Latest zero-days Total: 455, in 2020: Zero-days 20, candidates: 2

Stored cross-site scripting in Login/Signup Popup plugin for WordPress

The vulnerability exploitation was detected on May 14, 2020. The authenticated attackers can inject, via the AJAX API, JavaScript code into the plugin’s settings and use it to target the administrator in the backend of WordPress.

Remote code execution in Elementor Pro plugin for WordPress

The vulnerability exploitation was detected on May 06, 2020. The attackers can remotely execute arbitrary code.

SQL injection in Sophos XG Firewall/SFOS
CVE-2020-12271

Asnarök

The vulnerability exploitation was detected on April 22, 2020. Malware dubbed Asnarök used SQL injection vulnerability to compromise the affected devices and steal users' credentials.

Remote code execution in Apple iOS

Not patched

According to security researchers this vulnerability is being actively exploited since January 2018.

About zero-day vulnerabilities

Zero-day vulnerability is an undisclosed vulnerability in software that hackers can exploit to compromise computer programs, gain unauthorized access to sensitive data, penetrate networks, etc. We consider vulnerability a zero-day when there is no solution provided from software vendor and the vulnerability is being actively exploited by malicious actors.

Zero-day candidate is a potential zero-day vulnerability in software which might have been used in targeted attacks, however there is no evidence to support this suggestion.