CVEs from 2026

14,701 normalized CVEs published or assigned in this year.

Total

14,701

critical

critical 1,323

high

high 4,979

medium

medium 4,762

low

low 501

% Critical

9.0%

% with KEV

0.4%

% with exploit

0.7%

Top vendors

qualcomm 1,873
google 959
cisco 672
microsoft 337
adobe 333
apache 185
openclaw 173
mediatek 123

Top products

chrome 660
firepower_threat_defense_software 310
gcp 299
firepower_threat_defense 298
openclaw 172
commerce 104
netweaver_application_server_abap 102
commerce_b2b 89

Top packages

npm/openclaw 407
npm/parse-server 143
Packagist/wwbn/avideo 134
NPM/openclaw 129
Go/github.com/mattermost/mattermost-server 126
npm/n8n 120
Packagist/symfony/symfony 107
Go/github.com/mattermost/mattermost/server/v8 103

critical high medium low unknown

0

KEV Has exploit

CVE	Severity	CVSS	Risk	Flags	OS	Vendor	Published	Description
CVE-2026-31431	high	7.8	10.0				1mo ago	Important: kernel security update
CVE-2026-42897	high	8.1	9.6				22d ago	Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.
CVE-2026-41091	high	7.8	9.3				17d ago	Improper link resolution before file access ('link following') in Microsoft Defender allows an authorized attacker to elevate privileges locally.
CVE-2026-33825	high	7.8	9.3				2mo ago	Microsoft Defender contains an insufficient granularity of access control vulnerability that could allow an authorized attacker to escalate privileges locally.
CVE-2026-28318	high	7.5	9.0				1d ago	SolarWinds Serv-U contains an uncontrolled resource consumption vulnerability that allows specially crafted POST requests using the Content-Encoding: deflate header to crash the Serv-U service withou…
CVE-2026-6973	high	7.2	8.7				29d ago	Ivanti Endpoint Manager Mobile (EPMM) contains an improper input validation vulnerability that allows a remotely authenticated user with administrative access to achieve remote code execution.
CVE-2026-34926	medium	6.7	8.2				15d ago	Trend Micro Apex One (on-premise) contains a directory traversal vulnerability that could allow a pre-authenticated local attacker to modify a key table on the server to inject malicious code to depl…
CVE-2026-32201	medium	6.5	8.0				2mo ago	Microsoft SharePoint Server contains an improper input validation vulnerability that allows an unauthorized attacker to perform spoofing over a network.
CVE-2026-32202	medium	4.3	6.8				2mo ago	Microsoft Windows Shell contains a protection mechanism failure vulnerability that allows an unauthorized attacker to perform spoofing over a network.
CVE-2026-45498	medium	4.0	5.5				17d ago	Microsoft Defender Denial of Service Vulnerability