CVEs from 2026

14,112 normalized CVEs published or assigned in this year.

Total

14,112

critical

critical 1,245

high

high 4,691

medium

medium 4,468

low

low 488

% Critical

8.8%

% with KEV

0.4%

% with exploit

0.8%

Top vendors

qualcomm 1,873
google 769
cisco 662
microsoft 334
adobe 333
apache 183
openclaw 173
mediatek 123

Top products

chrome 522
firepower_threat_defense_software 300
firepower_threat_defense 298
gcp 247
openclaw 172
commerce 104
netweaver_application_server_abap 102
commerce_b2b 89

Top packages

npm/openclaw 407
npm/parse-server 143
Packagist/wwbn/avideo 129
NPM/openclaw 129
Go/github.com/mattermost/mattermost-server 126
npm/n8n 120
Packagist/symfony/symfony 107
Go/github.com/mattermost/mattermost/server/v8 103

critical high medium low unknown

0

KEV Has exploit

CVE	Severity	CVSS	Risk	Flags	OS	Vendor	Published	Description
CVE-2026-31431	high	7.8	10.0				1mo ago	Linux Kernel contains an incorrect resource transfer between spheres vulnerability that could allow for privilege escalation.
CVE-2026-42897	high	8.1	9.6				20d ago	Microsoft Exchange Server contains a cross-site scripting vulnerability during web page generation in Outlook Web Access and when certain interaction conditions are met, arbitrary JavaScript can be e…
CVE-2026-41091	high	7.8	9.3				15d ago	Microsoft Defender contains a link following vulnerability that allows an authorized attacker to elevate privileges locally.
CVE-2026-33825	high	7.8	9.3				1mo ago	Microsoft Defender contains an insufficient granularity of access control vulnerability that could allow an authorized attacker to escalate privileges locally.
CVE-2026-6973	high	7.2	8.7				27d ago	Ivanti Endpoint Manager Mobile (EPMM) contains an improper input validation vulnerability that allows a remotely authenticated user with administrative access to achieve remote code execution.