CVEs from 2026
- Total: 14,769
- Critical: 1,335
- High: 5,011
- Medium: 4,834
- Low: 504
- % Critical: 9.0%
- % with KEV: 0.4%
- % with exploit: 0.7%
Top products
- chrome 723
- firepower_threat_defense_software 310
- gcp 299
- firepower_threat_defense 298
- openclaw 172
- commerce 104
- netweaver_application_server_abap 102
- commerce_b2b 89
| CVE | Severity | CVSS | Risk | Published | Description | Flags | OS | Vendor |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-7016 | low | 2.4 | 2.4 | 1mo ago | A vulnerability was found in MaxSite CMS up to 109.3. Impacted is an unknown function of the component ushki Plugin. Performing a manipulation of the argument f_ushka_new/f_ushk results in cross site… | |||
| CVE-2026-7015 | low | 2.4 | 2.4 | 1mo ago | A vulnerability has been found in MaxSite CMS up to 109.3. This issue affects some unknown processing of the component Guestbook Plugin. Such manipulation of the argument f_text/f_slug/f_limit/f_emai… | |||
| CVE-2026-7014 | low | 2.4 | 2.4 | 1mo ago | A flaw has been found in MaxSite CMS up to 109.3. This vulnerability affects unknown code of the component down_count Plugin. This manipulation of the argument f_file/f_prefix causes cross site scrip… | |||
| CVE-2026-7013 | low | 2.4 | 2.4 | 1mo ago | A security vulnerability has been detected in MaxSite CMS up to 109.3. Affected by this issue is some unknown functionality of the component mail_send Plugin. The manipulation of the argument f_subje… | |||
| CVE-2026-7012 | low | 2.4 | 2.4 | 1mo ago | A vulnerability was detected in MaxSite CMS up to 109.3. This affects an unknown part of the component Redirect Plugin. The manipulation of the argument f_all/f_all404 results in cross site scripting… | |||
| CVE-2026-7011 | low | 2.4 | 2.4 | 1mo ago | A weakness has been identified in MaxSite CMS up to 109.3. Affected by this vulnerability is an unknown functionality of the file /admin/plugin_antispam of the component Antispam Plugin. Executing a … | |||
| CVE-2026-7001 | low | 2.4 | 2.4 | 1mo ago | A vulnerability was found in Datacom DM4100 1.3.6.1.4.1.3709. This affects an unknown part of the component Ethernet Configuration Page. Performing a manipulation of the argument Name results in cros… | |||
| CVE-2026-7000 | low | 2.4 | 2.4 | 1mo ago | A vulnerability has been found in Datacom DM4100 1.3.6.1.4.1.3709. Affected by this issue is some unknown functionality of the component VLAN Page. Such manipulation of the argument VLAN Name leads t… | |||
| CVE-2026-6999 | low | 2.4 | 2.4 | 1mo ago | A flaw has been found in BIVOCOM TR321 21.1.1.50. Affected by this vulnerability is an unknown functionality of the component Wireless Setting. This manipulation of the argument Network Name SSID cau… | |||
| CVE-2026-6998 | low | 2.4 | 2.4 | 1mo ago | A vulnerability was detected in BDCOM P3310D 0.4.2 10.1.0F Build 86345. Affected is an unknown function of the component New RMON Statistics Page. The manipulation of the argument Owner results in cr… | |||
| CVE-2026-6997 | low | 2.4 | 2.4 | 1mo ago | A security vulnerability has been detected in BDCOM P3310D 0.4.2 10.1.0F Build 86345. This impacts an unknown function of the component New RMON History Page. The manipulation of the argument Owner l… | |||
| CVE-2026-6996 | low | 2.4 | 2.4 | 1mo ago | A weakness has been identified in BDCOM P3310D 0.4.2 10.1.0F Build 86345. This affects an unknown function of the component rmon event Tab. Executing a manipulation of the argument Description can le… | |||
| CVE-2026-6995 | low | 2.4 | 2.4 | 1mo ago | A security flaw has been discovered in BDCOM P3310D 0.4.2 10.1.0F Build 86345. The impacted element is an unknown function of the file /index.asp of the component New User Page. Performing a manipula… | |||
| CVE-2026-6651 | low | 2.4 | 2.4 | 2mo ago | A security flaw has been discovered in erponline.xyz ERP Online up to 4.0.0. This vulnerability affects unknown code of the component Inventory Edit Item Page. The manipulation of the argument Item N… | |||
| CVE-2026-6624 | low | 2.4 | 2.4 | 2mo ago | A weakness has been identified in BichitroGan ISP Billing Software 2025.3.20. Affected is an unknown function of the file /?\_route=pool/add of the component Pool List Interface. Executing a manipula… | |||
| CVE-2026-6622 | low | 2.4 | 2.4 | 2mo ago | A vulnerability was identified in BichitroGan ISP Billing Software 2025.3.20. This affects an unknown function of the file /?\_route=customers/edit/ of the component Customer Handler. Such manipulati… | |||
| CVE-2026-6184 | low | 2.4 | 2.4 | 2mo ago | A weakness has been identified in code-projects Simple Content Management System 1.0. This affects an unknown part of the file /web/admin/welcome.php. Executing a manipulation of the argument News Ti… | |||
| CVE-2026-6003 | low | 2.4 | 2.4 | 2mo ago | A security vulnerability has been detected in code-projects Simple IT Discussion Forum 1.0. This issue affects some unknown processing of the file /admin/user.php. Such manipulation of the argument f… | |||
| CVE-2026-5836 | low | 2.4 | 2.4 | 2mo ago | A vulnerability has been found in code-projects Online Shoe Store 1.0. Affected by this issue is some unknown functionality of the file /admin/admin_product.php. The manipulation of the argument prod… | |||
| CVE-2026-5835 | low | 2.4 | 2.4 | 2mo ago | A flaw has been found in code-projects Online Shoe Store 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/admin_football.php. Executing a manipulation of the argumen… | |||
| CVE-2026-5834 | low | 2.4 | 2.4 | 2mo ago | A vulnerability was detected in code-projects Online Shoe Store 1.0. Affected is an unknown function of the file /admin/admin_running.php. Performing a manipulation of the argument product_name resul… | |||
| CVE-2026-5668 | low | 2.4 | 2.4 | 2mo ago | A flaw has been found in Cyber-III Student-Management-System up to 1a938fa61e9f735078e9b291d2e6215b4942af3f. This affects an unknown part of the file /admin/Add%20notice/add%20notice.php. This manipu… | |||
| CVE-2026-5647 | low | 2.4 | 2.4 | 2mo ago | A vulnerability was detected in code-projects Online Shoe Store 1.0. This affects an unknown part of the file /admin/admin_feature.php of the component Add Product Page. The manipulation of the argum… | |||
| CVE-2026-5644 | low | 2.4 | 2.4 | 2mo ago | A security flaw has been discovered in Cyber-III Student-Management-System up to 1a938fa61e9f735078e9b291d2e6215b4942af3f. Affected is an unknown function of the file /admin/Add%20notice/batch-notice… | |||
| CVE-2026-5643 | low | 2.4 | 2.4 | 2mo ago | A vulnerability was identified in Cyber-III Student-Management-System up to 1a938fa61e9f735078e9b291d2e6215b4942af3f. This impacts an unknown function of the file /admin/Add%20notice/notice.php of th… | |||
| CVE-2026-5209 | low | 2.4 | 2.4 | 2mo ago | A security vulnerability has been detected in SourceCodester Leave Application System 1.0. Affected by this issue is some unknown functionality of the component User Management Handler. Such manipula… | |||
| CVE-2026-4972 | low | 2.4 | 2.4 | 2mo ago | A security vulnerability has been detected in code-projects Online Reviewer System up to 1.0. Affected is an unknown function of the file /system/system/students/assessments/databank/btn_functions.ph… | |||
| CVE-2026-4909 | low | 2.4 | 2.4 | 2mo ago | A weakness has been identified in code-projects Exam Form Submission 1.0. This impacts an unknown function of the file /admin/update_s7.php. This manipulation of the argument sname causes cross site … | |||
| CVE-2026-4899 | low | 2.4 | 2.4 | 2mo ago | A security flaw has been discovered in code-projects Online Food Ordering System 1.0. Affected by this issue is some unknown functionality of the file /dbfood/food.php. The manipulation of the argume… | |||
| CVE-2026-4616 | low | 2.4 | 2.4 | 3mo ago | A security flaw has been discovered in bolo-blog up to 2.6.4. The affected element is an unknown function of the file /console/article/ of the component Article Title Handler. Performing a manipulati… | |||
| CVE-2026-4595 | low | 2.4 | 2.4 | 3mo ago | A vulnerability was determined in code-projects Exam Form Submission 1.0. This vulnerability affects unknown code of the file /admin/update_s6.php. Executing a manipulation of the argument sname can … | |||
| CVE-2026-4578 | low | 2.4 | 2.4 | 3mo ago | A vulnerability was determined in code-projects Exam Form Submission 1.0. The impacted element is an unknown function of the file /admin/update_s3.php. Executing a manipulation of the argument sname … | |||
| CVE-2026-4577 | low | 2.4 | 2.4 | 3mo ago | A vulnerability was found in code-projects Exam Form Submission 1.0. The affected element is an unknown function of the file /admin/update_s4.php. Performing a manipulation of the argument sname resu… | |||
| CVE-2026-4576 | low | 2.4 | 2.4 | 3mo ago | A vulnerability has been found in code-projects Exam Form Submission 1.0. Impacted is an unknown function of the file /admin/update_s5.php. Such manipulation of the argument sname leads to cross site… | |||
| CVE-2026-4575 | low | 2.4 | 2.4 | 3mo ago | A flaw has been found in code-projects Exam Form Submission 1.0. This issue affects some unknown processing of the file /admin/update_s2.php. This manipulation of the argument sname causes cross site… | |||
| CVE-2026-4356 | low | 2.4 | 2.4 | 3mo ago | A flaw has been found in itsourcecode University Management System 1.0. Affected is an unknown function of the file /add_result.php. Executing a manipulation of the argument vr can lead to cross site… | |||
| CVE-2026-4225 | low | 2.4 | 2.4 | 3mo ago | A security flaw has been discovered in CMS Made Simple up to 2.2.21. Impacted is an unknown function of the file admin/listusers.php of the component User Management Module. Performing a manipulation… | |||
| CVE-2026-4168 | low | 2.4 | 2.4 | 3mo ago | A vulnerability was identified in Tecnick TCExam 16.5.0. This impacts an unknown function of the file /admin/code/tce_edit_group.php of the component Group Handler. Such manipulation of the argument … | |||
| CVE-2026-4165 | low | 2.4 | 2.4 | 3mo ago | A vulnerability has been found in Worksuite HR, CRM and Project Management up to 5.5.25. The affected element is an unknown function of the file /account/orders/create. The manipulation of the argume… | |||
| CVE-2026-3041 | low | 2.4 | 2.4 | 3mo ago | A security vulnerability has been detected in xingfuggz BaykeShop up to 1.3.20. Impacted is an unknown function of the file src/baykeshop/contrib/article/templates/baykeshop/sidebar/custom.html of th… | |||
| CVE-2026-2965 | low | 2.4 | 2.4 | 4mo ago | A security flaw has been discovered in 07FLYCMS, 07FLY-CMS and 07FlyCRM up to 1.2.9. The affected element is an unknown function of the file /admin/SysModule/edit.html of the component System Extensi… | |||
| CVE-2026-1705 | low | 2.4 | 2.4 | 4mo ago | A vulnerability was detected in D-Link DSL-6641K N8.TR069.20131126. Affected by this issue is the function ad_virtual_server_vdsl of the component Web Interface. Performing a manipulation of the argu… | |||
| CVE-2026-1520 | low | 2.4 | 2.4 | 4mo ago | A vulnerability was identified in rethinkdb up to 2.4.3. Affected by this issue is some unknown functionality of the component Secondary Index Handler. Such manipulation leads to cross site scripting… | |||
| CVE-2026-1444 | low | 2.4 | 2.4 | 4mo ago | A vulnerability has been found in iJason-Liu Books_Manager up to 298ba736387ca37810466349af13a0fdf828e99c. This affects an unknown part of the file controllers/books_center/add_book_check.php. Such m… | |||
| CVE-2026-50266 | low | 2.2 | 2.2 | 3d ago | In OpenStack Neutron before 28.0.1, a project manager can create or update a port on a shared network owned by another project and set device_owner to a value that has "network:" at the beginning ("n… | |||
| CVE-2026-45182 | low | 2.2 | 2.2 | 29d ago | GrapheneOS before 2026050400 allows attackers to discover the real IP address of a VPN user as a consequence of a registerQuicConnectionClosePayload optimization, because an application can let syste… | |||
| CVE-2026-21725 | low | 2.0 | 2.0 | 3mo ago | A time-of-create-to-time-of-use (TOCTOU) vulnerability lets recently deleted-then-recreated data sources be re-deleted without permission to do so. This requires several very stringent conditions to… | |||
| CVE-2026-20133 | unknown | — | 1.5 | 2mo ago | Cisco Catalyst SD-WAN Manager contains an exposure of sensitive information to an unauthorized actor vulnerability that could allow remote attackers to view sensitive information on affected systems. | |||
| CVE-2026-20122 | unknown | — | 1.5 | 2mo ago | Cisco Catalyst SD-WAN Manager contains an incorrect use of privileged APIs vulnerability due to improper file handling on the API interface of an affected system. An attacker could exploit this vulne… | |||
| CVE-2026-20128 | unknown | — | 1.5 | 2mo ago | Cisco Catalyst SD-WAN Manager contains a storing passwords in a recoverable format vulnerability that allows an authenticated, local attacker to gain DCA user privileges by accessing a credential fil… | |||
| CVE-2026-34621 | unknown | — | 1.5 | 2mo ago | Adobe Acrobat and Reader contain a prototype pollution vulnerability that allows for arbitrary code execution. | |||
| CVE-2026-21643 | unknown | — | 1.5 | 2mo ago | Fortinet FortiClient EMS contains a SQL injection vulnerability that may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests. | |||
| CVE-2026-39987 | unknown | — | 1.5 | 2mo ago | Marimo contains a pre-authorization remote code execution vulnerability, allowing an unauthenticated attacker to gain shell access and execute arbitrary system commands. | |||
| CVE-2026-35616 | unknown | — | 1.5 | 2mo ago | Fortinet FortiClient EMS contains an improper access control vulnerability that may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests. | |||
| CVE-2026-3502 | unknown | — | 1.5 | 2mo ago | TrueConf Client contains a download of code without integrity check vulnerability. An attacker who is able to influence the update delivery path can substitute a tampered update payload. If the paylo… | |||
| CVE-2026-5281 | unknown | — | 1.5 | 2mo ago | Use after free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had compromised the renderer process to execute arbitrary code via a crafted HTML page. (Chromium securit… | |||
| CVE-2026-33634 | unknown | — | 1.5 | 3mo ago | Aquasecurity Trivy contains an embedded malicious code vulnerability that could allow an attacker to gain access to everything in the CI/CD environment, including all tokens, SSH keys, cloud credenti… | |||
| CVE-2026-20131 | unknown | — | 1.5 | 3mo ago | Cisco Secure Firewall Management Center (FMC) Software and Cisco Security Cloud Control (SCC) Firewall Management contain a deserialization of untrusted data vulnerability in the web-based management… | |||
| CVE-2026-20963 | unknown | — | 1.5 | 3mo ago | Microsoft SharePoint contains a deserialization of untrusted data vulnerability that allows an unauthorized attacker to execute code over a network. | |||
| CVE-2026-3910 | unknown | — | 1.5 | 3mo ago | Inappropriate implementation in V8 in Google Chrome prior to 146.0.7680.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: H… | |||
| CVE-2026-3909 | unknown | — | 1.5 | 3mo ago | Out of bounds write in Skia in Google Chrome prior to 146.0.7680.75 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High) | |||
| CVE-2026-1603 | unknown | — | 1.5 | 3mo ago | Ivanti Endpoint Manager (EPM) contains an authentication bypass using an alternate path or channel vulnerability that could allow a remote unauthenticated attacker to leak specific stored credential … | |||
| CVE-2026-22719 | unknown | — | 1.5 | 3mo ago | Broadcom VMware Aria Operations formerly known as vRealize Operations (vROps) contains a command injection vulnerability that allows an unauthenticated attacker to execute arbitrary commands, potenti… | |||
| CVE-2026-21385 | unknown | — | 1.5 | 3mo ago | Multiple Qualcomm chipsets contain a memory corruption vulnerability while using alignments for memory allocation. | |||
| CVE-2026-25108 | unknown | — | 1.5 | 3mo ago | Soliton Systems K.K FileZen contains an OS command injection vulnerability when a user logs in to the affected product and sends a specially crafted HTTP request. | |||
| CVE-2026-22769 | unknown | — | 1.5 | 4mo ago | Dell RecoverPoint for Virtual Machines (RP4VMs) contains a use of hard-coded credentials vulnerability that could allow an unauthenticated remote attacker to gain unauthorized access to the underlyi… | |||
| CVE-2026-20700 | unknown | — | 1.5 | 4mo ago | Apple iOS, macOS, tvOS, watchOS, and visionOS contain an improper restriction of operations within the bounds of a memory buffer vulnerability that could allow an attacker with memory write the capab… | |||
| CVE-2026-21525 | unknown | — | 1.5 | 4mo ago | Microsoft Windows Remote Access Connection Manager contains a NULL pointer dereference that could allow an unauthorized attacker to deny service locally. | |||
| CVE-2026-21513 | unknown | — | 1.5 | 4mo ago | Microsoft MSHTML Framework contains a protection mechanism failure vulnerability that could allow an unauthorized attacker to bypass a security feature over a network. | |||
| CVE-2026-21519 | unknown | — | 1.5 | 4mo ago | Microsoft Desktop Windows Manager contains a type confusion vulnerability that could allow an authorized attacker to elevate privileges locally. | |||
| CVE-2026-21514 | unknown | — | 1.5 | 4mo ago | Microsoft Office Word contains a reliance on untrusted inputs in a security decision vulnerability that could allow an authorized attacker to elevate privileges locally. | |||
| CVE-2026-21533 | unknown | — | 1.5 | 4mo ago | Microsoft Windows Remote Desktop Services contains an improper privilege management vulnerability that could allow an authorized attacker to elevate privileges locally. | |||
| CVE-2026-21510 | unknown | — | 1.5 | 4mo ago | Microsoft Windows Shell contains a protection mechanism failure vulnerability that could allow an unauthorized attacker to bypass a security feature over a network. | |||
| CVE-2026-24423 | unknown | — | 1.5 | 4mo ago | SmarterTools SmarterMail contains a missing authentication for critical function vulnerability in the ConnectToHub API method. This could allow the attacker to point the SmarterMail instance to a mal… | |||
| CVE-2026-23760 | unknown | — | 1.5 | 4mo ago | SmarterTools SmarterMail contains an authentication bypass using an alternate path or channel vulnerability in the password reset API. The force-reset-password endpoint permits anonymous requests and… | |||
| CVE-2026-21509 | unknown | — | 1.5 | 4mo ago | Microsoft Office contains a security feature bypass vulnerability in which reliance on untrusted inputs in a security decision in Microsoft Office could allow an unauthorized attacker to bypass a sec… | |||
| CVE-2026-20045 | unknown | — | 1.5 | 5mo ago | Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), Cisco Unified Communications Manager IM & Presence Service (Unifie… | |||
| CVE-2026-20805 | unknown | — | 1.5 | 5mo ago | Microsoft Windows Desktop Windows Manager contains an information disclosure vulnerability that allows an authorized attacker to disclose information locally. | |||
| CVE-2026-25732 | unknown | — | 1.0 | 4mo ago | NiceGUI's Path Traversal via Unsanitized FileUpload.name Enables Arbitrary File Write | |||
| CVE-2026-24486 | unknown | — | 1.0 | 4mo ago | Python-Multipart is a streaming multipart parser for Python. Prior to version 0.0.22, a Path Traversal vulnerability exists when using non-default configuration options `UPLOAD_DIR` and `UPLOAD_KEEP_… | |||
| CVE-2026-23385 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: clone set on flush only Syzbot with fault injection triggered a failing memory allocation with GFP_KERNEL w… | |||
| CVE-2026-42489 | unknown | — | — | — | ||||
| CVE-2026-42488 | unknown | — | — | — | ||||
| CVE-2026-42490 | unknown | — | — | — | ||||
| CVE-2026-48711 | unknown | — | — | — | ||||
| CVE-2026-47187 | unknown | — | — | — | ||||
| CVE-2026-42487 | unknown | — | — | — | ||||
| CVE-2026-47321 | unknown | — | — | — | ||||
| CVE-2026-44171 | unknown | — | — | — | ||||
| CVE-2026-44168 | unknown | — | — | — | ||||
| CVE-2026-44169 | unknown | — | — | — | ||||
| CVE-2026-44170 | unknown | — | — | — | ||||
| CVE-2026-44173 | unknown | — | — | — | ||||
| CVE-2026-48163 | unknown | — | — | — | ||||
| CVE-2026-48165 | unknown | — | — | — | ||||
| CVE-2026-49261 | unknown | — | — | — | ||||
| CVE-2026-33609 | unknown | — | — | — | Incomplete escaping of LDAP queries when running with 8bit-dns enabled allows users to perform queries of internal domain subtrees. | |||
| CVE-2026-33261 | unknown | — | — | — | A zone transition from NSEC to NSEC3 might trigger an internal inconsistency and cause a denial of service. | |||
| CVE-2026-33262 | unknown | — | — | — | An attacker can send replies that result in a null pointer dereference, caused by a missing consistency check and leading to a denial of service. Cookies are disabled by default. | |||
| CVE-2026-33257 | unknown | — | — | — | An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default. |