CVEs from 2026
Total: 14,786
- critical: 1,335
- high: 5,004
- medium: 4,828
- low: 503
(the four severity buckets sum to 11,670; the remaining 3,116 CVEs are not assigned to any of them)
% Critical: 9.0%
% with KEV (listed in CISA's Known Exploited Vulnerabilities catalog): 0.4%
% with exploit: 0.7%
Top vendors
Top products (CVE count)
- chrome 723
- firepower_threat_defense_software 310
- gcp 299
- firepower_threat_defense 298
- openclaw 172
- commerce 104
- netweaver_application_server_abap 102
- commerce_b2b 89
Top packages
| CVE | Severity | CVSS | Risk | Published | Description |
|---|---|---|---|---|---|
| CVE-2026-42889 | critical | 9.1 | 9.1 | 25d ago | Relay adds real-time collaboration to Obsidian. Relay Server versions 0.9.0 through 0.9.6 contain an authentication bypass in the multi-document WebSocket endpoints. When authentication is configured… |
| CVE-2026-44277 | critical | 9.1 | 9.1 | 25d ago | An improper access control vulnerability in Fortinet FortiAuthenticator 8.0.2, FortiAuthenticator 8.0.0, FortiAuthenticator 6.6.0 through 6.6.8, FortiAuthenticator 6.5.0 through 6.5.6 may allow attack… |
| CVE-2026-44196 | critical | 9.1 | 9.1 | 25d ago | Pingvin Share X is a secure and easy self-hosted file sharing platform. From 1.14.1 to 1.16.2, a critical authentication bypass vulnerability allows an attacker who has obtained a valid username and … |
| CVE-2026-42833 | critical | 9.1 | 9.1 | 25d ago | Improper control of generation of code ('code injection') in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to execute code over a network. |
| CVE-2026-41103 | critical | 9.1 | 9.1 | 25d ago | Incorrect implementation of authentication algorithm in Microsoft SSO Plugin for Jira & Confluence allows an unauthorized attacker to elevate privileges over a network. |
| CVE-2026-33117 | critical | 9.1 | 9.1 | 25d ago | The Java Key Vault Keys library in the Azure SDK for Java contains an issue in the local cryptographic verification path where authentication tag comparison was implemented incorrectly. In affected a… |
| CVE-2026-31242 | critical | 9.1 | 9.1 | 25d ago | The mem0 v1.0.0 server lacks authentication and authorization controls for its memory reset functionality accessible via the DELETE /memories endpoint. An unauthenticated attacker can send a DELETE r… |
| CVE-2026-29204 | critical | 9.1 | 9.1 | 25d ago | Insufficient ownership check in `clientarea.php` allows an authenticated client area user to submit requests using another user’s `addonId` without any ownership validation leading to unauthorized ac… |
| CVE-2026-43515 | critical | 9.1 | 9.1 | 25d ago | Improper Authorization vulnerability when multiple method constraints define an HTTP method for the same extension in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21,… |
| CVE-2026-31216 | critical | 9.1 | 9.1 | 25d ago | The nexent v1.7.5.2 backend service contains an unauthorized arbitrary storage file deletion vulnerability in its file management API. The DELETE /storage/{object_name:path} endpoint lacks authentica… |
| CVE-2026-31215 | critical | 9.1 | 9.1 | 25d ago | The nexent v1.7.5.2 backend service contains an unauthorized arbitrary file deletion vulnerability in its ElasticSearch service interface. The DELETE /{index_name}/documents endpoint lacks proper aut… |
| CVE-2026-30805 | critical | 9.1 | 9.1 | 25d ago | Insecure Default Initialization of Resource vulnerability allows Authentication Bypass via API access. This issue affects Pandora FMS: from 777 through 800 |
| CVE-2026-45091 | critical | 9.1 | 9.1 | 25d ago | sealed-env: TOTP secret embedded in unseal token payload (enterprise mode) |
| CVE-2026-27851 | critical | 9.1 | 9.1 | 25d ago | When safe filter is used with variable expansion, all following pipelines on the same string are incorrectly interpreted as safe too, enabling unsafe data to be unescaped. This can enable SQL / LDAP … |
| CVE-2026-41551 | critical | 9.1 | 9.1 | 26d ago | A vulnerability has been identified in ROS# (All versions < V2.2.2). Affected versions contain a path traversal vulnerability because user input is not properly sanitized. This could allow a remote … |
| CVE-2026-25787 | critical | 9.1 | 9.1 | 26d ago | Affected devices do not properly validate and sanitize Technology Object (TO) name rendered on the "Motion Control Diagnostics" page of the web interface. This could allow an authenticated attacker w… |
| CVE-2026-25786 | critical | 9.1 | 9.1 | 26d ago | Affected devices do not properly validate and sanitize PLC/station name rendered on the "communication" parameters page of the web interface. This could allow an authenticated attacker who is author… |
| CVE-2026-22924 | critical | 9.1 | 9.1 | 26d ago | A vulnerability has been identified in SIMATIC CN 4100 (All versions < V5.0). The affected application does not properly restrict unauthenticated connections and is susceptible to resource exhaustion… |
| CVE-2026-43639 | critical | 9.1 | 9.1 | 26d ago | Bitwarden Server prior to v2026.4.0 contains a missing authorization vulnerability that allows a provider service user to add an arbitrary organization to their provider via `POST /providers/{provide… |
| CVE-2026-6104 | critical | 9.1 | 9.1 | 28d ago | In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, when an encoding name containing an embedded NUL byte is passed to mb_convert_encoding() or related mbstring functions, the code incorrectl… |
| CVE-2026-42560 | critical | 9.1 | 9.1 | 29d ago | auth: Patreon provider assigns the same local user ID to every authenticated Patreon account, enabling cross‑user impersonation |
| CVE-2026-44313 | critical | 9.1 | 9.1 | 29d ago | Linkwarden is a self-hosted, open-source collaborative bookmark manager to collect, organize and archive webpages. Prior to version 2.13.0, a Server-Side Request Forgery (SSRF) vulnerability in the f… |
| CVE-2026-42193 | critical | 9.1 | 9.1 | 29d ago | Plunk is an open-source email platform built on top of AWS SES. Prior to version 0.9.0, the /webhooks/sns endpoint accepts Amazon SNS notification payloads from unauthenticated requests without verif… |
| CVE-2026-44694 | critical | 9.1 | 9.1 | 29d ago | n8n-mcp webhook and API client paths have an authenticated SSRF |
| CVE-2026-44551 | critical | 9.1 | 9.1 | 29d ago | Open WebUI has an LDAP Empty Password Authentication Bypass |
| CVE-2026-44497 | critical | 9.1 | 9.1 | 29d ago | Zebra has Consensus Divergence in Transparent Sighash Hash-Type Handling due to Stale Buffer |
| CVE-2026-43407 | critical | 9.1 | 9.1 | 29d ago | In the Linux kernel, the following vulnerability has been resolved: libceph: Fix potential out-of-bounds access in ceph_handle_auth_reply() This patch fixes an out-of-bounds access in ceph_handle_a… |
| CVE-2026-43406 | critical | 9.1 | 9.1 | 29d ago | In the Linux kernel, the following vulnerability has been resolved: libceph: prevent potential out-of-bounds reads in process_message_header() If the message frame is (maliciously) corrupted in a w… |
| CVE-2026-41583 | critical | 9.1 | 9.1 | 29d ago | Zebra Vulnerable to Consensus Divergence in Transparent Sighash Hash-Type Handling |
| CVE-2026-25199 | critical | 9.1 | 9.1 | 29d ago | Instances deployed via the Proxmox extension allow unauthorized access to instances belonging to other tenants. This issue affects Apache CloudStack: from 4.21.0.0 through 4.22.0.0. The Proxm… |
| CVE-2026-42264 | critical | 9.1 | 9.1 | 1mo ago | Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking |
| CVE-2026-41691 | critical | 9.1 | 9.1 | 1mo ago | i18nextify is a JavaScript library that adds website internationalization via a script tag, without source code changes. Versions prior to 3… |
| CVE-2026-41902 | critical | 9.1 | 9.1 | 1mo ago | FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.217, the /user-setup/{hash} endpoint accepts a 60-character random invite_hash to set a new use… |
| CVE-2026-7821 | critical | 9.1 | 9.1 | 1mo ago | Improper certificate validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote unauthenticated attacker to enroll a device belonging to a restricted set of unenrolled… |
| CVE-2026-5787 | critical | 9.1 | 9.1 | 1mo ago | An Improper Certificate Validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote unauthenticated attacker to impersonate registered Sentry hosts and obtain valid CA-… |
| CVE-2026-44603 | critical | 9.1 | 9.1 | 1mo ago | Tor before 0.4.9.7 has an out-of-bounds read by one byte via a malformed BEGIN cell, aka TROVE-2026-007. |
| CVE-2026-42216 | critical | 9.1 | 9.1 | 1mo ago | OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From versions 3.0.0 to before 3.2.9, 3.3.0 to before 3… |
| CVE-2026-41201 | critical | 9.1 | 9.1 | 1mo ago | CI4MS: Backup Management Full Account Takeover for All Roles & Privilege Escalation via Stored DOM Blind XSS |
| CVE-2026-40982 | critical | 9.1 | 9.1 | 1mo ago | Spring Cloud Config vulnerable to Path Traversal |
| CVE-2026-44597 | critical | 9.1 | 9.1 | 1mo ago | Tor before 0.4.9.7 has an out-of-bounds read when an END, a TRUNCATE, or a TRUNCATED cell lacks a reason in its payload, aka TROVE-2026-011. |
| CVE-2026-40281 | critical | 9.1 | 9.1 | 1mo ago | Gotenberg has ExifTool stdin argument injection via metadata value newlines (bypass of key sanitization fix) |
| CVE-2026-43578 | critical | 9.1 | 9.1 | 1mo ago | OpenClaw versions 2026.3.31 before 2026.4.10 contain a privilege escalation vulnerability where heartbeat owner downgrade detection misses local background async exec completion events. Attackers can… |
| CVE-2026-5081 | critical | 9.1 | 9.1 | 1mo ago | Apache::Session::Generate::ModUniqueId versions from 1.54 through 1.94 for Perl session ids are insecure. Apache::Session::Generate::ModUniqueId (added in version 1.54) uses the value of the UNIQUE_… |
| CVE-2026-43197 | critical | 9.1 | 9.1 | 1mo ago | In the Linux kernel, the following vulnerability has been resolved: netconsole: avoid OOB reads, msg is not nul-terminated msg passed to netconsole from the console subsystem is not guaranteed to b… |
| CVE-2026-43117 | critical | 9.1 | 9.1 | 1mo ago | In the Linux kernel, the following vulnerability has been resolved: btrfs: tracepoints: get correct superblock from dentry in event btrfs_sync_file() If overlay is used on top of btrfs, dentry->d_s… |
| CVE-2026-43083 | critical | 9.1 | 9.1 | 1mo ago | In the Linux kernel, the following vulnerability has been resolved: net: ioam6: fix OOB and missing lock When trace->type.bit6 is set: if (trace->type.bit6) { ... queue = skb_g… |
| CVE-2026-40010 | critical | 9.1 | 9.1 | 1mo ago | Apache Wicket has a Session Fixation issue |
| CVE-2026-42608 | critical | 9.1 | 9.1 | 1mo ago | Grav has Unauthenticated Path Traversal & Arbitrary File Write in its FormFlash component |
| CVE-2026-43071 | critical | 9.1 | 9.1 | 1mo ago | In the Linux kernel, the following vulnerability has been resolved: dcache: Limit the minimal number of bucket to two There is an OOB read problem on dentry_hashtable when user sets 'dhash_entries=… |
| CVE-2026-34408 | critical | 9.1 | 9.1 | 1mo ago | An issue was discovered in Gambio 4.9.2.0 (patched in 2024-02 v1.0.0 for GX4 v4.0.0.0 to v4.9.2.0). The password reset function can be bypassed to set arbitrary passwords for arbitrary accounts if th… |
| CVE-2026-40682 | critical | 9.1 | 9.1 | 1mo ago | XML External Entity (XXE) via Unsanitized Dictionary Parsing in Apache OpenNLP DictionaryEntryPersistor Versions Affected: before 2.5.9, before 3.0.0-M3 Description: The DictionaryEntryPersistor … |
| CVE-2026-7482 | critical | 9.1 | 9.1 | 1mo ago | Ollama contains a heap out-of-bounds read vulnerability in the GGUF model loader |
| CVE-2026-40687 | critical | 9.1 | 9.1 | 1mo ago | In Exim before 4.99.2, when the SPA authentication driver is used with an adversarial SPA resource, there can be an out-of-bounds write that crashes the connection instance, or erroneous data process… |
| CVE-2026-7381 | critical | 9.1 | 9.1 | 1mo ago | Plack::Middleware::XSendfile versions through 1.0053 for Perl can allow client-controlled path rewriting. Plack::Middleware::XSendfile allows the variation setting (sendfile type) to be set by the c… |
| CVE-2026-40976 | critical | 9.1 | 9.1 | 1mo ago | Spring Boot's default security filter chain has no authorization rule with Actuator but without Health |
| CVE-2026-40971 | critical | 9.1 | 9.1 | 1mo ago | Spring Boot's RabbitMQ auto-configuration doesn't perform hostname verification when connecting to the RabbitMQ broker |
| CVE-2026-40514 | critical | 9.1 | 9.1 | 1mo ago | SmarterTools SmarterMail builds prior to 9610 contain a cryptographic weakness in the file and email sharing endpoints that use DES-CBC encryption with keys and initialization vectors derived from Sy… |
| CVE-2026-31682 | critical | 9.1 | 9.1 | 1mo ago | In the Linux kernel, the following vulnerability has been resolved: bridge: br_nd_send: linearize skb before parsing ND options br_nd_send() parses neighbour discovery options from ns->opt[] and as… |
| CVE-2026-41473 | critical | 9.1 | 9.1 | 1mo ago | CyberPanel versions prior to 2.4.4 contain an authentication bypass vulnerability in the AI Scanner worker API endpoints that allows unauthenticated remote attackers to write arbitrary data to the da… |
| CVE-2026-41248 | critical | 9.1 | 9.1 | 1mo ago | Official Clerk JavaScript SDKs: Middleware-based route protection bypass |
| CVE-2026-41475 | critical | 9.1 | 9.1 | 1mo ago | BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.4.3, an out-of-bounds read vulnerability in bacnet-stack's WritePropertyMultiple service decoder allows … |
| CVE-2026-41428 | critical | 9.1 | 9.1 | 1mo ago | Budibase: Authentication Bypass via Unanchored Regex in Public Endpoint Matcher — Unauthenticated Access to Protected Endpoints |
| CVE-2026-41415 | critical | 9.1 | 9.1 | 1mo ago | PJSIP is a free and open source multimedia communication library written in C. In 2.16 and earlier, there is an out-of-bounds read when parsing a malformed Content-ID URI in SIP multipart message bod… |
| CVE-2026-41328 | critical | 9.1 | 9.1 | 1mo ago | Dgraph: Pre-Auth Full Database Exfiltration via DQL Injection in NQuad Lang Field |
| CVE-2026-41327 | critical | 9.1 | 9.1 | 1mo ago | Dgraph: Pre-Auth Full Database Exfiltration via DQL Injection in Upsert Condition Field |
| CVE-2026-42044 | critical | 9.1 | 9.1 | 1mo ago | Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `parseReviver` |
| CVE-2026-41677 | critical | 9.1 | 9.1 | 1mo ago | rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.9.0 to before 0.10.78, the *_from_pem_callback APIs did not validate the length returned by the user's callback. A pa… |
| CVE-2026-31636 | critical | 9.1 | 9.1 | 1mo ago | In the Linux kernel, the following vulnerability has been resolved: rxrpc: fix RESPONSE authenticator parser OOB read rxgk_verify_authenticator() copies auth_len bytes into a temporary buffer and t… |
| CVE-2026-27843 | critical | 9.1 | 9.1 | 1mo ago | A vulnerability exists in SenseLive X3050's web management interface that allows critical configuration parameters to be modified without sufficient authentication or server-side validation. By apply… |
| CVE-2026-41167 | critical | 9.1 | 9.1 | 2mo ago | Jellystat is a free and open source Statistics App for Jellyfin. Prior to version 1.1.10, multiple API endpoints in Jellystat build SQL queries by interpolating unsanitized request-body fields direct… |
| CVE-2026-32885 | critical | 9.1 | 9.1 | 2mo ago | DDEV has ZipSlip path traversal in tar and zip archive extraction |
| CVE-2026-40575 | critical | 9.1 | 9.1 | 2mo ago | OAuth2 Proxy has an Authentication Bypass via X-Forwarded-Uri Header Spoofing |
| CVE-2026-40910 | critical | 9.1 | 9.1 | 2mo ago | frp has an authentication bypass in HTTP vhost routing when routeByHTTPUser is used for access control |
| CVE-2026-40903 | critical | 9.1 | 9.1 | 2mo ago | goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.6, goshs has an ArtiPACKED vulnerability. ArtiPACKED can lead to leakage of the GITHUB_TOKEN through workflow artifacts, even though the… |
| CVE-2026-40372 | critical | 9.1 | 9.1 | 2mo ago | Improper verification of cryptographic signature in ASP.NET Core allows an unauthorized attacker to elevate privileges over a network. |
| CVE-2026-6257 | critical | 9.1 | 9.1 | 2mo ago | Vvveb CMS v1.0.8.2 contains a remote code execution vulnerability in its media management functionality where a missing return statement in the file rename handler allows authenticated attackers to r… |
| CVE-2026-6644 | critical | 9.1 | 9.1 | 2mo ago | A command injection vulnerability was found in the PPTP VPN Clients on the ADM. The vulnerability allows an administrative user to break out of the restricted web environment and execute arbitrary co… |
| CVE-2026-40324 | critical | 9.1 | 9.1 | 2mo ago | ChilliCream GraphQL Platform: Utf8GraphQLParser Stack Overflow via Deeply Nested GraphQL Documents |
| CVE-2026-5720 | critical | 9.1 | 9.1 | 2mo ago | miniupnpd contains an integer underflow vulnerability in SOAPAction header parsing that allows remote attackers to cause a denial of service or information disclosure by sending a malformed SOAPActio… |
| CVE-2026-40258 | critical | 9.1 | 9.1 | 2mo ago | gramps-webapi: Zip Slip Path Traversal in Media Archive Import |
| CVE-2026-23500 | critical | 9.1 | 9.1 | 2mo ago | Dolibarr: OS Command Injection (RCE) via MAIN_ODT_AS_PDF configuration |
| CVE-2026-40525 | critical | 9.1 | 9.1 | 2mo ago | OpenViking: Unauthenticated remote bot control via OpenAPI HTTP routes |
| CVE-2026-40518 | critical | 9.1 | 9.1 | 2mo ago | ByteDance DeerFlow before commit 2176b2b contains a path traversal and arbitrary file write vulnerability in bootstrap-mode custom-agent creation where the agent name validation is bypassed. Attacker… |
| CVE-2026-5426 | critical | 9.1 | 9.1 | 2mo ago | Hard-coded ASP.NET/IIS machineKey value in Digital Knowledge KnowledgeDeliver deployments prior to February 24, 2026 allows adversaries to circumvent ViewState validation mechanisms and achieve remot… |
| CVE-2026-33804 | critical | 9.1 | 9.1 | 2mo ago | @fastify/middie vulnerable to middleware bypass via deprecated ignoreDuplicateSlashes option |
| CVE-2026-6270 | critical | 9.1 | 9.1 | 2mo ago | @fastify/middie vulnerable to middleware authentication bypass in child plugin scopes |
| CVE-2026-33808 | critical | 9.1 | 9.1 | 2mo ago | @fastify/express v4.0.4 and earlier fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows complete bypass of path-… |
| CVE-2026-33807 | critical | 9.1 | 9.1 | 2mo ago | @fastify/express v4.0.4 and earlier contains a path handling bug in the onRegister function that causes middleware paths to be doubled when inherited by child plugins. When a child plugin is register… |
| CVE-2026-25209 | critical | 9.1 | 9.1 | 2mo ago | Out-of-bounds read vulnerability in Samsung Open Source Escargot allows Resource Leak Exposure. This issue affects Escargot: 97e8115ab1110bc502b4b5e4a0c689a71520d335. |
| CVE-2026-25206 | critical | 9.1 | 9.1 | 2mo ago | Out-of-bounds read vulnerability in Samsung Open Source Escargot allows Resource Leak Exposure. This issue affects Escargot: 97e8115ab1110bc502b4b5e4a0c689a71520d335. |
| CVE-2026-5393 | critical | 9.1 | 9.1 | 2mo ago | Dual-Algorithm CertificateVerify out-of-bounds read. When processing a dual-algorithm CertificateVerify message, an out-of-bounds read can occur on crafted input. This can only occur when --enable-ex… |
| CVE-2026-5194 | critical | 9.1 | 9.1 | 2mo ago | Missing hash/digest size and OID checks allow digests smaller than allowed when verifying ECDSA certificates, or smaller than is appropriate for the relevant key type, to be accepted by signature ver… |
| CVE-2026-5574 | critical | 9.1 | 9.1 | 2mo ago | A security vulnerability has been detected in Technostrobe HI-LED-WR120-G2 5.5.0.1R6.03.30. Affected is the function deletefile of the component FsBrowseClean. The manipulation of the argument dir/pa… |
| CVE-2026-23455 | critical | 9.1 | 9.1 | 2mo ago | In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_h323: check for zero length in DecodeQ931() In DecodeQ931(), the UserUserIE code path reads a 16-bit leng… |
| CVE-2026-32211 | critical | 9.1 | 9.1 | 2mo ago | Missing authentication for critical function in Azure MCP Server allows an unauthorized attacker to disclose information over a network. |
| CVE-2026-34873 | critical | 9.1 | 9.1 | 2mo ago | An issue was discovered in Mbed TLS 3.5.0 through 4.0.0. Client impersonation can occur while resuming a TLS 1.3 session. |
| CVE-2026-27071 | critical | 9.1 | 9.1 | 2mo ago | Missing Authorization vulnerability in Arraytics WPCafe wp-cafe allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WPCafe: from n/a through <= 3.0.7. |
| CVE-2026-4753 | critical | 9.1 | 9.1 | 3mo ago | Out-of-bounds Read vulnerability in slajerek RetroDebugger. This issue affects RetroDebugger: before v0.64.72. |
| CVE-2026-4750 | critical | 9.1 | 9.1 | 3mo ago | Out-of-bounds Read vulnerability in fabiangreffrath woof. This issue affects woof: before woof_15.3.0. |
| CVE-2026-4601 | critical | 9.1 | 9.1 | 3mo ago | jsrsasign: Missing cryptographic validation during DSA signing enables private key extraction |