CVEs from 2026
Total: 14,112
- critical 1,245
- high 4,691
- medium 4,468
- low 488

% Critical: 8.8%
% with KEV: 0.4%
% with exploit: 0.8%
Top vendors
Top products
- chrome 522
- firepower_threat_defense_software 300
- firepower_threat_defense 298
- gcp 247
- openclaw 172
- commerce 104
- netweaver_application_server_abap 102
- commerce_b2b 89
Top packages
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-9082 | critical | 9.8 | 10.0 | | | | 14d ago | Drupal Core contains a SQL injection vulnerability that could allow for privilege escalation and remote code execution via specially crafted requests sent with the database abstraction API. |
| CVE-2026-20182 | critical | 10.0 | 10.0 | | | | 20d ago | Cisco Catalyst SD-WAN Controller & Manager contain an authentication bypass vulnerability that allows an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges… |
| CVE-2026-44262 | critical | 9.4 | 10.0 | | | | 28d ago | Scramble vulnerable to remote code execution via evaluation of user-controlled input in validation rules |
| CVE-2026-42607 | critical | 9.1 | 10.0 | | | | 29d ago | Grav Vulnerable to Remote Code Execution (RCE) via Malicious Plugin ZIP Upload in Direct Install Feature |
| CVE-2026-36356 | critical | 9.1 | 10.0 | | | | 1mo ago | The GoAhead web server on MeiG Smart FORGE_SLT711 devices (firmware MDM9607.LE.1.0-00110-STD.PROD-1) allows unauthenticated OS command injection via the /action/SetRemoteAccessCfg endpoint. |
| CVE-2026-7567 | critical | 9.8 | 10.0 | | | | 1mo ago | The Temporary Login plugin for WordPress is vulnerable to Authentication Bypass in versions up to and including 1.0.0. This is due to improper input validation in the maybe_login_temporary_user() fun… |
| CVE-2026-41940 | critical | 9.8 | 10.0 | | | | 1mo ago | WebPros cPanel & WHM (WebHost Manager) and WP2 (WordPress Squared) contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized a… |
| CVE-2026-4631 | critical | — | 10.0 | | | | 2mo ago | Cockpit's remote login feature passes user-supplied hostnames and usernames from the web interface to the SSH client without validation or sanitization. An attacker with network access to the Cockpit… |
| CVE-2026-32746 | critical | 9.8 | 10.0 | | | | 3mo ago | telnetd in GNU inetutils through 2.7 allows an out-of-bounds write in the LINEMODE SLC (Set Local Characters) suboption handler because add_slc does not check whether the buffer is full. |
| CVE-2026-28517 | critical | 9.8 | 10.0 | | | | 3mo ago | openDCIM version 23.04, through commit 4467e9c4, contains an OS command injection vulnerability in report_network_map.php. The application retrieves the 'dot' configuration parameter from the databas… |