🔥 Trending CVEs - Last 90 Days

This vulnerability allows remote attackers to execute arbitrary code as root on Langflow installations without authentication. The flaw exists in how ...

CVE-2026-0773 is a critical remote code execution vulnerability in Upsonic's Cloudpickle deserialization. Attackers can execute arbitrary code without...

CVE-2026-0763 is a critical deserialization vulnerability in GPT Academic's run_in_subprocess_wrapper_func that allows unauthenticated remote attacker...

CVE-2026-0764 is a critical deserialization vulnerability in GPT Academic's upload endpoint that allows unauthenticated remote attackers to execute ar...

CVE-2026-0768 is a critical remote code execution vulnerability in Langflow that allows unauthenticated attackers to execute arbitrary Python code on ...

This vulnerability allows remote attackers to execute arbitrary Python code on Langflow installations without authentication. Attackers can achieve fu...

This vulnerability allows remote attackers to execute arbitrary commands on systems running vulnerable versions of gemini-mcp-tool without authenticat...

This is a critical command injection vulnerability in github-kanban-mcp-server that allows unauthenticated remote attackers to execute arbitrary syste...

This vulnerability allows remote attackers to execute arbitrary commands on systems running Katana Network Development Starter Kit without authenticat...

CVE-2026-0760 is a critical remote code execution vulnerability in Foundation Agents MetaGPT's deserialize_message function. Attackers can exploit thi...

This critical vulnerability allows unauthenticated remote attackers to execute arbitrary Python code on systems running vulnerable versions of Foundat...

This is a critical command injection vulnerability in Ollama MCP Server that allows remote attackers to execute arbitrary system commands without auth...

This vulnerability allows remote attackers to execute arbitrary code on Framelink Figma MCP Server installations without authentication. Attackers can...

Orval versions 7.19.0 and below and 8.0.0-rc.0 through 8.0.2 contain a code injection vulnerability where untrusted OpenAPI specifications can inject ...

Dragonfly versions 2.4.1-rc.0 and below have missing authentication and authorization checks on Job API endpoints, allowing unauthenticated users with...

CVE-2026-24306 is an improper access control vulnerability in Azure Front Door that allows unauthorized attackers to elevate privileges over a network...

Soft Serve versions 0.11.2 and below have a critical authentication bypass vulnerability that allows attackers to impersonate any user, including admi...

This vulnerability in Apryse HTML2PDF SDK allows attackers to execute arbitrary operating system commands on servers using the InsertFromURL() functio...

This CVE describes a Missing Authorization vulnerability in the BA Book Everything WordPress plugin that allows attackers to bypass access controls. I...

This CVE describes a PHP Local File Inclusion vulnerability in the Golo WordPress theme that allows attackers to include arbitrary local files through...

This vulnerability allows attackers to include local files on the server through improper filename control in PHP include/require statements. It affec...

This vulnerability allows remote attackers to execute arbitrary code through deserialization of untrusted data in the ThemeREX Sound | Musical Instrum...

This vulnerability allows attackers to bypass authentication in the Workreap Core WordPress plugin, potentially gaining unauthorized access to user ac...

This CVE describes a Missing Authorization vulnerability in the Registration & Login with Mobile Phone Number for WooCommerce WordPress plugin. It all...

This vulnerability allows attackers to escalate privileges in LazyTasks project management software, potentially gaining administrative access. It aff...

This vulnerability allows attackers to upload arbitrary files, including web shells, to WordPress servers running the vulnerable g-FFL Checkout plugin...

CVE-2025-67617 is a PHP object injection vulnerability in the Consult Aid WordPress theme that allows attackers to execute arbitrary code by exploitin...

This vulnerability allows attackers to include local PHP files through improper filename control in the Depot WordPress theme. Attackers can potential...

This vulnerability allows attackers to include local files on the server through improper filename control in PHP's include/require statements. It aff...

This vulnerability allows attackers to upload arbitrary files, including web shells, to web servers running the Farost Energia WordPress theme. Attack...

This vulnerability allows attackers to include local PHP files through improper filename control in the Amuli WordPress theme. Attackers can potential...

This SQL injection vulnerability in the WP Lead Capturing Pages WordPress plugin allows attackers to execute arbitrary SQL commands on the database. I...

This vulnerability allows attackers to include local PHP files through improper filename control in the Anarkali WordPress theme. Attackers can potent...

This vulnerability allows remote attackers to execute arbitrary code on Tenda AX3 routers by exploiting a stack-based buffer overflow in the formGetIp...

CVE-2026-23760 is an authentication bypass vulnerability in SmarterMail's password reset API that allows unauthenticated attackers to reset administra...

This vulnerability in NervesHub allows attackers to brute-force user API tokens due to their predictable format, potentially granting unauthorized acc...

MeetingHub software from HAMASTAR Technology contains an unauthenticated arbitrary file upload vulnerability that allows remote attackers to upload ma...

The LA-Studio Element Kit for Elementor WordPress plugin allows unauthenticated attackers to create administrator accounts by manipulating the registr...

Dataease versions before 2.10.19 use MD5-hashed passwords as JWT signing secrets, allowing attackers to brute-force admin passwords via unmonitored AP...

This vulnerability in Fleet's Windows MDM enrollment flow allows attackers to bypass authentication by submitting forged JWT tokens that aren't proper...

CVE-2026-23524 is a critical deserialization vulnerability in Laravel Reverb that allows remote code execution when horizontal scaling is enabled. Att...

This vulnerability allows remote attackers to execute arbitrary code on Tenda AX3 routers by exploiting a stack overflow in the formSetIptv function. ...

This vulnerability allows remote attackers to execute arbitrary code on Tenda AX3 routers by exploiting a stack overflow in the formSetIptv function v...

This vulnerability allows remote attackers to execute arbitrary code on Tenda AX3 routers by exploiting a stack-based buffer overflow in the formGetIp...

GeoGebra CAS Calculator 6.0.631.0 contains a buffer overflow vulnerability that allows attackers to crash the application by pasting a specially craft...

CVE-2021-47854 is a critical buffer overflow vulnerability in DD-WRT's UPnP service that allows remote attackers to execute arbitrary code on affected...

Mini Mouse 9.2.0 contains an unauthenticated remote code execution vulnerability that allows attackers to execute arbitrary commands via crafted HTTP ...

CVE-2021-47748 is a critical remote code execution vulnerability in Hasura GraphQL Engine that allows attackers to execute arbitrary shell commands on...

This vulnerability in GNU Inetutils telnetd allows remote attackers to bypass authentication by setting the USER environment variable to '-f root'. Th...

This vulnerability allows unauthenticated attackers to change any user's password in the Academy LMS WordPress plugin, including administrator account...