands on WaveStore Server through path traversal in the s...

A stack-based buffer overflow vulnerability in SEIKO EPSON Web Config allows authenticated users to execute arbitrary code by sending specially crafte...

This SQL injection vulnerability in Placeto CMS Alpha rv.4 allows authenticated attackers to manipulate database queries through the 'page' parameter ...

Clinic Pro software contains a SQL injection vulnerability in the monthly_expense_overview endpoint's month parameter. Authenticated attackers can inj...

This vulnerability in OpenEMR allows any authenticated user to bypass authorization checks and perform administrative actions. It affects all OpenEMR ...

An improper certificate validation vulnerability in Lenovo Filez allows attackers who can intercept network traffic to execute arbitrary code on affec...

A local privilege escalation vulnerability in Lenovo Vantage and Lenovo Baiying software allows authenticated local users to modify arbitrary Windows ...

Flowise versions before 3.0.13 contain a Server-Side Request Forgery (SSRF) vulnerability in HTTP Node components. This allows attackers to force the ...

CVE-2026-28512 is an OpenID Connect callback URL validation bypass in Pocket ID versions 2.0.0 through 2.3.x. Attackers can craft malicious authorizat...

InstantCMS versions before 2.18.1 lack CSRF token validation, allowing attackers to perform unauthorized actions on behalf of authenticated users. Att...

A privilege escalation vulnerability in SiYuan Note's publish service allows authenticated users with read-only publish accounts (RoleReader) to modif...

A stack buffer overflow vulnerability in ImageMagick's morphology kernel parsing functions allows attackers to corrupt the stack by providing speciall...

This vulnerability in pyLoad allows attackers to bypass directory traversal protections in the edit_package() function using recursive path sequences ...

Facturation System 1.0 contains an SQL injection vulnerability in the editar_producto.php endpoint that allows authenticated attackers to execute arbi...

Maitra 1.7.2 contains an SQL injection vulnerability in the mailid parameter of outmail and inmail modules, allowing authenticated attackers to execut...

Galaxy Forces MMORPG 0.5.8 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries through the 't...

This vulnerability involves default credentials for a local privileged user in Acronis Cyber Protect virtual appliances. Attackers can gain administra...

OpenClaw versions before 2026.2.12 have a path traversal vulnerability where authenticated attackers can use unsanitized sessionId or sessionFile para...

OpenClaw versions before 2026.2.14 have an OAuth state validation bypass in the manual Chutes login flow that allows attackers to bypass CSRF protecti...

OpenClaw versions before 2026.2.12 have an arbitrary file write vulnerability where authenticated gateway clients can manipulate the sessionFile path ...

This vulnerability in Frappe framework allows authenticated users to share documents with permissions they don't possess, potentially granting unautho...

This CVE describes an improper verification vulnerability in Huawei email applications that could allow attackers to access sensitive information. The...

CVE-2019-25503 is an unauthenticated SQL injection vulnerability in PHPads 2.0 that allows attackers to execute arbitrary SQL queries through the bann...

Tradebox 5.4 contains an SQL injection vulnerability in the monthly_deposit endpoint's symbol parameter that allows authenticated attackers to execute...

This XML External Entity (XXE) vulnerability in IBM InfoSphere Information Server allows attackers to read sensitive files from the server by exploiti...

This vulnerability allows authenticated local users in ZimaOS to craft requests targeting internal IP addresses and services, potentially accessing HT...

This cryptographic vulnerability in Qualcomm chipsets allows the High-Level Operating System (HLOS) to access the boot loader's certificate chain thro...

Zed code editor versions before 0.225.9 have a symlink escape vulnerability that allows reading and writing files outside the project directory when s...

A heap buffer overflow vulnerability in iccDEV allows reading past allocated memory boundaries when parsing ICC profile XML text description tags. Thi...

A local privilege escalation vulnerability in udisks allows unprivileged users to trigger the root-owned daemon to overwrite LUKS encryption headers. ...

This CVE describes a Cross-Site WebSocket Hijacking vulnerability in Traccar GPS tracking system versions up to 6.11.1. Attackers can bypass Same Orig...

OpenSift versions 1.1.2-alpha and below have a server-side request forgery (SSRF) vulnerability where URL ingest functionality can be tricked into fet...

This vulnerability in Key Systems Inc Global Facilities Management Software allows remote attackers to access sensitive information through the sid qu...

This stored cross-site scripting (XSS) vulnerability in the PixelYourSite WordPress plugin allows attackers to inject malicious scripts that execute w...

This DOM-based cross-site scripting (XSS) vulnerability in the PhotoMe WordPress theme allows attackers to inject malicious scripts into web pages vie...

This vulnerability allows attackers to inject malicious scripts into web pages generated by the Grand Conference WordPress theme. When users visit a s...

This is a reflected cross-site scripting (XSS) vulnerability in the Link Whisper Free WordPress plugin. Attackers can inject malicious scripts via cra...

This vulnerability allows attackers to inject malicious scripts into web pages through the Visitor Maps Extended Referer Field WordPress plugin. When ...

This vulnerability allows attackers to inject malicious scripts into web pages generated by the Diamond WordPress theme, which are then executed in vi...

This CVE describes a missing authorization vulnerability in the WooCommerce Bulk Product Editor plugin that allows attackers to exploit incorrectly co...

This vulnerability allows attackers to inject malicious scripts into web pages viewed by other users through DOM-based cross-site scripting (XSS) in t...

This stored cross-site scripting (XSS) vulnerability in the NEX-Forms WordPress plugin allows attackers to inject malicious scripts into web pages tha...

This vulnerability allows attackers to inject malicious scripts into web pages generated by the NEX-Forms WordPress plugin. When users visit a special...

This vulnerability allows attackers to inject malicious scripts into web pages generated by the GhostPool Aardvark WordPress theme. When users visit a...

This CVE describes a reflected cross-site scripting (XSS) vulnerability in the WordPress Simple Archive Generator plugin. Attackers can inject malicio...