CVEs from 2026
- Total: 14,243
- critical: 1,265
- high: 4,749
- medium: 4,561
- low: 495
- % Critical: 8.9%
- % with KEV: 0.4%
- % with exploit: 0.7%
Top vendors
Top products
- chrome 522
- firepower_threat_defense_software 300
- firepower_threat_defense 298
- gcp 247
- openclaw 172
- commerce 104
- netweaver_application_server_abap 102
- commerce_b2b 89
Top packages
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-39833 | critical | 9.1 | 9.1 | | | | 14d ago | The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indicatio… |
| CVE-2026-39832 | critical | 9.1 | 9.1 | | | | 14d ago | When adding a key to a remote agent, constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forward… |
| CVE-2026-39831 | critical | 9.1 | 9.1 | | | | 14d ago | The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com) did not check the User Presence flag. Signatures generated without physical touch … |
| CVE-2026-39830 | critical | 9.1 | 9.1 | | | | 14d ago | A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), r… |
| CVE-2026-33000 | critical | 9.1 | 9.1 | | | | 14d ago | A malicious actor with access to the network and high privileges could exploit an Improper Input Validation vulnerability found in UniFi OS devices to execute a Command Injection. |
| CVE-2026-5433 | critical | 9.1 | 9.1 | | | | 15d ago | Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. |
| CVE-2026-47372 | critical | 9.1 | 9.1 | | | | 15d ago | Crypt::SaltedHash versions through 0.09 for Perl generate insecure random values for salts. These versions use the built-in rand function, which is predictable and unsuitable for cryptography. |
| CVE-2026-8598 | critical | 9.1 | 9.1 | | | | 15d ago | An undocumented configuration export port is accessible on some models of ZKTeco CCTV cameras. This port does not require authentication and exposes critical information about the camera such as op… |
| CVE-2026-8602 | critical | 9.1 | 9.1 | | | | 16d ago | In ScadaBR version 1.2.0, a Missing Authentication for Critical Function vulnerability could allow an unauthenticated attacker to send HTTP GET requests to the SCADA system and inject arbitrary sen… |
| CVE-2026-31071 | critical | 9.1 | 9.1 | | | | 16d ago | API endpoints in LalanaChami Pharmacy Management System (commit 5c3d028) lack authentication middleware. Unauthenticated remote attackers can exploit this to dump all user records (including bcrypt p… |
| CVE-2026-2586 | critical | 9.1 | 9.1 | | | | 16d ago | GlassFish's Administration Console is vulnerable to RCE |
| CVE-2026-8948 | critical | 9.1 | 9.1 | | | | 16d ago | Same-origin policy bypass in the DOM: Networking component. This vulnerability was fixed in Firefox 151 and Thunderbird 151. |
| CVE-2026-41919 | critical | 9.1 | 9.1 | | | | 17d ago | Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrad… |
| CVE-2026-31986 | critical | 9.1 | 9.1 | | | | 17d ago | Use of Hard-coded Cryptographic Key vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue. |
| CVE-2026-45230 | critical | 9.1 | 9.1 | | | | 17d ago | DumbAssets through 1.0.11 contains a path traversal vulnerability in the POST /api/delete-file endpoint and filesToDelete array parameters that allows unauthenticated attackers to delete arbitrary fi… |
| CVE-2026-41947 | critical | 9.1 | 9.1 | | | | 17d ago | Dify before version 1.14.2 contains an authorization bypass vulnerability that allows authenticated editor users to set and enable trace configurations for any application regardless of tenant owners… |
| CVE-2026-7302 | critical | 9.1 | 9.1 | | | | 18d ago | SGLang's multimodal generation runtime has an unauthenticated path traversal vulnerability |
| CVE-2026-8757 | critical | 9.1 | 9.1 | | | | 18d ago | A vulnerability was found in adenhq hive up to 0.11.0. This affects the function _read_events_tail of the file core/framework/server/routes_sessions.py of the component Delete Request Handler. Perfor… |
| CVE-2026-8686 | critical | 9.1 | 9.1 | | | | 20d ago | Missing bounds validation in the MQTT v5.0 property parser in coreMQTT before 5.0.1 allows an MQTT broker to cause a denial of service by sending a crafted packet. To remediate this issue, users s… |
| CVE-2026-45010 | critical | 9.1 | 9.1 | | | | 20d ago | phpMyFAQ before 4.1.2 contains an improper restriction of excessive authentication attempts vulnerability in the /admin/check endpoint, which accepts arbitrary user-id parameters without session bind… |
| CVE-2026-41258 | critical | 9.1 | 9.1 | | | | 20d ago | OpenMRS has Stored Velocity SSTI to RCE via ConceptReferenceRange |
| CVE-2026-45787 | critical | 9.1 | 9.1 | | | | 21d ago | electerm is an open-source terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to 3.9.5, deterministic AES-192-CBC with a fixed zero IV, constant KDF salt, and no MAC leads to confid… |
| CVE-2026-8634 | critical | 9.1 | 9.1 | | | | 21d ago | Crabbox: environment variable exposure vulnerability |
| CVE-2026-46470 | critical | 9.1 | 9.1 | | | | 21d ago | An issue was discovered in GStreamer gst-plugins-good before 1.28.2. When parsing MP4 audio tracks, the isomp4 plugin's qtdemux_audio_caps function does not sufficiently validate atom data before per… |
| CVE-2026-44542 | critical | 9.1 | 9.1 | | | | 21d ago | FileBrowser Public Share DELETE API Path Traversal Allows Unauthenticated Arbitrary File Deletion |
| CVE-2026-42555 | critical | 9.1 | 9.1 | | | | 21d ago | Valtimo has SpEL injection via StandardEvaluationContext that allows Remote Code Execution by admin users |
| CVE-2026-6512 | critical | 9.1 | 9.1 | | | | 22d ago | The InfusedWoo Pro plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.1.2. This is due to the plugin not properly verifying that a user is authorized t… |
| CVE-2026-45158 | critical | 9.1 | 9.1 | | | | 22d ago | OPNsense is a FreeBSD-based firewall and routing platform. Prior to 26.1.8, unsanitized user input is passed to the DHCP configuration of the configured interface, which is processed by a shell scrip… |
| CVE-2026-44194 | critical | 9.1 | 9.1 | | | | 22d ago | OPNsense is a FreeBSD-based firewall and routing platform. Prior to 26.1.8, an authenticated Remote Code Execution (RCE) vulnerability in the OPNsense core allows a user with user-management privileg… |
| CVE-2026-44193 | critical | 9.1 | 9.1 | | | | 22d ago | OPNsense is a FreeBSD-based firewall and routing platform. Prior to 26.1.7, the XMLRPC method opnsense.restore_config_section fails to sanitize user-supplied input, leading to Remote Code Execution. T… |
| CVE-2026-45714 | critical | 9.1 | 9.1 | | | | 22d ago | CubeCart is an ecommerce software solution. Prior to 6.7.0, an Authenticated Server-Side Template Injection (SSTI) vulnerability exists in multiple modules of CubeCart (including Email Templates, Inv… |
| CVE-2026-45053 | critical | 9.1 | 9.1 | | | | 22d ago | CubeCart is an ecommerce software solution. Prior to 6.7.0, an Authenticated Arbitrary File Upload vulnerability exists in the REST API File Manager endpoint (POST /api/v1/files) of CubeCart. The end… |
| CVE-2026-44377 | critical | 9.1 | 9.1 | | | | 22d ago | CubeCart is an ecommerce software solution. Prior to 6.7.0, an Authenticated Server-Side Template Injection (SSTI) vulnerability exists in multiple modules of CubeCart (including Email Templates and … |
| CVE-2026-44351 | critical | 9.1 | 9.1 | | | | 22d ago | fast-jwt: JWT auth bypass due to empty HMAC secret accepted by async key resolver |
| CVE-2026-42584 | critical | 9.1 | 9.1 | | | | 22d ago | Netty has HttpClientCodec response desynchronization |
| CVE-2026-42579 | critical | 9.1 | 9.1 | | | | 22d ago | Netty has a DNS Codec Input Validation Bypass (Encoder + Decoder) |
| CVE-2026-42032 | critical | 9.1 | 9.1 | | | | 22d ago | CKAN has Unauthenticated Authorization Bypass in `datastore_search_sql` |
| CVE-2026-44007 | critical | 9.1 | 9.1 | | | | 22d ago | vm2 NodeVM `nesting: true` bypasses `require: false`, allowing sandbox escape and arbitrary OS command execution |
| CVE-2026-41225 | critical | 9.1 | 9.1 | | | | 22d ago | A vulnerability exists in iControl REST where a highly privileged, authenticated attacker with at least the Manager role can create configuration objects that allow running arbitrary commands. Note… |
| CVE-2026-44650 | critical | 9.1 | 9.1 | | | | 23d ago | SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to 1.18.0,… |
| CVE-2026-42889 | critical | 9.1 | 9.1 | | | | 23d ago | Relay adds real-time collaboration to Obsidian. Relay Server versions 0.9.0 through 0.9.6 contain an authentication bypass in the multi-document WebSocket endpoints. When authentication is configured… |
| CVE-2026-44277 | critical | 9.1 | 9.1 | | | | 23d ago | An improper access control vulnerability in Fortinet FortiAuthenticator 8.0.2, FortiAuthenticator 8.0.0, FortiAuthenticator 6.6.0 through 6.6.8, FortiAuthenticator 6.5.0 through 6.5.6 may allow attack… |
| CVE-2026-44196 | critical | 9.1 | 9.1 | | | | 23d ago | Pingvin Share X is a secure and easy self-hosted file sharing platform. From 1.14.1 to 1.16.2, a critical authentication bypass vulnerability allows an attacker who has obtained a valid username and … |
| CVE-2026-42833 | critical | 9.1 | 9.1 | | | | 23d ago | Improper control of generation of code ('code injection') in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to execute code over a network. |
| CVE-2026-41103 | critical | 9.1 | 9.1 | | | | 23d ago | Incorrect implementation of authentication algorithm in Microsoft SSO Plugin for Jira & Confluence allows an unauthorized attacker to elevate privileges over a network. |
| CVE-2026-33117 | critical | 9.1 | 9.1 | | | | 23d ago | Security feature bypass vulnerability in Azure Key Vault Keys library for Java |
| CVE-2026-31242 | critical | 9.1 | 9.1 | | | | 23d ago | The mem0 v1.0.0 server lacks authentication and authorization controls for its memory reset functionality accessible via the DELETE /memories endpoint. An unauthenticated attacker can send a DELETE r… |
| CVE-2026-29204 | critical | 9.1 | 9.1 | | | | 23d ago | Insufficient ownership check in `clientarea.php` allows an authenticated client area user to submit requests using another user's `addonId` without any ownership validation, leading to unauthorized ac… |
| CVE-2026-43515 | critical | 9.1 | 9.1 | | | | 23d ago | Improper Authorization vulnerability when multiple method constraints define an HTTP method for the same extension in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21,… |
| CVE-2026-31216 | critical | 9.1 | 9.1 | | | | 23d ago | The nexent v1.7.5.2 backend service contains an unauthorized arbitrary storage file deletion vulnerability in its file management API. The DELETE /storage/{object_name:path} endpoint lacks authentica… |
| CVE-2026-31215 | critical | 9.1 | 9.1 | | | | 23d ago | The nexent v1.7.5.2 backend service contains an unauthorized arbitrary file deletion vulnerability in its ElasticSearch service interface. The DELETE /{index_name}/documents endpoint lacks proper aut… |
| CVE-2026-30805 | critical | 9.1 | 9.1 | | | | 23d ago | Insecure Default Initialization of Resource vulnerability allows Authentication Bypass via API access. This issue affects Pandora FMS: from 777 through 800 |
| CVE-2026-45091 | critical | 9.1 | 9.1 | | | | 23d ago | sealed-env: TOTP secret embedded in unseal token payload (enterprise mode) |
| CVE-2026-27851 | critical | 9.1 | 9.1 | | | | 23d ago | When the safe filter is used with variable expansion, all following pipelines on the same string are incorrectly interpreted as safe too, enabling unsafe data to be unescaped. This can enable SQL / LDAP … |
| CVE-2026-41551 | critical | 9.1 | 9.1 | | | | 24d ago | A vulnerability has been identified in ROS# (All versions < V2.2.2). Affected versions contain a path traversal vulnerability because user input is not properly sanitized. This could allow a remote … |
| CVE-2026-25787 | critical | 9.1 | 9.1 | | | | 24d ago | Affected devices do not properly validate and sanitize the Technology Object (TO) name rendered on the "Motion Control Diagnostics" page of the web interface. This could allow an authenticated attacker w… |
| CVE-2026-25786 | critical | 9.1 | 9.1 | | | | 24d ago | Affected devices do not properly validate and sanitize the PLC/station name rendered on the "communication" parameters page of the web interface. This could allow an authenticated attacker who is author… |
| CVE-2026-22924 | critical | 9.1 | 9.1 | | | | 24d ago | A vulnerability has been identified in SIMATIC CN 4100 (All versions < V5.0). The affected application does not properly restrict unauthenticated connections and is susceptible to resource exhaustion… |
| CVE-2026-43639 | critical | 9.1 | 9.1 | | | | 24d ago | Bitwarden Server prior to v2026.4.0 contains a missing authorization vulnerability that allows a provider service user to add an arbitrary organization to their provider via `POST /providers/{provide… |
| CVE-2026-6104 | critical | 9.1 | 9.1 | | | | 26d ago | In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, when an encoding name containing an embedded NUL byte is passed to mb_convert_encoding() or related mbstring functions, the code incorrectl… |
| CVE-2026-42560 | critical | 9.1 | 9.1 | | | | 27d ago | auth: Patreon provider assigns the same local user ID to every authenticated Patreon account, enabling cross-user impersonation |
| CVE-2026-44313 | critical | 9.1 | 9.1 | | | | 27d ago | Linkwarden is a self-hosted, open-source collaborative bookmark manager to collect, organize and archive webpages. Prior to version 2.13.0, a Server-Side Request Forgery (SSRF) vulnerability in the f… |
| CVE-2026-42193 | critical | 9.1 | 9.1 | | | | 27d ago | Plunk is an open-source email platform built on top of AWS SES. Prior to version 0.9.0, the /webhooks/sns endpoint accepts Amazon SNS notification payloads from unauthenticated requests without verif… |
| CVE-2026-44694 | critical | 9.1 | 9.1 | | | | 27d ago | n8n-mcp webhook and API client paths have an authenticated SSRF |
| CVE-2026-44551 | critical | 9.1 | 9.1 | | | | 27d ago | Open WebUI has an LDAP Empty Password Authentication Bypass |
| CVE-2026-44497 | critical | 9.1 | 9.1 | | | | 27d ago | Zebra has Consensus Divergence in Transparent Sighash Hash-Type Handling due to Stale Buffer |
| CVE-2026-43407 | critical | 9.1 | 9.1 | | | | 27d ago | In the Linux kernel, the following vulnerability has been resolved: libceph: Fix potential out-of-bounds access in ceph_handle_auth_reply() This patch fixes an out-of-bounds access in ceph_handle_a… |
| CVE-2026-43406 | critical | 9.1 | 9.1 | | | | 27d ago | In the Linux kernel, the following vulnerability has been resolved: libceph: prevent potential out-of-bounds reads in process_message_header() If the message frame is (maliciously) corrupted in a w… |
| CVE-2026-41583 | critical | 9.1 | 9.1 | | | | 27d ago | Zebra Vulnerable to Consensus Divergence in Transparent Sighash Hash-Type Handling |
| CVE-2026-25199 | critical | 9.1 | 9.1 | | | | 28d ago | Instances deployed via the Proxmox extension allow unauthorized access to instances belonging to other tenants. This issue affects Apache CloudStack: from 4.21.0.0 through 4.22.0.0. The Proxm… |
| CVE-2026-42264 | critical | 9.1 | 9.1 | | | | 28d ago | Axios has prototype pollution read-side gadgets in the HTTP adapter that allow credential injection and request hijacking |
| CVE-2026-41691 | critical | 9.1 | 9.1 | | | | 28d ago | i18nextify is a JavaScript library that adds website internationalization via a script tag, without source code changes. Versions prior to 3… |
| CVE-2026-41902 | critical | 9.1 | 9.1 | | | | 28d ago | FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.217, the /user-setup/{hash} endpoint accepts a 60-character random invite_hash to set a new use… |
| CVE-2026-7821 | critical | 9.1 | 9.1 | | | | 28d ago | Improper certificate validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote unauthenticated attacker to enroll a device belonging to a restricted set of unenrolled… |
| CVE-2026-5787 | critical | 9.1 | 9.1 | | | | 28d ago | An Improper Certificate Validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote unauthenticated attacker to impersonate registered Sentry hosts and obtain valid CA-… |
| CVE-2026-44603 | critical | 9.1 | 9.1 | | | | 29d ago | Tor before 0.4.9.7 has an out-of-bounds read by one byte via a malformed BEGIN cell, aka TROVE-2026-007. |
| CVE-2026-42216 | critical | 9.1 | 9.1 | | | | 29d ago | OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From versions 3.0.0 to before 3.2.9, 3.3.0 to before 3… |
| CVE-2026-41201 | critical | 9.1 | 9.1 | | | | 29d ago | CI4MS: Backup Management Full Account Takeover for All Roles & Privilege Escalation via Stored DOM Blind XSS |
| CVE-2026-40982 | critical | 9.1 | 9.1 | | | | 29d ago | Spring Cloud Config vulnerable to Path Traversal |
| CVE-2026-44597 | critical | 9.1 | 9.1 | | | | 29d ago | Tor before 0.4.9.7 has an out-of-bounds read when an END, a TRUNCATE, or a TRUNCATED cell lacks a reason in its payload, aka TROVE-2026-011. |
| CVE-2026-40281 | critical | 9.1 | 9.1 | | | | 29d ago | Gotenberg has ExifTool stdin argument injection via metadata value newlines (bypass of key sanitization fix) |
| CVE-2026-43578 | critical | 9.1 | 9.1 | | | | 29d ago | OpenClaw versions 2026.3.31 before 2026.4.10 contain a privilege escalation vulnerability where heartbeat owner downgrade detection misses local background async exec completion events. Attackers can… |
| CVE-2026-5081 | critical | 9.1 | 9.1 | | | | 1mo ago | Apache::Session::Generate::ModUniqueId versions from 1.54 through 1.94 for Perl generate insecure session ids. Apache::Session::Generate::ModUniqueId (added in version 1.54) uses the value of the UNIQUE_… |
| CVE-2026-43197 | critical | 9.1 | 9.1 | | | | 1mo ago | In the Linux kernel, the following vulnerability has been resolved: netconsole: avoid OOB reads, msg is not nul-terminated msg passed to netconsole from the console subsystem is not guaranteed to b… |
| CVE-2026-43117 | critical | 9.1 | 9.1 | | | | 1mo ago | In the Linux kernel, the following vulnerability has been resolved: btrfs: tracepoints: get correct superblock from dentry in event btrfs_sync_file() If overlay is used on top of btrfs, dentry->d_s… |
| CVE-2026-43083 | critical | 9.1 | 9.1 | | | | 1mo ago | In the Linux kernel, the following vulnerability has been resolved: net: ioam6: fix OOB and missing lock When trace->type.bit6 is set: if (trace->type.bit6) { ... queue = skb_g… |
| CVE-2026-40010 | critical | 9.1 | 9.1 | | | | 1mo ago | Apache Wicket has a Session Fixation issue |
| CVE-2026-42608 | critical | 9.1 | 9.1 | | | | 1mo ago | Grav has Unauthenticated Path Traversal & Arbitrary File Write in its FormFlash component |
| CVE-2026-43071 | critical | 9.1 | 9.1 | | | | 1mo ago | In the Linux kernel, the following vulnerability has been resolved: dcache: Limit the minimal number of buckets to two There is an OOB read problem on dentry_hashtable when user sets 'dhash_entries=… |
| CVE-2026-34408 | critical | 9.1 | 9.1 | | | | 1mo ago | An issue was discovered in Gambio 4.9.2.0 (patched in 2024-02 v1.0.0 for GX4 v4.0.0.0 to v4.9.2.0). The password reset function can be bypassed to set arbitrary passwords for arbitrary accounts if th… |
| CVE-2026-40682 | critical | 9.1 | 9.1 | | | | 1mo ago | XML External Entity (XXE) via Unsanitized Dictionary Parsing in Apache OpenNLP DictionaryEntryPersistor. Versions Affected: before 2.5.9, before 3.0.0-M3. Description: The DictionaryEntryPersistor … |
| CVE-2026-7482 | critical | 9.1 | 9.1 | | | | 1mo ago | Ollama contains a heap out-of-bounds read vulnerability in the GGUF model loader |
| CVE-2026-42471 | high | 8.1 | 9.1 | | | | 1mo ago | Unsafe deserialization vulnerability in MixPHP Framework 2.x through 2.2.17. The sync-invoke client (Connection.php:76) calls unserialize() on data received from the server response, enabling client-sid… |
| CVE-2026-40687 | critical | 9.1 | 9.1 | | | | 1mo ago | In Exim before 4.99.2, when the SPA authentication driver is used with an adversarial SPA resource, there can be an out-of-bounds write that crashes the connection instance, or erroneous data process… |
| CVE-2026-7381 | critical | 9.1 | 9.1 | | | | 1mo ago | Plack::Middleware::XSendfile versions through 1.0053 for Perl can allow client-controlled path rewriting. Plack::Middleware::XSendfile allows the variation setting (sendfile type) to be set by the c… |
| CVE-2026-40976 | critical | 9.1 | 9.1 | | | | 1mo ago | Spring Boot's default security filter chain has no authorization rule with Actuator but without Health |
| CVE-2026-40971 | critical | 9.1 | 9.1 | | | | 1mo ago | Spring Boot's RabbitMQ auto-configuration doesn't perform hostname verification when connecting to the RabbitMQ broker |
| CVE-2026-40514 | critical | 9.1 | 9.1 | | | | 1mo ago | SmarterTools SmarterMail builds prior to 9610 contain a cryptographic weakness in the file and email sharing endpoints that use DES-CBC encryption with keys and initialization vectors derived from Sy… |
| CVE-2026-31682 | critical | 9.1 | 9.1 | | | | 1mo ago | In the Linux kernel, the following vulnerability has been resolved: bridge: br_nd_send: linearize skb before parsing ND options br_nd_send() parses neighbour discovery options from ns->opt[] and as… |
| CVE-2026-41473 | critical | 9.1 | 9.1 | | | | 1mo ago | CyberPanel versions prior to 2.4.4 contain an authentication bypass vulnerability in the AI Scanner worker API endpoints that allows unauthenticated remote attackers to write arbitrary data to the da… |