CVEs from 2026

Total: 14,787

- critical: 1,335
- high: 5,005
- medium: 4,828
- low: 503
- % Critical: 9.0%
- % with KEV: 0.4%
- % with exploit: 0.7%

Top vendors

Top products

- chrome 723
- firepower_threat_defense_software 310
- gcp 299
- firepower_threat_defense 298
- openclaw 172
- commerce 104
- netweaver_application_server_abap 102
- commerce_b2b 89

Top packages
| CVE | Severity | CVSS | Risk | Published | Description | Flags | OS | Vendor |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-8950 | critical | 9.3 | 9.3 | 11d ago | Important: thunderbird security update | |||
| CVE-2026-44451 | critical | 9.3 | 9.3 | 11d ago | Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the component override system transpiles user-supplied TSX via Sucrase and evaluates it with new Function, shadowing dangerous global… | |||
| CVE-2026-42774 | critical | 9.3 | 9.3 | 12d ago | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Crocoblock JetEngine allows SQL Injection. This issue affects JetEngine: from n/a through 3.8.8.… | |||
| CVE-2026-42773 | critical | 9.3 | 9.3 | 12d ago | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in eMagicOne eMagicOne Store Manager allows Blind SQL Injection. This issue affects eMagicOne Store… | |||
| CVE-2026-41090 | critical | 9.3 | 9.3 | 15d ago | Improper neutralization of special elements used in a command ('command injection') in Microsoft Copilot allows an unauthorized attacker to perform tampering over a network. | |||
| CVE-2026-9264 | critical | 9.3 | 9.3 | 16d ago | A cross-site scripting (XSS) vulnerability in SketchUp 2026's Dynamic Components feature allows remote code execution and local file exfiltration through maliciously crafted SKP files. The vulnerabil… | |||
| CVE-2026-39531 | critical | 9.3 | 9.3 | 16d ago | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Wp Directory Kit WP Directory Kit allows Blind SQL Injection. This issue affects WP Directory Ki… | |||
| CVE-2026-41091 | high | 7.8 | 9.3 | 17d ago | Improper link resolution before file access ('link following') in Microsoft Defender allows an authorized attacker to elevate privileges locally. | |||
| CVE-2026-44225 | critical | 9.3 | 9.3 | 25d ago | Pulpy is a lightweight, cross-platform desktop application packager for web apps. Prior to 0.1.1, Pulpy injects a pulpy.fs JavaScript API into every packaged web application, giving it access to the … | |||
| CVE-2026-34660 | critical | 9.3 | 9.3 | 25d ago | Adobe Connect versions 2025.9.15, 2025.8.157 and earlier are affected by an Incorrect Authorization vulnerability that could result in arbitrary code execution in the context of the current user. An … | |||
| CVE-2026-40402 | critical | 9.3 | 9.3 | 25d ago | Use after free in Windows Hyper-V allows an unauthorized attacker to elevate privileges locally. | |||
| CVE-2026-40379 | critical | 9.3 | 9.3 | 25d ago | Exposure of sensitive information to an unauthorized actor in Azure Entra ID allows an unauthorized attacker to perform spoofing over a network. | |||
| CVE-2026-43900 | critical | 9.3 | 9.3 | 26d ago | DeepChat is an open-source artificial intelligence agent platform that unifies models, tools, and agents. Prior to v1.0.4-beta.1, a Cross-Site Scripting (XSS) vulnerability exists due to a discrepanc… | |||
| CVE-2026-44212 | critical | 9.3 | 9.3 | 29d ago | PrestaShop has a stored XSS executable in customer service view | |||
| CVE-2026-43526 | critical | 9.3 | 9.3 | 1mo ago | OpenClaw: QQBot reply media URL handling could trigger SSRF and re-upload fetched bytes | |||
| CVE-2026-40797 | critical | 9.3 | 9.3 | 1mo ago | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Saleswonder LLC WebinarIgnition allows Blind SQL Injection. This issue affects WebinarIgnition: … | |||
| CVE-2026-7161 | critical | 9.3 | 9.3 | 1mo ago | An insufficient encryption vulnerability exists in the Device Authentication functionality of GeoVision GV-IP Device Utility 9.0.5. Listening to broadcast packets can lead to credentials leak. An att… | |||
| CVE-2026-42363 | critical | 9.3 | 9.3 | 1mo ago | An insufficient encryption vulnerability exists in the Device Authentication functionality of GeoVision GV-IP Device Utility 9.0.5. Listening to broadcast packets can lead to credentials leak. An att… | |||
| CVE-2026-33102 | critical | 9.3 | 9.3 | 1mo ago | Url redirection to untrusted site ('open redirect') in M365 Copilot allows an unauthorized attacker to elevate privileges over a network. | |||
| CVE-2026-32210 | critical | 9.3 | 9.3 | 1mo ago | Server-side request forgery (ssrf) in Microsoft Dynamics 365 (Online) allows an unauthorized attacker to perform spoofing over a network. | |||
| CVE-2026-33825 | high | 7.8 | 9.3 | 2mo ago | Microsoft Defender contains an insufficient granularity of access control vulnerability that could allow an authorized attacker to escalate privileges locally. | |||
| CVE-2026-40959 | critical | 9.3 | 9.3 | 2mo ago | Luanti 5 before 5.15.2, when LuaJIT is used, allows a Lua sandbox escape via a crafted mod. | |||
| CVE-2026-34615 | critical | 9.3 | 9.3 | 2mo ago | Adobe Connect versions 2025.3, 12.10 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. An… | |||
| CVE-2026-27246 | critical | 9.3 | 9.3 | 2mo ago | Adobe Connect versions 2025.3, 12.10 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this vulnerability to inject malicious scripts into a … | |||
| CVE-2026-27245 | critical | 9.3 | 9.3 | 2mo ago | Adobe Connect versions 2025.3, 12.10 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this vulnerability to inject malicious scripts into a … | |||
| CVE-2026-27243 | critical | 9.3 | 9.3 | 2mo ago | Adobe Connect versions 2025.3, 12.10 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this vulnerability to inject malicious scripts into a … | |||
| CVE-2026-31845 | critical | 9.3 | 9.3 | 2mo ago | A reflected cross-site scripting (XSS) vulnerability exists in Rukovoditel CRM version 3.6.4 and earlier in the Zadarma telephony API endpoint (/api/tel/zadarma.php). The application directly reflect… | |||
| CVE-2026-27413 | critical | 9.3 | 9.3 | 3mo ago | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Cozmoslabs Profile Builder Pro allows Blind SQL Injection. This issue affects Profile Builder Pro:… | |||
| CVE-2026-6209 | critical | 9.1 | 9.1 | 1d ago | Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. | |||
| CVE-2026-6208 | critical | 9.1 | 9.1 | 1d ago | Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. | |||
| CVE-2026-6207 | critical | 9.1 | 9.1 | 1d ago | Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. | |||
| CVE-2026-48579 | critical | 9.1 | 9.1 | 2d ago | Improper authorization in Microsoft Exchange Online allows an unauthorized attacker to disclose information over a network. | |||
| CVE-2026-11153 | critical | 9.1 | 9.1 | 2d ago | Side-channel information leakage in Forms in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) | |||
| CVE-2026-48040 | critical | 9.1 | 9.1 | 2d ago | The netty incubator codec.bhttp is a java language binary http parser. The library implements Oblivious HTTP (RFC 9458) using BoringSSL's HPKE C library via JNI. When deriving native memory addresses… | |||
| CVE-2026-50076 | critical | 9.1 | 9.1 | 2d ago | Deserialization of Untrusted Data in the Java replace-resolve path in Apache Fory fory-core Java SDK before 1.1.0 on Java/JVM platforms allows a remote attacker to bypass class registration, TypeChec… | |||
| CVE-2026-46266 | critical | 9.1 | 9.1 | 3d ago | In the Linux kernel, the following vulnerability has been resolved: inet: RAW sockets using IPPROTO_RAW MUST drop incoming ICMP Yizhou Zhao reported that simply having one RAW socket on protocol IP… | |||
| CVE-2026-46244 | critical | 9.1 | 9.1 | 3d ago | In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_inner: Fix IPv6 inner_thoff desync In nft_inner_parse_l2l3(), when processing inner IPv6 packets, ipv6_find_hdr() … | |||
| CVE-2026-8644 | critical | 9.1 | 9.1 | 5d ago | IBM WebSphere Application Server 9.0, and 8.5 is vulnerable to identity spoofing. | |||
| CVE-2026-42682 | critical | 9.1 | 9.1 | 5d ago | Missing Authorization vulnerability in Tomdever wpForo Forum allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects wpForo Forum: from n/a through 3.0.6. | |||
| CVE-2026-42252 | critical | 9.1 | 9.1 | 6d ago | Apache Airflow's official documentation at `core-concepts/dag-run.html` ("Passing Parameters when triggering Dags") showed a verbatim `BashOperator(bash_command="echo value: {{ dag_run.conf['conf1'] … | |||
| CVE-2026-48188 | critical | 9.1 | 9.1 | 6d ago | An improper Input Validation vulnerability in OTRS or ((OTRS)) Community Edition database layer module allows an unauthenticated SQL injection which can lead to an authentication bypass. This issue o… | |||
| CVE-2026-9051 | critical | 9.1 | 9.1 | 8d ago | There is an authentication bypass vulnerability in the NI SystemLink Enterprise Dashboard application that may allow an unauthenticated remote attacker to bypass authentication controls leading to pr… | |||
| CVE-2026-5386 | critical | 9.1 | 9.1 | 8d ago | The affected KMW CCTV Security Cameras are vulnerable to a critical unauthenticated password reset. This flaw allows an attacker to remotely reset the administrator password to a known value without … | |||
| CVE-2026-48501 | critical | 9.1 | 9.1 | 8d ago | GitHub CLI (gh) is GitHub’s official command line tool. Prior to 2.93.0, GitHub CLI incorrectly includes authorization header in API requests to TUF repository mirrors via gh attestation, gh release … | |||
| CVE-2026-4290 | critical | 9.1 | 9.1 | 8d ago | The WP Travel Pro plugin for WordPress is vulnerable to arbitrary user deletion via the /wp-json/wp-travel/v1/travel-guide/{user_id} REST API endpoint in all versions up to, and including, 10.6.0. Th… | |||
| CVE-2026-46819 | critical | 9.1 | 9.1 | 9d ago | Vulnerability in the Oracle Internet Procurement Connector product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploi… | |||
| CVE-2026-9098 | critical | 9.1 | 9.1 | 9d ago | In Casdoor versions 2.362.0 and earlier, the SAML callback handler in controllers/auth.go accepts any well-formed SAMLResponse sent to /api/acs without verifying that it corresponds to an AuthnReques… | |||
| CVE-2026-9092 | critical | 9.1 | 9.1 | 9d ago | Casdoor versions 2.362.0 and earlier contain a vulnerability involving unverified email binding that may enable account takeover. The getExistUserByBindingRule function matches users by email without… | |||
| CVE-2026-9090 | critical | 9.1 | 9.1 | 9d ago | Casdoor versions 2.362.0 and earlier contain a vulnerability that allows an attacker to bypass authentication by supplying an arbitrary signing certificate. The buildSpCertificateStore function extra… | |||
| CVE-2026-22872 | critical | 9.1 | 9.1 | 9d ago | Capsule is a multi-tenancy and policy-based framework for Kubernetes. The Capsule Controller runs with cluster-admin privileges. Although the TenantResource RawItems processing logic forcibly sets th… | |||
| CVE-2026-46185 | critical | 9.1 | 9.1 | 10d ago | In the Linux kernel, the following vulnerability has been resolved: smb/client: fix out-of-bounds read in symlink_data() Since smb2_check_message() returns success without length validation for the… | |||
| CVE-2026-46155 | critical | 9.1 | 9.1 | 10d ago | In the Linux kernel, the following vulnerability has been resolved: smb/client: fix out-of-bounds read in smb2_compound_op() If a server sends a truncated response but a large OutputBufferLength, a… | |||
| CVE-2026-46119 | critical | 9.1 | 9.1 | 10d ago | In the Linux kernel, the following vulnerability has been resolved: libceph: Fix slab-out-of-bounds access in auth message processing If a (potentially corrupted) message of type CEPH_MSG_AUTH_REPL… | |||
| CVE-2026-7876 | critical | 9.1 | 9.1 | 10d ago | IBM Aspera HSTS for CP4I 1.5.1 through 1.5.19 | |||
| CVE-2026-46043 | critical | 9.1 | 9.1 | 10d ago | In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv rxe_rcv() currently checks only that the incoming packet is at l… | |||
| CVE-2026-49002 | critical | 9.1 | 9.1 | 11d ago | Access control failure means that an application does not effectively check user access permissions, so that unauthorized users can access system data beyond their permissions, such as viewing and mo… | |||
| CVE-2026-8450 | critical | 9.1 | 9.1 | 11d ago | HTTP::Daemon versions before 6.17 for Perl allow OS command injection via send_file(). send_file() opens its string argument with Perl's 2-arg open(). The 2-arg form interprets magic prefixes: '| cm… | |||
| CVE-2026-44444 | critical | 9.1 | 9.1 | 11d ago | Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the Spindle extension build pipeline calls bun install without the --ignore-scripts flag before running the static backend safety sca… | |||
| CVE-2026-44449 | critical | 9.1 | 9.1 | 11d ago | Lumiverse is a full-featured AI chat application. Prior to 0.9.7, when the primary toSmbPath(fullPath) call throws, the method falls back to a dirname/basename split and only validates the directory … | |||
| CVE-2026-8856 | critical | 9.1 | 9.1 | 11d ago | IBM HTTP Server 8.5, and 9.0 is vulnerable to denial of service in configurations where an attacker has write access to parts of the server configuration. | |||
| CVE-2026-42496 | critical | 9.1 | 9.1 | 12d ago | Archive::Tar versions before 3.08 for Perl extract symlinks with attacker controlled targets outside the extraction directory. _make_special_file() passes the tar header's linkname to symlink() with… | |||
| CVE-2026-2332 | critical | 9.1 | 9.1 | 12d ago | Jetty has HTTP Request Smuggling via Chunked Extension Quoted-String Parsing | |||
| CVE-2026-33843 | critical | 9.1 | 9.1 | 15d ago | Authentication bypass using an alternate path or channel in Microsoft Azure Active Directory B2C allows an unauthorized attacker to elevate privileges over a network. | |||
| CVE-2026-8673 | critical | 9.1 | 9.1 | 15d ago | Unprotected transport of credentials vulnerability in syslink software AG Avantra on Linux, Windows allows Sniffing Attacks. This issue affects Avantra: before 25.3.0. | |||
| CVE-2026-42508 | critical | 9.1 | 9.1 | 16d ago | Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @revoked. | |||
| CVE-2026-39834 | critical | 9.1 | 9.1 | 16d ago | When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused the write loop to spin indefinitely, sending empty pack… | |||
| CVE-2026-39833 | critical | 9.1 | 9.1 | 16d ago | The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indicatio… | |||
| CVE-2026-39832 | critical | 9.1 | 9.1 | 16d ago | When adding a key to a remote agent constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forward… | |||
| CVE-2026-39831 | critical | 9.1 | 9.1 | 16d ago | The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com) did not check the User Presence flag. Signatures generated without physical touch … | |||
| CVE-2026-39830 | critical | 9.1 | 9.1 | 16d ago | A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), r… | |||
| CVE-2026-33000 | critical | 9.1 | 9.1 | 16d ago | A malicious actor with access to the network and high privileges could exploit an Improper Input Validation vulnerability found in UniFi OS devices to execute a Command Injection. | |||
| CVE-2026-5433 | critical | 9.1 | 9.1 | 17d ago | Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. | |||
| CVE-2026-47372 | critical | 9.1 | 9.1 | 17d ago | Crypt::SaltedHash versions through 0.09 for Perl generate insecure random values for salts. These versions use the built-in rand function, which is predictable and unsuitable for cryptography. | |||
| CVE-2026-8598 | critical | 9.1 | 9.1 | 17d ago | An undocumented configuration export port is accessible on some models of ZKTeco CCTV cameras. This port does not require authentication and exposes critical information about the camera such as op… | |||
| CVE-2026-8602 | critical | 9.1 | 9.1 | 18d ago | In ScadaBR version 1.2.0, a Missing Authentication for Critical Function vulnerability could allow an unauthenticated attacker to send a HTTP GET requests to the SCADA system and inject arbitrary sen… | |||
| CVE-2026-31071 | critical | 9.1 | 9.1 | 18d ago | API endpoints in LalanaChami Pharmacy Management System (commit 5c3d028) lack authentication middleware. Unauthenticated remote attackers can exploit this to dump all user records (including bcrypt p… | |||
| CVE-2026-2586 | critical | 9.1 | 9.1 | 18d ago | GlassFish's Administration Console is Vulnerable to RCE | |||
| CVE-2026-8948 | critical | 9.1 | 9.1 | 18d ago | Same-origin policy bypass in the DOM: Networking component. This vulnerability was fixed in Firefox 151 and Thunderbird 151. | |||
| CVE-2026-41919 | critical | 9.1 | 9.1 | 19d ago | Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrad… | |||
| CVE-2026-31986 | critical | 9.1 | 9.1 | 19d ago | Use of Hard-coded Cryptographic Key vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue. | |||
| CVE-2026-45230 | critical | 9.1 | 9.1 | 19d ago | DumbAssets through 1.0.11 contains a path traversal vulnerability in the POST /api/delete-file endpoint and filesToDelete array parameters that allows unauthenticated attackers to delete arbitrary fi… | |||
| CVE-2026-41947 | critical | 9.1 | 9.1 | 19d ago | Dify before version 1.14.2 contains an authorization bypass vulnerability that allows authenticated editor users to set and enable trace configurations for any application regardless of tenant owners… | |||
| CVE-2026-7302 | critical | 9.1 | 9.1 | 19d ago | SGLang's multimodal generation runtime has an unauthenticated path traversal vulnerability | |||
| CVE-2026-8757 | critical | 9.1 | 9.1 | 20d ago | A vulnerability was found in adenhq hive up to 0.11.0. This affects the function _read_events_tail of the file core/framework/server/routes_sessions.py of the component Delete Request Handler. Perfor… | |||
| CVE-2026-8686 | critical | 9.1 | 9.1 | 22d ago | Missing bounds validation in the MQTT v5.0 property parser in coreMQTT before 5.0.1 allows an MQTT broker to cause a denial of service by sending a crafted packet. To remediate this issue, users s… | |||
| CVE-2026-45010 | critical | 9.1 | 9.1 | 22d ago | phpMyFAQ before 4.1.2 contains an improper restriction of excessive authentication attempts vulnerability in the /admin/check endpoint, which accepts arbitrary user-id parameters without session bind… | |||
| CVE-2026-41258 | critical | 9.1 | 9.1 | 22d ago | OpenMRS has Stored Velocity SSTI to RCE via ConceptReferenceRange | |||
| CVE-2026-45787 | critical | 9.1 | 9.1 | 23d ago | electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to 3.9.5, deterministic AES-192-CBC with a fixed zero IV, constant KDF salt, and no MAC leads to confid… | |||
| CVE-2026-8634 | critical | 9.1 | 9.1 | 23d ago | Crabbox: environment variable exposure vulnerability | |||
| CVE-2026-46470 | critical | 9.1 | 9.1 | 23d ago | An issue was discovered in GStreamer gst-plugins-good before 1.28.2. When parsing MP4 audio tracks, the isomp4 plugin's qtdemux_audio_caps function does not sufficiently validate atom data before per… | |||
| CVE-2026-44542 | critical | 9.1 | 9.1 | 23d ago | FileBrowser Public Share DELETE API Path Traversal Allows Unauthenticated Arbitrary File Deletion | |||
| CVE-2026-42555 | critical | 9.1 | 9.1 | 23d ago | Valtimo has SpEL injection via StandardEvaluationContext that allows Remote Code Execution by admin users | |||
| CVE-2026-6512 | critical | 9.1 | 9.1 | 24d ago | The InfusedWoo Pro plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.1.2. This is due to the plugin not properly verifying that a user is authorized t… | |||
| CVE-2026-45158 | critical | 9.1 | 9.1 | 24d ago | OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.8, unsanitized user input is passed to the DHCP configuration of the configured interface, which is processed by a shell scrip… | |||
| CVE-2026-44194 | critical | 9.1 | 9.1 | 24d ago | OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.8, an authenticated Remote Code Execution (RCE) vulnerability in the OPNsense core allows a user with user-management privileg… | |||
| CVE-2026-44193 | critical | 9.1 | 9.1 | 24d ago | OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.7, the XMLRPC method opnsense.restore_config_section fails to sanitize user supplied input leading to Remote Code Execution. T… | |||
| CVE-2026-45714 | critical | 9.1 | 9.1 | 24d ago | CubeCart is an ecommerce software solution. Prior to 6.7.0, an Authenticated Server-Side Template Injection (SSTI) vulnerability exists in multiple modules of CubeCart (including Email Templates, Inv… | |||
| CVE-2026-45053 | critical | 9.1 | 9.1 | 24d ago | CubeCart is an ecommerce software solution. Prior to 6.7.0, an Authenticated Arbitrary File Upload vulnerability exists in the REST API File Manager endpoint (POST /api/v1/files) of CubeCart. The end… | |||
| CVE-2026-44377 | critical | 9.1 | 9.1 | 24d ago | CubeCart is an ecommerce software solution. Prior to 6.7.0, an Authenticated Server-Side Template Injection (SSTI) vulnerability exists in multiple modules of CubeCart (including Email Templates and … | |||
| CVE-2026-44351 | critical | 9.1 | 9.1 | 24d ago | fast-jwt: JWT auth bypass due to empty HMAC secret accepted by async key resolver |