CVEs from 2026
- Total 14,122
- critical 1,246
- high 4,695
- medium 4,473
- low 488
- % Critical 8.8%
- % with KEV 0.4%
- % with exploit 0.8%
Top products
- chrome 522
- firepower_threat_defense_software 300
- firepower_threat_defense 298
- gcp 247
- openclaw 172
- commerce 104
- netweaver_application_server_abap 102
- commerce_b2b 89
| CVE | Severity | CVSS | Risk | Published | Description |
|---|---|---|---|---|---|
| CVE-2026-44376 | medium | 6.1 | 7.1 | 21d ago | CubeCart is an ecommerce software solution. Prior to 6.7.0, an unauthenticated Reflected XSS vulnerability exists in the CubeCart v6.x search feature. Due to a logic flaw in classes/catalogue.class.p… |
| CVE-2026-6815 | medium | 5.9 | 6.9 | 24d ago | An arbitrary file write vulnerability exists in Casdoor's Local File System storage provider. Due to insufficient path sanitization, an authenticated attacker with administrative privileges can perfo… |
| CVE-2026-32202 | medium | 4.3 | 6.8 | 2mo ago | Microsoft Windows Shell contains a protection mechanism failure vulnerability that allows an unauthorized attacker to perform spoofing over a network. |
| CVE-2026-44596 | medium | — | 6.5 | 8d ago | Yamcs has No Rate Limiting on Authentication Endpoint |
| CVE-2026-44595 | medium | — | 6.5 | 8d ago | Yamcs vulnerable to unauthorized user enumeration via IAM API endpoints |
| CVE-2026-42568 | medium | — | 6.5 | 8d ago | Yamcs Vulnerable to LDAP Injection in LdapAuthModule |
| CVE-2026-33829 | medium | 4.3 | 5.3 | 2mo ago | Exposure of sensitive information to an unauthorized actor in Windows Snipping Tool allows an unauthorized attacker to perform spoofing over a network. |
| CVE-2026-1340 | unknown | — | 2.5 | 2mo ago | Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability that could allow attackers to achieve unauthenticated remote code execution. |
| CVE-2026-34197 | unknown | — | 2.5 | 2mo ago | Apache ActiveMQ contains an improper input validation vulnerability that allows for code injection. |
| CVE-2026-3055 | unknown | — | 2.5 | 2mo ago | Citrix NetScaler ADC (formerly Citrix ADC), NetScaler Gateway (formerly Citrix Gateway) and NetScaler ADC FIPS and NDcPP contain an out-of-bounds reads vulnerability when configured as a SAML IDP lea… |
| CVE-2026-20127 | unknown | — | 2.5 | 3mo ago | Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, contain an authentication bypass vulnerability could allow an unauthenticated, re… |
| CVE-2026-2441 | unknown | — | 2.5 | 4mo ago | Google Chromium CSS contains a use-after-free vulnerability that could allow a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple… |
| CVE-2026-1731 | unknown | — | 2.5 | 4mo ago | BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) contain an OS command injection vulnerability. Successful exploitation could allow an unauthenticated remote attacker to execute oper… |
| CVE-2026-1281 | unknown | — | 2.5 | 4mo ago | Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability that could allow attackers to achieve unauthenticated remote code execution. |
| CVE-2026-24061 | unknown | — | 2.5 | 4mo ago | GNU InetUtils contains an argument injection vulnerability in telnetd that could allow for remote authentication bypass via a "-f root" value for the USER environment variable. |
| CVE-2026-24486 | unknown | — | 1.0 | 4mo ago | Python-Multipart is a streaming multipart parser for Python. Prior to version 0.0.22, a Path Traversal vulnerability exists when using non-default configuration options `UPLOAD_DIR` and `UPLOAD_KEEP_… |