CVEs from 2026
- Total: 14,766
- Critical: 1,333
- High: 4,995
- Medium: 4,817
- Low: 502
- % Critical: 9.0%
- % with KEV: 0.4%
- % with exploit: 0.7%
Top products
- chrome 723
- firepower_threat_defense_software 310
- gcp 299
- firepower_threat_defense 298
- openclaw 172
- commerce 104
- netweaver_application_server_abap 102
- commerce_b2b 89
| CVE | Severity | CVSS | Risk | Published | Description | Flags | OS | Vendor |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-45779 | unknown | — | — | 12h ago | OpenXDMoD is an open framework for collecting and analyzing HPC metrics. An SQL injection vulnerability exists in Open XDMoD versions prior to 10.0.3 that allows an unauthenticated remote attacker to… | |||
| CVE-2026-45778 | unknown | — | — | 12h ago | OpenXDMoD is an open framework for collecting and analyzing HPC metrics. Prior to version 11.0.3, an authenticated attacker can inject malicious JavaScript into their Open XDMoD user profile and abus… | |||
| CVE-2026-45777 | unknown | — | — | 12h ago | OpenXDMoD is an open framework for collecting and analyzing HPC metrics. Starting in version 9.5.0 and prior to version 11.0.3, an attacker can remotely execute arbitrary system commands on the web s… | |||
| CVE-2026-11420 | unknown | — | — | 12h ago | Two path traversal vulnerabilities in the Network Installation Service (NIS) of Altium Enterprise Server allow an unauthenticated network attacker to write arbitrary files to any writable location on… | |||
| CVE-2026-11419 | unknown | — | — | 12h ago | A path traversal vulnerability exists in the Altium Enterprise Server Vault Service UploadController due to improper validation of a user-controlled path component in image upload requests. An authen… | |||
| CVE-2026-45776 | unknown | — | — | 12h ago | OpenXDMoD is an open framework for collecting and analyzing HPC metrics. Prior to version 11.0.3, a flaw in Open XDMoD's access control logic allows an attacker to submit a crafted HTTPS POST request… | |||
| CVE-2026-46401 | unknown | — | — | 13h ago | HAX CMS helps manage microsite universe with PHP or NodeJs backends. Versions prior to 26.0.0 suffer from an improper session termination vulnerability where authentication tokens remain valid after … | |||
| CVE-2026-46399 | unknown | — | — | 13h ago | HAX CMS helps manage microsite universe with PHP or NodeJs backends. The PHP version of HAX CMS prior to version 26.0.0 has an authenticated file overwrite vulnerability. An attacker can exploit this… | |||
| CVE-2026-46394 | unknown | — | — | 13h ago | HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, an OS command injection vulnerability exists in the Git.php library of the HAXcms PHP backend. The applic… | |||
| CVE-2026-46390 | unknown | — | — | 13h ago | HAX CMS helps manage microsite universe with PHP or NodeJs backends. Starting in version 2.0.0 and prior to version 26.0.0, the gitlist plugin is exposed to unauthenticated users, allowing unauthenti… | |||
| CVE-2026-46400 | unknown | — | — | 13h ago | HAX CMS helps manage microsite universe with PHP or NodeJs backends. Starting in version 11.0.6 and prior to version 25.0.0, the file upload functionality in HAXCMS PHP only validates file extensions… | |||
| CVE-2026-46398 | unknown | — | — | 13h ago | HAX CMS helps manage microsite universe with PHP or NodeJs backends. Starting in version 25.0.0 and prior to version 26.0.0, the haxcms_refresh_token cookie is set without the Secure flag. This allow… | |||
| CVE-2026-11414 | unknown | — | — | 13h ago | A hard-coded cryptographic key is used by Altium Enterprise Server to sign file download URLs in the Vault service. Because the key is identical across all installations, an unauthenticated network a… | |||
| CVE-2026-47731 | unknown | — | — | 14h ago | NASA AMMOS Instrument Toolkit: Path traversal resulting in arbitrary file append (can be triggered over the network by unauthenticated attacker) | |||
| CVE-2026-8714 | unknown | — | — | 15h ago | A denial-of-service vulnerability exists in the RTSP server component of TP-Link Tapo C520WS v2 due to improper handling of syntactically invalid input. Crafted inputs can trigger a processing error… | |||
| CVE-2026-49343 | unknown | — | — | 15h ago | Klever-Go KVM: Throttler slot leak in trie account-data sync causes epoch bootstrap / state sync DoS | |||
| CVE-2026-48017 | unknown | — | — | 15h ago | DbGate: Remote Code Execution via functionName injection in loadReader endpoint | |||
| CVE-2026-47684 | unknown | — | — | 15h ago | Sync-in Server: SSRF protection bypass via IPv4-mapped IPv6 addresses in regExpPrivateIP | |||
| CVE-2026-47680 | unknown | — | — | 15h ago | Source controller: Improper path handling allows traversal | |||
| CVE-2026-47670 | unknown | — | — | 15h ago | Authenticated Remote Code Execution via loadReader functionName code injection in DbGate | |||
| CVE-2026-47419 | unknown | — | — | 15h ago | praisonai-platform: Agent endpoints accept any agent_id without workspace ownership check, cross-workspace read/update/delete IDOR | |||
| CVE-2026-47669 | unknown | — | — | 15h ago | DbGate: Zip Slip in archive/unzip allows arbitrary file write leading to RCE | |||
| CVE-2026-47668 | unknown | — | — | 15h ago | DbGate: Unauthenticated Remote Code Execution via JSON Script Runner | |||
| CVE-2026-47388 | unknown | — | — | 16h ago | NocoDB: Missing Ownership Check in MCP Attachment Read | |||
| CVE-2026-47387 | unknown | — | — | 16h ago | NocoDB: Stored Cross-Site Scripting via Form View Redirect URL | |||
| CVE-2026-47386 | unknown | — | — | 16h ago | NocoDB: OAuth Authorization Code Race Condition | |||
| CVE-2026-47385 | unknown | — | — | 16h ago | NocoDB: Path Traversal via SQLite Source Filename | |||
| CVE-2026-47384 | unknown | — | — | 16h ago | NocoDB: SQL Injection via Column Title in Bulk GroupBy | |||
| CVE-2026-47383 | unknown | — | — | 16h ago | NocoDB: Stored Cross-Site Scripting via Row Comments | |||
| CVE-2026-47382 | unknown | — | — | 16h ago | NocoDB: Server-Side Request Forgery via Database Connection Host | |||
| CVE-2026-9270 | unknown | — | — | 16h ago | DataDog::DogStatsd versions through 0.07 for Perl allow metric injections. DataDog::DogStatsd does not properly sanitise input, allowing metric injections of data from untrusted sources. The send_s… | |||
| CVE-2026-11362 | unknown | — | — | 16h ago | DataDog::DogStatsd versions through 0.07 for Perl allow metric injections from event tags. DataDog::DogStatsd does not properly sanitise input, allowing metric injections of data from untrusted sour… | |||
| CVE-2026-47381 | unknown | — | — | 16h ago | NocoDB: Cross-Workspace Integration Use in Connection Test | |||
| CVE-2026-47380 | unknown | — | — | 16h ago | NocoDB: User Enumeration via Sign-In Timing | |||
| CVE-2026-47379 | unknown | — | — | 16h ago | NocoDB: Plaintext Password Comparison in Shared Views | |||
| CVE-2026-47378 | unknown | — | — | 16h ago | NocoDB: Hidden Column Exposure in Public Shared View Endpoints | |||
| CVE-2026-47377 | unknown | — | — | 16h ago | NocoDB: Open Redirect via Hash Fragment in hashRedirect Plugin | |||
| CVE-2026-47376 | unknown | — | — | 16h ago | NocoDB: Reflected Cross-Site Scripting via Password Reset Token | |||
| CVE-2026-47375 | unknown | — | — | 16h ago | NocoDB: Postgres SQL Injection in Formula `ARRAYSORT` | |||
| CVE-2026-47279 | unknown | — | — | 16h ago | NocoDB: Hidden LTAR Column Exposure in Public Shared-View Relation Endpoints | |||
| CVE-2026-47250 | unknown | — | — | 16h ago | MCP Server Kubernetes: kubectl-generic flag injection enables Kubernetes bearer token exfiltration | |||
| CVE-2026-47249 | unknown | — | — | 16h ago | Klever-Go KVM: Hash-array amplification in P2P resolver request handling | |||
| CVE-2026-45726 | unknown | — | — | 16h ago | Omni: Reader-level users can retrieve imported cluster CA keys via ResourceService | |||
| CVE-2026-45723 | unknown | — | — | 16h ago | Omni: Operator can traverse image-factory API paths via unsanitized `talos_version` in CreateSchematic | |||
| CVE-2026-45720 | unknown | — | — | 16h ago | Omni has a TOCTOU race condition that allows multiple concurrent uses of a single-use SAML session token | |||
| CVE-2026-38579 | unknown | — | — | 17h ago | Multiple reflected Cross-Site Scripting (XSS) vulnerabilities in damasac thaipalliative_lte through version 3.0 allow remote attackers to inject arbitrary web script or HTML via the idFormMain parame… | |||
| CVE-2026-10879 | unknown | — | — | 17h ago | DBI versions before 1.648 for Perl have a heap overflow when preparsing SQL statements with more than 9 binders. The preparse method expands SQL placeholder characters to numbered binders of the for… | |||
| CVE-2026-38500 | unknown | — | — | 18h ago | Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. | |||
| CVE-2026-11369 | unknown | — | — | 18h ago | The Comment API (GET /api/Comment and POST /api/Comment) in the affected application fails to perform authorization checks to verify that the requesting user has access to the object identified by th… | |||
| CVE-2026-25659 | unknown | — | — | 20h ago | Ericsson Packet Core Gateway (PCG) versions prior to 1.30 contain an Improper Handling of Missing Values (CWE-230) vulnerability where an attacker continuously sending a specially crafted message can… | |||
| CVE-2026-25658 | unknown | — | — | 20h ago | Ericsson Packet Core Gateway (PCG) versions prior to 1.30 contain an Improper Handling of Missing Values (CWE-230) vulnerability where an attacker continuously sending a specially crafted message can… | |||
| CVE-2026-25657 | unknown | — | — | 20h ago | Ericsson Packet Core Gateway (PCG) versions prior to 1.30 contain an Improper Handling of Syntactically Invalid Structure (CWE-228) vulnerability where an attacker continuously sending a specially cr… | |||
| CVE-2026-11346 | unknown | — | — | 20h ago | A Server-Side Request Forgery (SSRF) vulnerability in the custom process creation feature of linqi allows an authenticated attacker to probe internal network components. By crafting a specific proces… | |||
| CVE-2026-11345 | unknown | — | — | 20h ago | An Improper Authentication vulnerability in the /api/Cdn/GetFile endpoint of linqi allows unauthenticated, remote attackers to bypass file access controls. The ValidateAnonFileAccess function incorre… | |||
| CVE-2026-8914 | unknown | — | — | 21h ago | In Teltonika Networks RUTOS devices, running versions 7.22 through 7.23.2 and TSWOS devices running versions 1.09 through 1.09.1, due to unsafe calls to an eval function in rpc-profile, a vulnerabili… | |||
| CVE-2026-21038 | unknown | — | — | 21h ago | Improper input validation in Samsung Android USB Driver for Windows prior to version 1.9.5.0 allows local attacker to access out-of-bounds memory. | |||
| CVE-2026-21037 | unknown | — | — | 21h ago | Improper input validation in Samsung Members prior to version 5.8.01.5 allows local attackers to access arbitrary URL and launch arbitrary activity with Samsung Members privilege. | |||
| CVE-2026-21036 | unknown | — | — | 21h ago | Improper authorization in Samsung Internet prior to version 30.0.0.39 allows local attackers to access sensitive information. | |||
| CVE-2026-21035 | unknown | — | — | 21h ago | Improper input validation in Samsung Plus TV prior to version 1.0.28.6 allows remote attackers to access sensitive information. | |||
| CVE-2026-21034 | unknown | — | — | 21h ago | Improper export of android application components in Samsung Auto prior to version 3.1.2.61 in Android 15 and 3.2.0.38 in Android 16 allows local attacker to change audio configuration. | |||
| CVE-2026-21033 | unknown | — | — | 21h ago | Improper export of android application components in ExpressHomeWidgetReceiver of Samsung Assistant prior to version 9.3.14 allows local attacker to execute arbitrary script. | |||
| CVE-2026-21032 | unknown | — | — | 21h ago | Improper export of android application components in SmartHomeWidgetReceiver of Samsung Assistant prior to version 9.3.14 allows local attacker to execute arbitrary script. | |||
| CVE-2026-11347 | unknown | — | — | 21h ago | The linqi application contains hardcoded cryptographic keys. Additionally, the application uses a weak algorithm with a limited ASCII charset to dynamically generate Initialization Vectors (IVs) for … | |||
| CVE-2026-48907 | unknown | — | — | 1d ago | A vulnerability in the JCE editor extension for Joomla allows the creation of new editor profiles for unauthenticated users, ultimately resulting in PHP code upload and execution. | |||
| CVE-2026-21837 | unknown | — | — | 1d ago | HCL Digital Experience is affected by an OS command injection vulnerability in the Digital Asset Management API. An attacker may execute arbitrary operating system commands, typically inheriting the… | |||
| CVE-2026-11326 | unknown | — | — | 1d ago | OpenAI Atlas before 1.2025.288.15 exposed privileged browser APIs to web content on *.openai.com origins. A cross-site scripting vulnerability in forum.openai.com could be used to access these functi… | |||
| CVE-2026-36500 | unknown | — | — | 1d ago | An issue in the cluster-admin:backup-datastore component of Controller v12.0.5 allows attackers to execute a directory traversal via a crafted request. | |||
| CVE-2026-36501 | unknown | — | — | 1d ago | An issue in the Externalizable.readExternal() component of Controller v12.0.5 allows attackers to cause a Denial of Service (DoS) via a crafted input. | |||
| CVE-2026-11211 | unknown | — | — | 1d ago | Integer overflow in V8 in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium) | |||
| CVE-2026-11128 | unknown | — | — | 1d ago | Inappropriate implementation in Web Share in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a craf… | |||
| CVE-2026-11127 | unknown | — | — | 1d ago | Inappropriate implementation in WebAPKs in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to perform domain spoofing via a crafted WebAPK. (Chromium security severity: Medi… | |||
| CVE-2026-11126 | unknown | — | — | 1d ago | Inappropriate implementation in DevTools in Google Chrome prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to leak cross-origin data via a crafted Chro… | |||
| CVE-2026-11124 | unknown | — | — | 1d ago | Integer overflow in Skia in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium) | |||
| CVE-2026-11123 | unknown | — | — | 1d ago | Uninitialized Use in ANGLE in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium securit… | |||
| CVE-2026-11122 | unknown | — | — | 1d ago | Inappropriate implementation in Keyboard in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security sever… | |||
| CVE-2026-11121 | unknown | — | — | 1d ago | Insufficient validation of untrusted input in Skia in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted H… | |||
| CVE-2026-11029 | unknown | — | — | 1d ago | Insufficient validation of untrusted input in Drag and Drop in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perfor… | |||
| CVE-2026-11025 | unknown | — | — | 1d ago | Insufficient policy enforcement in Navigation in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chromium securit… | |||
| CVE-2026-11024 | unknown | — | — | 1d ago | Stack buffer overflow in Skia in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to potentially exploit stack corruption via a crafted HTML page. (Chromium security severity: Medium) | |||
| CVE-2026-11023 | unknown | — | — | 1d ago | Inappropriate implementation in WebAppInstalls in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HT… | |||
| CVE-2026-11022 | unknown | — | — | 1d ago | Insufficient validation of untrusted input in DevTools in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a cr… | |||
| CVE-2026-11021 | unknown | — | — | 1d ago | Insufficient validation of untrusted input in GPU in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbo… | |||
| CVE-2026-11020 | unknown | — | — | 1d ago | Inappropriate implementation in Extensions in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted XML file. (Chromium security severity: Medium) | |||
| CVE-2026-11019 | unknown | — | — | 1d ago | Inappropriate implementation in Payments in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to perform domain spoofing via a crafted… | |||
| CVE-2026-11018 | unknown | — | — | 1d ago | Insufficient policy enforcement in Actor in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medi… | |||
| CVE-2026-11017 | unknown | — | — | 1d ago | Inappropriate implementation in Link Preview in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass navigation restrictions via a crafted… | |||
| CVE-2026-11016 | unknown | — | — | 1d ago | Insufficient validation of untrusted input in Network in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a cra… | |||
| CVE-2026-11015 | unknown | — | — | 1d ago | Out of bounds read in WebGPU in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Medium) | |||
| CVE-2026-11014 | unknown | — | — | 1d ago | Insufficient policy enforcement in Extensions in Google Chrome prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to bypass site isolation via a crafted … | |||
| CVE-2026-11013 | unknown | — | — | 1d ago | Insufficient validation of untrusted input in Network in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive inform… | |||
| CVE-2026-11012 | unknown | — | — | 1d ago | Use after free in Serial in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HT… | |||
| CVE-2026-11011 | unknown | — | — | 1d ago | Insufficient policy enforcement in Password Manager in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted H… | |||
| CVE-2026-11010 | unknown | — | — | 1d ago | Use after free in WebShare in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted … | |||
| CVE-2026-11009 | unknown | — | — | 1d ago | Use after free in USB in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium) | |||
| CVE-2026-11008 | unknown | — | — | 1d ago | Insufficient validation of untrusted input in WebAppInstalls in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a… | |||
| CVE-2026-11007 | unknown | — | — | 1d ago | Insufficient validation of untrusted input in WebView in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to leak cross-origin data v… | |||
| CVE-2026-11006 | unknown | — | — | 1d ago | Out of bounds read in Dawn in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Medium) | |||
| CVE-2026-11005 | unknown | — | — | 1d ago | Out of bounds read in ANGLE in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from proc… | |||
| CVE-2026-11004 | unknown | — | — | 1d ago | Out of bounds read in ANGLE in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory … | |||
| CVE-2026-47708 | unknown | — | — | 1d ago | MCP-for-Stata: Command injection via log_file_name parameter in Stata command wrapper |