CVEs from 2026
- Total 14,786
- critical 1,335
- high 5,004
- medium 4,828
- low 503
- % Critical 9.0%
- % with KEV 0.4%
- % with exploit 0.7%
Top products
- chrome 723
- firepower_threat_defense_software 310
- gcp 299
- firepower_threat_defense 298
- openclaw 172
- commerce 104
- netweaver_application_server_abap 102
- commerce_b2b 89

| CVE | Severity | CVSS | Risk | Published | Description | Flags | OS | Vendor |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-36785 | unknown | — | — | 23h ago | Shenzhen Tenda Technology Co., Ltd Tenda FH451 V1.0.0.9 was discovered to contain a stack overflow in the page parameter of the fromDhcpListClient function. This vulnerability allows attackers to cau… | |||
| CVE-2026-11423 | unknown | — | — | 23h ago | A path traversal vulnerability exists in the Altium Enterprise Server Collaboration Service due to improper handling of user-supplied filenames in the MCAD and Simulation file download flows. A regul… | |||
| CVE-2026-11431 | unknown | — | — | 23h ago | A path traversal vulnerability exists in the Projects Service download endpoint shared by Altium Enterprise Server and Altium 365. An authenticated user can supply a crafted path parameter that bypas… | |||
| CVE-2026-11429 | unknown | — | — | 23h ago | A path traversal vulnerability exists in the Git Service component shared by Altium Enterprise Server and Altium 365. The service accepts a sequence of post-clone file-manipulation operations that us… | |||
| CVE-2026-11424 | unknown | — | — | 23h ago | A server-side request forgery (SSRF) vulnerability exists in a GraphQL service component shared by Altium Enterprise Server and Altium 365. An authenticated user can submit a request whose input is t… | |||
| CVE-2026-47743 | unknown | — | — | 23h ago | Shopper: Multiple data integrity and disclosure issues in admin Livewire components | |||
| CVE-2026-45779 | unknown | — | — | 1d ago | OpenXDMoD is an open framework for collecting and analyzing HPC metrics. An SQL injection vulnerability exists in Open XDMoD versions prior to 10.0.3 that allows an unauthenticated remote attacker to… | |||
| CVE-2026-45778 | unknown | — | — | 1d ago | OpenXDMoD is an open framework for collecting and analyzing HPC metrics. Prior to version 11.0.3, an authenticated attacker can inject malicious JavaScript into their Open XDMoD user profile and abus… | |||
| CVE-2026-45777 | unknown | — | — | 1d ago | OpenXDMoD is an open framework for collecting and analyzing HPC metrics. Starting in version 9.5.0 and prior to version 11.0.3, an attacker can remotely execute arbitrary system commands on the web s… | |||
| CVE-2026-11420 | unknown | — | — | 1d ago | Two path traversal vulnerabilities in the Network Installation Service (NIS) of Altium Enterprise Server allow an unauthenticated network attacker to write arbitrary files to any writable location on… | |||
| CVE-2026-11419 | unknown | — | — | 1d ago | A path traversal vulnerability exists in the Altium Enterprise Server Vault Service UploadController due to improper validation of a user-controlled path component in image upload requests. An authen… | |||
| CVE-2026-45776 | unknown | — | — | 1d ago | OpenXDMoD is an open framework for collecting and analyzing HPC metrics. Prior to version 11.0.3, a flaw in Open XDMoD's access control logic allows an attacker to submit a crafted HTTPS POST request… | |||
| CVE-2026-46401 | unknown | — | — | 1d ago | HAX CMS helps manage microsite universe with PHP or NodeJs backends. Versions prior to 26.0.0 suffer from an improper session termination vulnerability where authentication tokens remain valid after … | |||
| CVE-2026-46399 | unknown | — | — | 1d ago | HAX CMS helps manage microsite universe with PHP or NodeJs backends. The PHP version of HAX CMS prior to version 26.0.0 has an authenticated file overwrite vulnerability. An attacker can exploit this… | |||
| CVE-2026-46394 | unknown | — | — | 1d ago | HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, an OS command injection vulnerability exists in the Git.php library of the HAXcms PHP backend. The applic… | |||
| CVE-2026-46390 | unknown | — | — | 1d ago | HAX CMS helps manage microsite universe with PHP or NodeJs backends. Starting in version 2.0.0 and prior to version 26.0.0, the gitlist plugin is exposed to unauthenticated users, allowing unauthenti… | |||
| CVE-2026-46400 | unknown | — | — | 1d ago | HAX CMS helps manage microsite universe with PHP or NodeJs backends. Starting in version 11.0.6 and prior to version 25.0.0, the file upload functionality in HAXCMS PHP only validates file extensions… | |||
| CVE-2026-46398 | unknown | — | — | 1d ago | HAX CMS helps manage microsite universe with PHP or NodeJs backends. Starting in version 25.0.0 and prior to version 26.0.0, the haxcms_refresh_token cookie is set without the Secure flag. This allow… | |||
| CVE-2026-11414 | unknown | — | — | 1d ago | A hard-coded cryptographic key is used by Altium Enterprise Server to sign file download URLs in the Vault service. Because the key is identical across all installations, an unauthenticated network a… | |||
| CVE-2026-47731 | unknown | — | — | 1d ago | NASA AMMOS Instrument Toolkit: Path traversal resulting in arbitrary file append (can be triggered over the network by unauthenticated attacker) | |||
| CVE-2026-8714 | unknown | — | — | 1d ago | A denial-of-service vulnerability exists in the RTSP server component of TP-Link Tapo C520WS v2 due to improper handling of syntactically invalid input. Crafted inputs can trigger a processing error… | |||
| CVE-2026-49343 | unknown | — | — | 1d ago | Klever-Go KVM: Throttler slot leak in trie account-data sync causes epoch bootstrap / state sync DoS | |||
| CVE-2026-48017 | unknown | — | — | 1d ago | DbGate: Remote Code Execution via functionName injection in loadReader endpoint | |||
| CVE-2026-47684 | unknown | — | — | 1d ago | Sync-in Server: SSRF protection bypass via IPv4-mapped IPv6 addresses in regExpPrivateIP | |||
| CVE-2026-47680 | unknown | — | — | 1d ago | Source controller: Improper path handling allows traversal | |||
| CVE-2026-47670 | unknown | — | — | 1d ago | Authenticated Remote Code Execution via loadReader functionName code injection in DbGate | |||
| CVE-2026-47419 | unknown | — | — | 1d ago | praisonai-platform: Agent endpoints accept any agent_id without workspace ownership check, cross-workspace read/update/delete IDOR | |||
| CVE-2026-47669 | unknown | — | — | 1d ago | DbGate: Zip Slip in archive/unzip allows arbitrary file write leading to RCE | |||
| CVE-2026-47668 | unknown | — | — | 1d ago | DbGate: Unauthenticated Remote Code Execution via JSON Script Runner | |||
| CVE-2026-47388 | unknown | — | — | 1d ago | NocoDB: Missing Ownership Check in MCP Attachment Read | |||
| CVE-2026-47387 | unknown | — | — | 1d ago | NocoDB: Stored Cross-Site Scripting via Form View Redirect URL | |||
| CVE-2026-47386 | unknown | — | — | 1d ago | NocoDB: OAuth Authorization Code Race Condition | |||
| CVE-2026-47385 | unknown | — | — | 1d ago | NocoDB: Path Traversal via SQLite Source Filename | |||
| CVE-2026-47384 | unknown | — | — | 1d ago | NocoDB: SQL Injection via Column Title in Bulk GroupBy | |||
| CVE-2026-47383 | unknown | — | — | 1d ago | NocoDB: Stored Cross-Site Scripting via Row Comments | |||
| CVE-2026-47382 | unknown | — | — | 1d ago | NocoDB: Server-Side Request Forgery via Database Connection Host | |||
| CVE-2026-9270 | unknown | — | — | 1d ago | DataDog::DogStatsd versions through 0.07 for Perl allow metric injections. DataDog::DogStatsd does not properly sanitise input, allowing metric injections of data from untrusted sources. The send_s… | |||
| CVE-2026-11362 | unknown | — | — | 1d ago | DataDog::DogStatsd versions through 0.07 for Perl allow metric injections from event tags. DataDog::DogStatsd does not properly sanitise input, allowing metric injections of data from untrusted sour… | |||
| CVE-2026-47381 | unknown | — | — | 1d ago | NocoDB: Cross-Workspace Integration Use in Connection Test | |||
| CVE-2026-47380 | unknown | — | — | 1d ago | NocoDB: User Enumeration via Sign-In Timing | |||
| CVE-2026-47379 | unknown | — | — | 1d ago | NocoDB: Plaintext Password Comparison in Shared Views | |||
| CVE-2026-47378 | unknown | — | — | 1d ago | NocoDB: Hidden Column Exposure in Public Shared View Endpoints | |||
| CVE-2026-47377 | unknown | — | — | 1d ago | NocoDB: Open Redirect via Hash Fragment in hashRedirect Plugin | |||
| CVE-2026-47376 | unknown | — | — | 1d ago | NocoDB: Reflected Cross-Site Scripting via Password Reset Token | |||
| CVE-2026-47375 | unknown | — | — | 1d ago | NocoDB: Postgres SQL Injection in Formula `ARRAYSORT` | |||
| CVE-2026-47279 | unknown | — | — | 1d ago | NocoDB: Hidden LTAR Column Exposure in Public Shared-View Relation Endpoints | |||
| CVE-2026-47250 | unknown | — | — | 1d ago | MCP Server Kubernetes: kubectl-generic flag injection enables Kubernetes bearer token exfiltration | |||
| CVE-2026-47249 | unknown | — | — | 1d ago | Klever-Go KVM: Hash-array amplification in P2P resolver request handling | |||
| CVE-2026-45726 | unknown | — | — | 1d ago | Omni: Reader-level users can retrieve imported cluster CA keys via ResourceService | |||
| CVE-2026-45723 | unknown | — | — | 1d ago | Omni: Operator can traverse image-factory API paths via unsanitized `talos_version` in CreateSchematic | |||
| CVE-2026-45720 | unknown | — | — | 1d ago | Omni has a TOCTOU race condition that allows multiple concurrent uses of a single-use SAML session token | |||
| CVE-2026-38579 | unknown | — | — | 1d ago | Multiple reflected Cross-Site Scripting (XSS) vulnerabilities in damasac thaipalliative_lte through version 3.0 allow remote attackers to inject arbitrary web script or HTML via the idFormMain parame… | |||
| CVE-2026-10879 | unknown | — | — | 1d ago | DBI versions before 1.648 for Perl have a heap overflow when preparsing SQL statements with more than 9 binders. The preparse method expands SQL placeholder characters to numbered binders of the for… | |||
| CVE-2026-38500 | unknown | — | — | 1d ago | Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. | |||
| CVE-2026-11369 | unknown | — | — | 1d ago | The Comment API (GET /api/Comment and POST /api/Comment) in the affected application fails to perform authorization checks to verify that the requesting user has access to the object identified by th… | |||
| CVE-2026-25659 | unknown | — | — | 1d ago | Ericsson Packet Core Gateway (PCG) versions prior to 1.30 contain an Improper Handling of Missing Values (CWE-230) vulnerability where an attacker continuously sending a specially crafted message can… | |||
| CVE-2026-25658 | unknown | — | — | 1d ago | Ericsson Packet Core Gateway (PCG) versions prior to 1.30 contain an Improper Handling of Missing Values (CWE-230) vulnerability where an attacker continuously sending a specially crafted message can… | |||
| CVE-2026-25657 | unknown | — | — | 1d ago | Ericsson Packet Core Gateway (PCG) versions prior to 1.30 contain an Improper Handling of Syntactically Invalid Structure (CWE-228) vulnerability where an attacker continuously sending a specially cr… | |||
| CVE-2026-11346 | unknown | — | — | 1d ago | A Server-Side Request Forgery (SSRF) vulnerability in the custom process creation feature of linqi allows an authenticated attacker to probe internal network components. By crafting a specific proces… | |||
| CVE-2026-11345 | unknown | — | — | 1d ago | An Improper Authentication vulnerability in the /api/Cdn/GetFile endpoint of linqi allows unauthenticated, remote attackers to bypass file access controls. The ValidateAnonFileAccess function incorre… | |||
| CVE-2026-8914 | unknown | — | — | 1d ago | In Teltonika Networks RUTOS devices, running versions 7.22 through 7.23.2 and TSWOS devices running versions 1.09 through 1.09.1, due to unsafe calls to an eval function in rpc-profile, a vulnerabili… | |||
| CVE-2026-21038 | unknown | — | — | 1d ago | Improper input validation in Samsung Android USB Driver for Windows prior to version 1.9.5.0 allows local attacker to access out-of-bounds memory. | |||
| CVE-2026-21037 | unknown | — | — | 1d ago | Improper input validation in Samsung Members prior to version 5.8.01.5 allows local attackers to access arbitrary URL and launch arbitrary activity with Samsung Members privilege. | |||
| CVE-2026-21036 | unknown | — | — | 1d ago | Improper authorization in Samsung Internet prior to version 30.0.0.39 allows local attackers to access sensitive information. | |||
| CVE-2026-21035 | unknown | — | — | 1d ago | Improper input validation in Samsung Plus TV prior to version 1.0.28.6 allows remote attackers to access sensitive information. | |||
| CVE-2026-21034 | unknown | — | — | 1d ago | Improper export of android application components in Samsung Auto prior to version 3.1.2.61 in Android 15 and 3.2.0.38 in Android 16 allows local attacker to change audio configuration. | |||
| CVE-2026-21033 | unknown | — | — | 1d ago | Improper export of android application components in ExpressHomeWidgetReceiver of Samsung Assistant prior to version 9.3.14 allows local attacker to execute arbitrary script. | |||
| CVE-2026-21032 | unknown | — | — | 1d ago | Improper export of android application components in SmartHomeWidgetReceiver of Samsung Assistant prior to version 9.3.14 allows local attacker to execute arbitrary script. | |||
| CVE-2026-11347 | unknown | — | — | 1d ago | The linqi application contains hardcoded cryptographic keys. Additionally, the application uses a weak algorithm with a limited ASCII charset to dynamically generate Initialization Vectors (IVs) for … | |||
| CVE-2026-48907 | unknown | — | — | 2d ago | A vulnerability in the JCE editor extension for Joomla allows the creation of new editor profiles for unauthenticated users, ultimately resulting in PHP code upload and execution. | |||
| CVE-2026-21837 | unknown | — | — | 2d ago | HCL Digital Experience is affected by an OS command injection vulnerability in the Digital Asset Management API. An attacker may execute arbitrary operating system commands, typically inheriting the… | |||
| CVE-2026-11326 | unknown | — | — | 2d ago | OpenAI Atlas before 1.2025.288.15 exposed privileged browser APIs to web content on *.openai.com origins. A cross-site scripting vulnerability in forum.openai.com could be used to access these functi… | |||
| CVE-2026-36500 | unknown | — | — | 2d ago | An issue in the cluster-admin:backup-datastore component of Controller v12.0.5 allows attackers to execute a directory traversal via a crafted request. | |||
| CVE-2026-36501 | unknown | — | — | 2d ago | An issue in the Externalizable.readExternal() component of Controller v12.0.5 allows attackers to cause a Denial of Service (DoS) via a crafted input. | |||
| CVE-2026-11128 | unknown | — | — | 2d ago | Inappropriate implementation in Web Share in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a craf… | |||
| CVE-2026-11127 | unknown | — | — | 2d ago | Inappropriate implementation in WebAPKs in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to perform domain spoofing via a crafted WebAPK. (Chromium security severity: Medi… | |||
| CVE-2026-11126 | unknown | — | — | 2d ago | Inappropriate implementation in DevTools in Google Chrome prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to leak cross-origin data via a crafted Chro… | |||
| CVE-2026-11124 | unknown | — | — | 2d ago | Integer overflow in Skia in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium) | |||
| CVE-2026-11123 | unknown | — | — | 2d ago | Uninitialized Use in ANGLE in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium securit… | |||
| CVE-2026-11122 | unknown | — | — | 2d ago | Inappropriate implementation in Keyboard in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security sever… | |||
| CVE-2026-11121 | unknown | — | — | 2d ago | Insufficient validation of untrusted input in Skia in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted H… | |||
| CVE-2026-11029 | unknown | — | — | 2d ago | Insufficient validation of untrusted input in Drag and Drop in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perfor… | |||
| CVE-2026-11025 | unknown | — | — | 2d ago | Insufficient policy enforcement in Navigation in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chromium securit… | |||
| CVE-2026-11024 | unknown | — | — | 2d ago | Stack buffer overflow in Skia in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to potentially exploit stack corruption via a crafted HTML page. (Chromium security severity: Medium) | |||
| CVE-2026-11023 | unknown | — | — | 2d ago | Inappropriate implementation in WebAppInstalls in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HT… | |||
| CVE-2026-11022 | unknown | — | — | 2d ago | Insufficient validation of untrusted input in DevTools in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a cr… | |||
| CVE-2026-11021 | unknown | — | — | 2d ago | Insufficient validation of untrusted input in GPU in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbo… | |||
| CVE-2026-11020 | unknown | — | — | 2d ago | Inappropriate implementation in Extensions in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted XML file. (Chromium security severity: Medium) | |||
| CVE-2026-11019 | unknown | — | — | 2d ago | Inappropriate implementation in Payments in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to perform domain spoofing via a crafted… | |||
| CVE-2026-11018 | unknown | — | — | 2d ago | Insufficient policy enforcement in Actor in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medi… | |||
| CVE-2026-11017 | unknown | — | — | 2d ago | Inappropriate implementation in Link Preview in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass navigation restrictions via a crafted… | |||
| CVE-2026-11016 | unknown | — | — | 2d ago | Insufficient validation of untrusted input in Network in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a cra… | |||
| CVE-2026-11015 | unknown | — | — | 2d ago | Out of bounds read in WebGPU in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Medium) | |||
| CVE-2026-11014 | unknown | — | — | 2d ago | Insufficient policy enforcement in Extensions in Google Chrome prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to bypass site isolation via a crafted … | |||
| CVE-2026-11013 | unknown | — | — | 2d ago | Insufficient validation of untrusted input in Network in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive inform… | |||
| CVE-2026-11011 | unknown | — | — | 2d ago | Insufficient policy enforcement in Password Manager in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted H… | |||
| CVE-2026-11008 | unknown | — | — | 2d ago | Insufficient validation of untrusted input in WebAppInstalls in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a… | |||
| CVE-2026-11007 | unknown | — | — | 2d ago | Insufficient validation of untrusted input in WebView in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to leak cross-origin data v… | |||
| CVE-2026-11005 | unknown | — | — | 2d ago | Out of bounds read in ANGLE in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from proc… | |||
| CVE-2026-47708 | unknown | — | — | 2d ago | MCP-for-Stata: Command injection via log_file_name parameter in Stata command wrapper |