CVEs from 2026

14,122 normalized CVEs published or assigned in this year.

Total

14,122

critical

critical 1,246

high

high 4,695

medium

medium 4,475

low

low 488

% Critical

8.8%

% with KEV

0.4%

% with exploit

0.8%

Top vendors

qualcomm 1,873
google 769
cisco 662
microsoft 334
adobe 333
apache 183
openclaw 173
mediatek 123

Top products

chrome 522
firepower_threat_defense_software 300
firepower_threat_defense 298
gcp 247
openclaw 172
commerce 104
netweaver_application_server_abap 102
commerce_b2b 89

Top packages

npm/openclaw 407
npm/parse-server 143
Packagist/wwbn/avideo 129
NPM/openclaw 129
Go/github.com/mattermost/mattermost-server 126
npm/n8n 120
Packagist/symfony/symfony 107
Go/github.com/mattermost/mattermost/server/v8 103

critical high medium low unknown

0

KEV Has exploit

CVE	Severity	CVSS	Risk	Flags	OS	Vendor	Published	Description
CVE-2026-31431	high	7.8	10.0				1mo ago	Linux Kernel contains an incorrect resource transfer between spheres vulnerability that could allow for privilege escalation.
CVE-2026-42897	high	8.1	9.6				21d ago	Microsoft Exchange Server contains a cross-site scripting vulnerability during web page generation in Outlook Web Access and when certain interaction conditions are met, arbitrary JavaScript can be e…
CVE-2026-41091	high	7.8	9.3				15d ago	Microsoft Defender contains a link following vulnerability that allows an authorized attacker to elevate privileges locally.
CVE-2026-33825	high	7.8	9.3				1mo ago	Microsoft Defender contains an insufficient granularity of access control vulnerability that could allow an authorized attacker to escalate privileges locally.
CVE-2026-6973	high	7.2	8.7				28d ago	Ivanti Endpoint Manager Mobile (EPMM) contains an improper input validation vulnerability that allows a remotely authenticated user with administrative access to achieve remote code execution.
CVE-2026-34926	medium	6.7	8.2				14d ago	Trend Micro Apex One (on-premise) contains a directory traversal vulnerability that could allow a pre-authenticated local attacker to modify a key table on the server to inject malicious code to depl…
CVE-2026-32201	medium	6.5	8.0				2mo ago	Microsoft SharePoint Server contains an improper input validation vulnerability that allows an unauthorized attacker to perform spoofing over a network.
CVE-2026-32202	medium	4.3	6.8				2mo ago	Microsoft Windows Shell contains a protection mechanism failure vulnerability that allows an unauthorized attacker to perform spoofing over a network.
CVE-2026-45498	medium	4.0	5.5				15d ago	Microsoft Defender contains an unspecified vulnerability that allows for denial of service.