CVEs from 2026
Total
14,786
critical
critical 1,335
high
high 5,004
medium
medium 4,828
low
low 503
% Critical
9.0%
% with KEV
0.4%
% with exploit
0.7%
Top vendors
Top products
- chrome 723
- firepower_threat_defense_software 310
- gcp 299
- firepower_threat_defense 298
- openclaw 172
- commerce 104
- netweaver_application_server_abap 102
- commerce_b2b 89
Top packages
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-47260 | unknown | — | — | 8d ago | Koel Vulnerable to SSRF via Podcast Episode Enclosure URLs | |||
| CVE-2026-46705 | unknown | — | — | 8d ago | russh server userauth state is not reset when authentication principal changes | |||
| CVE-2026-46702 | unknown | — | — | 8d ago | russh: Post-decompression SSH packet size was not bounded, allowing remote oversized compressed packets | |||
| CVE-2026-47255 | unknown | — | — | 8d ago | AgenticMail API/storage and outbound relay hardening fixes | |||
| CVE-2026-47248 | unknown | — | — | 8d ago | Parse Server's GraphQL "Did you mean ...?" validation suggestions disclose schema to unauthenticated callers | |||
| CVE-2026-38739 | unknown | — | — | 8d ago | ezsystems/ezpublish-legacy has a SQL injection in dfscleanup | |||
| CVE-2026-46690 | unknown | — | — | 8d ago | unbounded-spsc: Sender::send pointer-as-value transmute causes OOB read and fake-Arc drop under TX/RX race | |||
| CVE-2026-47266 | unknown | — | — | 8d ago | formie's unauthenticated front-end submission editing can overwrite existing submissions | |||
| CVE-2026-4387 | unknown | — | — | 8d ago | StrongDM Desktop Application before 23.74.0 (Desktop Client before 53.77.0) on Microsoft Windows stores authentication state, including a JSON Web Token and asymmetric key material, in cleartext in a… | |||
| CVE-2026-47190 | unknown | — | — | 8d ago | IPAM controller service account granted unnecessary full access to Secrets | |||
| CVE-2026-47141 | unknown | — | — | 8d ago | NodeVM observability builtins leak host process and HTTP request data | |||
| CVE-2026-45668 | unknown | — | — | 8d ago | Trilium Notes is a cross-platform, hierarchical note taking application focused on building large personal knowledge bases. Prior to 0.102.2, a malicious ZIP archive imported with safe import enabled… | |||
| CVE-2026-43917 | unknown | — | — | 8d ago | Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.19.0 and earlier, the protectedProcedure middleware only verifies the user is authenticated - it does NOT enforce organization scop… | |||
| CVE-2026-47139 | unknown | — | — | 8d ago | NodeVM network builtin exclusions bypass via internal _http_client and _http_server | |||
| CVE-2026-47140 | unknown | — | — | 8d ago | NodeVM builtin denylist bypass via process and inspector/promises allows host code execution | |||
| CVE-2026-47210 | unknown | — | — | 8d ago | vm2 sandbox escape via JSPI-backed Promise `.finally()` species bypass | |||
| CVE-2026-47137 | unknown | — | — | 8d ago | vm2 has a CVE-2023-37903 patch bypass: nesting:true without explicit require still allows full RCE | |||
| CVE-2026-47209 | unknown | — | — | 8d ago | vm2's Bridge Proxy set trap ignores receiver parameter, enabling host object property injection via prototype chain | |||
| CVE-2026-47135 | unknown | — | — | 8d ago | vm2 has a sandbox escape via unblocked cross-realm Symbol.for keys + missing bridge write-trap symbol checks | |||
| CVE-2026-47208 | unknown | — | — | 8d ago | vm2 is Vulnerable to Sandbox Breakout Through Promise Species | |||
| CVE-2026-47131 | unknown | — | — | 8d ago | vm2 has a Sandbox Escape issue | |||
| CVE-2026-47200 | unknown | — | — | 8d ago | Nuxt's route middleware is not enforced when rendering `.server.vue` pages via `/__nuxt_island/page_*` | |||
| CVE-2026-45742 | unknown | — | — | 8d ago | Gotenberg has a Race Condition via Multipart `downloadFrom` Handling | |||
| CVE-2026-45741 | unknown | — | — | 8d ago | Gotenberg has an SSRF deny-list bypass in IsPublicIP via IPv6 6to4 / NAT64 / site-local prefixes | |||
| CVE-2026-44829 | unknown | — | — | 8d ago | Gotenberg has path traversal in zip entry name via Windows-style separators in upload filename | |||
| CVE-2026-9194 | unknown | — | — | 8d ago | Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate was issued in error. Notes: All references and descriptions in this candidate have been removed to prevent accid… | |||
| CVE-2026-33386 | unknown | — | — | 8d ago | QuickCMS is vulnerable to Cross-Site Scripting (XSS) through its insecure HTTP-based plugin‑fetching mechanism. A malicious attacker can perform a Man‑in‑the‑Middle (MITM) attack by impersonating the… | |||
| CVE-2026-33384 | unknown | — | — | 8d ago | QuickCMS allows a user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behaviour enables an attacker to fix a session ID f… | |||
| CVE-2026-44495 | unknown | — | — | 8d ago | axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge | |||
| CVE-2026-44494 | unknown | — | — | 8d ago | axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy` | |||
| CVE-2026-44492 | unknown | — | — | 8d ago | axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718) | |||
| CVE-2026-44490 | unknown | — | — | 8d ago | axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions | |||
| CVE-2026-44489 | unknown | — | — | 8d ago | Axios has a Patch Bypass: Proxy-Authorization Header Injection via Prototype Pollution — Incomplete Null-Prototype Fix | |||
| CVE-2026-41237 | unknown | — | — | 8d ago | Froxlor is open source server administration software. In version 2.3.6 and earlier, the LOC record regex uses `\s+` which matches newlines (allowing embedded newlines to pass), TLSA `matchingType=0`… | |||
| CVE-2026-41235 | unknown | — | — | 8d ago | Froxlor is open source server administration software. Version 2.3.6 lets administrators configure `system.available_shells` as the approved shell list that customers may assign to FTP users. However… | |||
| CVE-2026-9509 | unknown | — | — | 8d ago | An unhandled exception in Suprema BioStar 2 (Server), versions 2.9.8, 2.9.10, and 2.9.11, that allows an unauthenticated remote attacker to cause a denial of service (DoS) by sending HTTP POST reques… | |||
| CVE-2026-9508 | unknown | — | — | 8d ago | Incorrect permission settings on a critical resource in Suprema BioStar 2 (versions 2.9.3 through 2.9.11) that allow backup files to be publicly exposed when the administrator configures their path w… | |||
| CVE-2026-8326 | unknown | — | — | 8d ago | Path traversal vulnerability in Remote Spark (https://www.Remotespark.Com/) SparkView allows reading and writing arbitrary files in all directories as root. This leads to RCE. The affected component … | |||
| CVE-2026-45611 | unknown | — | — | 8d ago | Rejected reason: Further research determined the issue is not a vulnerability. | |||
| CVE-2026-45551 | unknown | — | — | 8d ago | Group-Office is an enterprise customer relationship management and groupware tool. Prior to 26.0.25, 25.0.100, and 6.8.165, GroupOffice allows authenticated users to persist arbitrary legacy settings… | |||
| CVE-2026-45043 | unknown | — | — | 8d ago | RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, improper validation in the PUT /rustfs/admin/v3/import-iam endpoint allows a user with ImportIAMAction to create se… | |||
| CVE-2026-49201 | unknown | — | — | 8d ago | The upload.cgi binary, responsible for processing device backups, contains a hardcoded AES encryption key. This allows an attacker to decrypt, modify, and re-encrypt system backups, facilitating pers… | |||
| CVE-2026-49200 | unknown | — | — | 9d ago | The acer_cgi.log file in the device firmware is accessible without authentication via the web interface. This file contains cleartext login credentials (for web and Telnet), leading to unauthorized s… | |||
| CVE-2026-49198 | unknown | — | — | 9d ago | Improper access control in the MQTT broker allows wildcard topic subscriptions, exposing all MQTT traffic to unauthorized actors. | |||
| CVE-2026-49197 | unknown | — | — | 9d ago | Web endpoints intended for the Acer Connect app improperly validate the HTTP Authorization header, failing to block requests when Base64 decoding fails. | |||
| CVE-2026-49196 | unknown | — | — | 9d ago | The Wi-Fi device blocking feature fails to sanitize MAC address input, allowing injection and execution of arbitrary shell commands. | |||
| CVE-2026-49195 | unknown | — | — | 9d ago | Unauthenticated Debug Service. The /sbin/mtk_dut binary is exposed on TCP port 9000 without authentication, allowing any LAN-based attacker to execute arbitrary UCC commands. | |||
| CVE-2026-49216 | unknown | — | — | 9d ago | symfony/ux-autocomplete XSS via unescaped AJAX response data | |||
| CVE-2026-49215 | unknown | — | — | 9d ago | symfony/ux-live-component CSRF Protection Bypass: Accept Header is CORS-Safelisted | |||
| CVE-2026-49211 | unknown | — | — | 9d ago | symfony/ux-autocomplete Information exposure via unescaped LIKE wildcards in EntitySearchUtil | |||
| CVE-2026-49212 | unknown | — | — | 9d ago | symfony/ux-live-component LiveComponentHydrator HMAC checksum lacks component and slot binding | |||
| CVE-2026-49210 | unknown | — | — | 9d ago | symfony/ux-live-component XSS via attacker-controlled child component tag | |||
| CVE-2026-49209 | unknown | — | — | 9d ago | symfony/ux-live-component Denial of service via unbounded batch action requests | |||
| CVE-2026-49208 | unknown | — | — | 9d ago | symfony/ux-live-component Format-less date LiveProps parsed with the permissive DateTime constructor | |||
| CVE-2026-8070 | unknown | — | — | 9d ago | Incorrect permission assignment for a critical resource in Armoury Crate allows a local user to bypass the driver’s validation mechanism, resulting in unauthorized read and write access to physical m… | |||
| CVE-2026-7480 | unknown | — | — | 9d ago | An Incorrect Permission Assignment for Critical Resource vulnerability in ASUS System Control Interface allows a local user to elevate privileges to SYSTEM and execute arbitrary code via a crafted RP… | |||
| CVE-2026-42563 | unknown | — | — | 9d ago | Dulwich Vulnerable to Command Injection via Merge Driver Path | |||
| CVE-2026-42305 | unknown | — | — | 9d ago | Dulwich has an arbitrary file write via NTFS-hostile tree entries on Windows | |||
| CVE-2026-49299 | unknown | — | — | 9d ago | In OpenStack Neutron before 28.0.1, the tagging controller enforces plural policy action names on single-tag write operations while the defined policy rules use singular names. The mismatched names e… | |||
| CVE-2026-45342 | unknown | — | — | 9d ago | LinkAce is a self-hosted archive to collect website links. Prior to 2.5.6, LinkAce contains an Insecure Direct Object Reference vulnerability in the authorization policy layer that allows any authent… | |||
| CVE-2026-45343 | unknown | — | — | 9d ago | LinkAce is a self-hosted archive to collect website links. Prior to 2.5.6, LinkAce contains a stored cross-site scripting vulnerability that allows a low-privilege user to execute arbitrary JavaScrip… | |||
| CVE-2026-47718 | unknown | — | — | 9d ago | FUXA provides guest and invalid-token access to protected read APIs in secure mode | |||
| CVE-2026-9039 | unknown | — | — | 9d ago | A configuration weakness in the device’s remote management service allows an authenticated session to be established over a communication channel intended solely for vehicle-charger signaling. The se… | |||
| CVE-2026-9038 | unknown | — | — | 9d ago | A stack-based buffer overflow vulnerability in the charging controller’s signal-processing logic allows an attacker with physical access to the charging interface to supply message fields that exceed… | |||
| CVE-2026-9037 | unknown | — | — | 9d ago | A firmware update mechanism in the affected charging controller fails to validate the authenticity of firmware packages delivered through the device's management interface. Because cryptographic sign… | |||
| CVE-2026-33590 | unknown | — | — | 9d ago | Insecure default settings of Portainer CE grant regular (non-admin) users privileges that allow host filesystem access and host-level code execution. An authenticated non-administrative user with end… | |||
| CVE-2026-47144 | unknown | — | — | 9d ago | Shamefile has an arbitrary file read via shamefile.yaml in shame next | |||
| CVE-2026-47128 | unknown | — | — | 9d ago | nono: Sandbox escape on Linux via D-Bus: `systemd-run --user` | |||
| CVE-2026-47136 | unknown | — | — | 9d ago | RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, the RustFS console endpoint GET /rustfs/console/license returns parsed license metadata without requiring authentic… | |||
| CVE-2026-46685 | unknown | — | — | 9d ago | RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, when RUSTFS_CORS_ALLOWED_ORIGINS is unset, the RustFS S3 listener's ConditionalCorsLayer reflects any request Origi… | |||
| CVE-2026-45044 | unknown | — | — | 9d ago | RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, the admin router explicitly whitelists /profile/cpu and /profile/memory from the authentication layer, allowing any… | |||
| CVE-2026-45042 | unknown | — | — | 9d ago | RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, improper authorization in the UploadPartCopy operation allows copying objects across buckets without enforcing dest… | |||
| CVE-2026-45041 | unknown | — | — | 9d ago | RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, crates/appauth/src/token.rs ships a 2048-bit RSA private key as a string constant named TEST_PRIVATE_KEY and uses i… | |||
| CVE-2026-45040 | unknown | — | — | 9d ago | RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, RustFS suffers from sensitive information leakage in log outputs. When the server is run with RUST_LOG=debug sensit… | |||
| CVE-2026-46439 | unknown | — | — | 9d ago | compliance-trestle Vulnerable to Remote Code Execution via Recursive Server-Side Template Injection (SSTI) | |||
| CVE-2026-46405 | unknown | — | — | 9d ago | OpenBao's Kerberos Auth Method Accumulates Unaccessible Tokens | |||
| CVE-2026-46380 | unknown | — | — | 9d ago | compliance-trestle Vulnerable to SSRF in Remote Fetching Subsystem | |||
| CVE-2026-45297 | unknown | — | — | 9d ago | OpenReplay is a self-hosted session replay suite. Prior to 1.26.0, there is a cross-tenant IDOR on feature-flag and assist-stats routes via {project_id} case mismatch. ProjectAuthorizer.__call__ (OSS… | |||
| CVE-2026-46358 | unknown | — | — | 9d ago | OpenBao's Inline Auth Incorrectly Redacted Headers | |||
| CVE-2026-46345 | unknown | — | — | 9d ago | compliance-trestle - jinja has an Arbitrary File Write via Path Traversal | |||
| CVE-2026-45808 | unknown | — | — | 9d ago | OpenBao's cross-namespace lease revocation via legacy sys/revoke path bypasses ACL | |||
| CVE-2026-45774 | unknown | — | — | 9d ago | compliance-trestle Profile Import has an Arbitrary File Read via trestle:// URI and Relative Path Traversal | |||
| CVE-2026-45287 | unknown | — | — | 9d ago | OpenTelemetry-Go is the Go implementation of OpenTelemetry. Prior to version 0.0.17, `go.opentelemetry.io/otel/schema/v1.0` and `go.opentelemetry.io/otel/schema/v1.1` leaks one file descriptor on eac… | |||
| CVE-2026-6720 | unknown | — | — | 9d ago | When calicoctl is invoked with --log-level=info or --log-level=debug, the client prints the full contents of its loaded connection-configuration struct to stderr in a single log line. The struct embe… | |||
| CVE-2026-45261 | unknown | — | — | 9d ago | GitButler is a modern Git-based version control interface for AI-powered workflows. Prior to 0.19.7, a emote code execution vulnerability exists in the Tauri-based GitButler desktop application. An a… | |||
| CVE-2026-9828 | unknown | — | — | 9d ago | Deserialization of untrusted data vulnerability in QOS.CH Sarl logback logback-core (HardenedObjectInputStream (logback-core) modules) allows Object Injection albeit heavily restricted. More precise… | |||
| CVE-2026-8990 | unknown | — | — | 9d ago | A user with physical access to a smartphone can bypass authentication mechanism of Kidsview mobile application and grant himself full access to the device owner's account by interacting with applicat… | |||
| CVE-2026-8980 | unknown | — | — | 9d ago | The Mennekes Amtron series (firmware versions ≤ 5.22.3) is vulnerable to privilege escalation. An authenticated low-privileged user can change the passwords of the admin (operator) and manufacturer a… | |||
| CVE-2026-8979 | unknown | — | — | 9d ago | The Mennekes Amtron series (firmware versions ≤ 5.22.3) is vulnerable to an authentication bypass. An unauthenticated remote attacker can change the password of the user account via a crafted POST re… | |||
| CVE-2026-42250 | unknown | — | — | 9d ago | bzip2 contains an off‑by‑one error in the bzip2recover utility. When processing a specially crafted file, the application performs an out‑of‑bounds write to a global buffer, resulting in memory corru… | |||
| CVE-2026-4377 | unknown | — | — | 9d ago | Dlink DWR-X1820 router uses weak default password generated from its IMEI number and does not require users to change it. An attacker who knows how passwords are generated can easily crack the defaul… | |||
| CVE-2026-47074 | unknown | — | — | 9d ago | Improper Certificate Validation vulnerability in ex-aws ex_aws_sns (ExAws.SNS, ExAws.SNS.PublicKeyCache modules) allows Signature Spoofing by Improper Validation. This vulnerability is associated wi… | |||
| CVE-2026-46241 | unknown | — | — | 9d ago | In the Linux kernel, the following vulnerability has been resolved: spi: mpc52xx: fix use-after-free on registration failure Make sure to disable and free the interrupts in case controller registra… | |||
| CVE-2026-46239 | unknown | — | — | 9d ago | In the Linux kernel, the following vulnerability has been resolved: media: i2c: ov5647: Fix runtime PM refcount leak in s_ctrl Three control cases (AUTOGAIN, EXPOSURE_AUTO, ANALOGUE_GAIN) directly … | |||
| CVE-2026-46236 | unknown | — | — | 9d ago | In the Linux kernel, the following vulnerability has been resolved: media: rc: xbox_remote: heed DMA restrictions The buffer for IO must not be part of the device structure because that violates th… | |||
| CVE-2026-46235 | unknown | — | — | 9d ago | In the Linux kernel, the following vulnerability has been resolved: media: saa7164: add ioremap return checks and cleanups Add checks for ioremap return values in saa7164_dev_setup(). If ioremap fo… | |||
| CVE-2026-46234 | unknown | — | — | 9d ago | In the Linux kernel, the following vulnerability has been resolved: vsock: fix buffer size clamping order In vsock_update_buffer_size(), the buffer size was being clamped to the maximum first, and … | |||
| CVE-2026-46233 | unknown | — | — | 9d ago | In the Linux kernel, the following vulnerability has been resolved: batman-adv: bla: only purge non-released claims When batadv_bla_purge_claims() goes through the list of claims, it is only traver… | |||
| CVE-2026-46231 | unknown | — | — | 9d ago | In the Linux kernel, the following vulnerability has been resolved: batman-adv: bla: put backbone reference on failed claim hash insert When batadv_bla_add_claim() fails to insert a new claim into … | |||
| CVE-2026-46229 | unknown | — | — | 9d ago | In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Clear VRAM on allocation to prevent stale data exposure KFD VRAM allocations set AMDGPU_GEM_CREATE_VRAM_WIPE_ON_RELEA… |