🔥 Trending CVEs - Last 90 Days

This vulnerability allows attackers to inject malicious scripts into web pages generated by the Asynchronous Javascript WordPress plugin. When users v...

This vulnerability allows attackers to inject malicious scripts into the amr cron manager WordPress plugin, which are then reflected back to users' br...

This CVE describes a reflected cross-site scripting (XSS) vulnerability in the Widget Logic Visual WordPress plugin. Attackers can inject malicious sc...

This is a reflected cross-site scripting (XSS) vulnerability in the Crocoblock JetEngine WordPress plugin. It allows attackers to inject malicious scr...

This Cross-Site Scripting (XSS) vulnerability in the RealMag777 GMap Targeting WordPress plugin allows attackers to inject malicious scripts into web ...

This vulnerability allows attackers to inject malicious scripts into web pages generated by the Educare WordPress plugin. When users visit a specially...

This is a reflected cross-site scripting (XSS) vulnerability in the FluentCart WordPress plugin. Attackers can inject malicious scripts via crafted UR...

This is a reflected cross-site scripting (XSS) vulnerability in the WP Wizard Cloak WordPress plugin that allows attackers to inject malicious scripts...

This stored cross-site scripting (XSS) vulnerability in the WordPress Easy Taxonomy Images plugin allows attackers to inject malicious scripts into we...

CVE-2026-26960 is a path traversal vulnerability in node-tar that allows attackers to create hardlinks pointing outside the extraction directory when ...

This CVE describes a Missing Authorization vulnerability in CMSMasters Content Composer WordPress plugin that allows attackers to bypass access contro...

StorageGRID versions with Single Sign-on enabled and configured to use Microsoft Entra ID are vulnerable to Server-Side Request Forgery (SSRF). This a...

Aidigu v1.9.1 contains a stored cross-site scripting vulnerability in the password input field on the /tools/Password/add page. This allows attackers ...

IBM Db2 databases running vulnerable versions are susceptible to XML external entity injection (XXE) attacks when processing XML data. This allows rem...

This CVE describes a privacy vulnerability in Apple operating systems where an app could potentially identify what other apps a user has installed, ex...

This CVE describes a sandbox escape vulnerability in multiple Apple operating systems where an app can bypass its security restrictions. It affects us...

This vulnerability allows applications to bypass certain privacy preferences on Apple operating systems, potentially accessing sensitive user data wit...

This CVE describes an out-of-bounds memory access vulnerability in Apple's media file processing across multiple operating systems. Attackers can craf...

CVE-2026-25999 is an improper access control vulnerability in Klaw (Apache Kafka management portal) that allows unauthorized users to reset or delete ...

A local privilege escalation vulnerability in Fortinet FortiClient for Windows allows low-privileged attackers to write arbitrary files with elevated ...

CVE-2025-11142 is an OS command injection vulnerability in Axis camera VAPIX API's mediaclip.cgi endpoint that allows authenticated attackers with ope...

A path traversal vulnerability in Pydantic AI's web UI allows attackers to serve malicious JavaScript by crafting URLs with unvalidated version parame...

CVE-2026-2103 is a hard-coded cryptographic key vulnerability in Infor SyteLine ERP that allows attackers to decrypt stored credentials including pass...

The CVE-2026-25536 vulnerability in the MCP TypeScript SDK allows cross-client response data leakage when a single server/transport instance is reused...

A type confusion vulnerability in iccDEV allows malformed ICC color profiles to trigger undefined behavior when loading invalid icImageEncodingType va...

CVE-2020-37112 is an SQL injection vulnerability in GUnet OpenEclass 1.7.3 that allows authenticated attackers to manipulate database queries through ...

The Form Maker WordPress plugin has a stored XSS vulnerability in versions up to 1.15.35. Unauthenticated attackers can inject malicious JavaScript in...

A cryptographic vulnerability in Qualcomm's Trusted Zone when triggered by the High-Level Operating System (HLOS) providing incorrect input. This allo...

The Library Viewer WordPress plugin before version 3.2.0 contains a reflected cross-site scripting (XSS) vulnerability where unsanitized parameters ar...

Navigate CMS 2.8.7 contains an authenticated SQL injection vulnerability in the 'sidx' parameter of comments functionality. Attackers with valid crede...

PolarLearn's vote API route accepts arbitrary string values for the 'direction' parameter due to missing runtime validation. Attackers can send unexpe...

This CVE describes a server-side request forgery (SSRF) vulnerability in TrustTunnel VPN software that allows attackers to bypass private network rest...

A critical authentication bypass vulnerability in Podman Desktop allows any installed extension to completely circumvent permission checks and gain un...

This CVE describes an authorization bypass vulnerability in Discourse discussion platform where subscription endpoints lack proper ownership verificat...

A Server-Side Request Forgery (SSRF) vulnerability in vLLM's MediaConnector class allows attackers to bypass host restrictions and make the server sen...

A vulnerability in gix-date's TimeBuf component allows generation of invalid non-UTF8 strings, violating internal safety guarantees and causing undefi...

The AhaChat Messenger Marketing WordPress plugin through version 1.1 contains a reflected cross-site scripting (XSS) vulnerability. Attackers can inje...

CVE-2026-24410 is a vulnerability in iccDEV's ICC color management profile libraries where improper input validation in CIccProfileXml::ParseBasic() l...

CVE-2026-24411 is an undefined behavior vulnerability in iccDEV's CIccTagXmlSegmentedCurve::ToXml() function that allows attackers to perform denial o...

This vulnerability in iccDEV allows attackers to exploit undefined behavior and null pointer dereferences when processing user-controlled ICC color pr...

CVE-2026-24407 is an undefined behavior vulnerability in iccDEV's icSigCalcOp() function that allows attackers to manipulate ICC color profile data. S...

An integer overflow vulnerability in iccDEV's CIccProfile::CheckHeader() function allows attackers to trigger memory corruption or denial of service b...

A null pointer dereference vulnerability in iccDEV's CIccXmlArrayType() function allows attackers to cause denial of service, manipulate data, bypass ...

This vulnerability in ToDesktop Builder v0.33.0 allows attackers with renderer-context access to bypass validation and invoke external protocol handle...

This CVE describes an out-of-bounds read vulnerability in the Linux kernel's libceph component within the handle_auth_done() function. Attackers could...

This vulnerability allows remote attackers to execute arbitrary Python code on Langflow installations through Python function components. Attackers ca...

This stored XSS vulnerability in the Modula Image Gallery WordPress plugin allows attackers to inject malicious scripts into web pages that persist in...

This vulnerability in the Simple XML Sitemap WordPress plugin allows attackers to perform Cross-Site Request Forgery (CSRF) attacks that lead to Store...

A stored cross-site scripting vulnerability in Autodesk Fusion allows attackers to inject malicious HTML into component descriptions. When users click...

This stored cross-site scripting vulnerability in Autodesk Fusion allows attackers to inject malicious HTML into part attributes. When users click the...