CVEs from 2026
Total
14,122
critical
critical 1,246
high
high 4,695
medium
medium 4,473
low
low 488
% Critical
8.8%
% with KEV
0.4%
% with exploit
0.8%
Top vendors
Top products
- chrome 522
- firepower_threat_defense_software 300
- firepower_threat_defense 298
- gcp 247
- openclaw 172
- commerce 104
- netweaver_application_server_abap 102
- commerce_b2b 89
Top packages
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-31431 | high | 7.8 | 10.0 | 1mo ago | Linux Kernel contains an incorrect resource transfer between spheres vulnerability that could allow for privilege escalation. | |||
| CVE-2026-43284 | high | 8.8 | 9.8 | 23d ago | In the Linux kernel, the following vulnerability has been resolved: xfrm: esp: avoid in-place decrypt on shared skb frags MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks… | |||
| CVE-2026-23918 | high | 8.8 | 9.8 | 1mo ago | Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol. This issue affects Apache HTTP Server: 2.4.66. Users are recommended to upgrade to version 2.4.67, which f… | |||
| CVE-2026-42471 | high | 8.1 | 9.1 | 1mo ago | Unsafe deserialization vulnerability in MixPHP Framework 2.x thru 2.2.17. The sync-invoke client (Connection.php:76) calls unserialize() on data received from the server response, enabling client-sid… | |||
| CVE-2026-46522 | high | — | 9.0 | 16d ago | ImageMagick: Infinite Loop in the MIFF decoder can lead to CPU exhaustion | |||
| CVE-2026-46300 | high | 7.8 | 8.8 | 15d ago | In the Linux kernel, the following vulnerability has been resolved: net: skbuff: preserve shared-frag marker during coalescing skb_try_coalesce() can attach paged frags from @from to @to. If @from… | |||
| CVE-2026-43500 | high | 7.8 | 8.8 | 24d ago | In the Linux kernel, the following vulnerability has been resolved: rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present The DATA-packet handler in rxrpc_input_call_event() and th… | |||
| CVE-2026-23231 | high | 7.8 | 8.8 | 2mo ago | In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: fix use-after-free in nf_tables_addchain() nf_tables_addchain() publishes the chain to table->chains via li… | |||
| CVE-2026-36355 | high | 7.7 | 8.7 | 1mo ago | The rtl8192cd Wi-Fi kernel driver in the Realtek rtl819x Jungle SDK (all known versions through v3.4.14B) does not perform any access control checks on the write_mem (ioctl 0x89F5) and read_mem (ioct… | |||
| CVE-2026-44680 | high | 7.6 | 8.6 | 9d ago | MikroORM has SQL injection via runtime-controlled identifiers and JSON-path keys | |||
| CVE-2026-34474 | high | 7.5 | 8.5 | 28d ago | Sensitive data exposure leading to admin/WLAN credential leak in ZTE ZXHN H298A 1.1 and H108N 2.6. A crafted request to the router web interface can expose sensitive device and account information. I… | |||
| CVE-2026-34473 | high | 7.5 | 8.5 | 28d ago | Unauthenticated DoS in ZTE H8102E, H168N, H167A, H199A, H288A, H198A, H267A, H267N, H268A, H388X, H196A, H369A, H268N, H208N, H367N, H181A, and H196Q. A denial-of-service condition can be triggered a… | |||
| CVE-2026-26980 | high | 7.5 | 8.5 | 3mo ago | Ghost has a SQL injection in Content API | |||
| CVE-2026-44403 | high | 7.2 | 8.2 | 22d ago | Wing FTP Server before 8.1.3 contains an authenticated remote code execution vulnerability in the session serialization mechanism that allows authenticated administrators to inject arbitrary Lua code… | |||
| CVE-2026-34472 | high | 7.1 | 8.1 | 2mo ago | Unauthenticated credential disclosure in the wizard interface in ZTE ZXHN H188A V6.0.10P2_TE and V6.0.10P3N3_TE allows unauthenticated attackers on the local network to retrieve sensitive credentials… | |||
| CVE-2026-26157 | high | 7.0 | 8.0 | 4mo ago | A flaw was found in BusyBox. Incomplete path sanitization in its archive extraction utilities allows an attacker to craft malicious archives that when extracted, and under specific conditions, may wr… |