CVE Trends

Currently trending CVE - Hype Score: 13 - FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. In versions prior to 16.0.92 for FreePBX 16 and versions prior to 17.0.6 for FreePBX 17, the Endpoint Manager module contains an authenticated arbitrary file upload vulnerability affecting ...

Currently trending CVE - Hype Score: 1 - pgAdmin versions up to 9.10 are affected by a Remote Code Execution (RCE) vulnerability that occurs when running in server mode and performing restores from PLAIN-format dump files. This issue allows attackers to inject and execute arbitrary commands on the server hosting ...

Currently trending CVE - Hype Score: 1 - Improper access control in Windows Remote Access Connection Manager allows an authorized attacker to elevate privileges locally.

Currently trending CVE - Hype Score: 14 - In specific circumstances, due to a weakness in the Pseudo Random Number Generator (PRNG) that is used, it is possible for an attacker to predict the source port and query ID that BIND will use. This issue affects BIND 9 versions 9.16.0 through 9.16.50, 9.18.0 through 9.18.39, ...

Currently trending CVE - Hype Score: 1 - Use after free in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally.

Currently trending CVE - Hype Score: 19

Currently trending CVE - Hype Score: 19

Currently trending CVE - Hype Score: 19

Currently trending CVE - Hype Score: 19

Currently trending CVE - Hype Score: 1 - Gladinet CentreStack through 16.1.10296.56315 (fixed in 16.4.10315.56368) has a deserialization vulnerability due to the CentreStack portal's hardcoded machineKey use, as exploited in the wild in March 2025. This enables threat actors (who know the machineKey) to serialize a ...

Currently trending CVE - Hype Score: 17 - It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and does not prevent a denial of service attack in a specific case. React Server Components versions 19.0.2, 19.1.3 and 19.2.2 are affected, allowing unsafe deserialization of payloads ...

Currently trending CVE - Hype Score: 17 - Out-of-bounds read in Windows Defender Firewall Service allows an authorized attacker to disclose information locally.

Currently trending CVE - Hype Score: 8 - Improper neutralization of special elements used in a command ('command injection') in Windows PowerShell allows an unauthorized attacker to execute code locally.

Currently trending CVE - Hype Score: 1 - Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation and client-server communication. Versions 1.4.0 through 1.4.16 contain a prototype pollution vulnerability in `mergeDeep` after merging results of two standard schema validations with ...

Currently trending CVE - Hype Score: 1 - Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. This CVE covers the same ...

Currently trending CVE - Hype Score: 1 - In multiple locations, there is a possible way to launch activities from the background due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Currently trending CVE - Hype Score: 21 - The ICTBroadcast application unsafely passes session cookie data to shell processing, allowing an attacker to inject shell commands into a session cookie that get executed on the server. This results in unauthenticated remote code execution in the session handling. Versions ...

Currently trending CVE - Hype Score: 14 - Array Networks ArrayOS AG before 9.4.5.9 allows command injection, as exploited in the wild in August through December 2025.

Currently trending CVE - Hype Score: 19 - Cal.com is open-source scheduling software. Prior to 5.9.8, A flaw in the login credentials provider allows an attacker to bypass password verification when a TOTP code is provided, potentially gaining unauthorized access to user accounts. This issue exists due to problematic ...

Currently trending CVE - Hype Score: 19 - In PHP versions 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would ...