CVEs from 2026

Total: 14,798

| Severity | Count |
|---|---|
| critical | 1,335 |
| high | 5,011 |
| medium | 4,834 |
| low | 504 |

% Critical: 9.0%
% with KEV: 0.4%
% with exploit: 0.7%

Top products

- chrome 723
- firepower_threat_defense_software 310
- gcp 299
- firepower_threat_defense 298
- openclaw 172
- commerce 104
- netweaver_application_server_abap 102
- commerce_b2b 89
| CVE | Severity | CVSS | Risk | Published | Description |
|---|---|---|---|---|---|
| CVE-2026-45725 | high | — | 8.0 | 11d ago | compliance-trestle Remote Fetching Mechanism has an Arbitrary File Write via Cache Path Traversal |
| CVE-2026-47717 | high | — | 8.0 | 11d ago | FUXA's Unauthenticated Project Data Disclosure Exposes Server-Side Scripts and Device Configurations |
| CVE-2026-47243 | high | — | 8.0 | 11d ago | Kata guest escape: runtime-rs guest-root to host-root escape via virtiofs |
| CVE-2026-45704 | high | — | 8.0 | 11d ago | Pimcore has a CustomReports Share Bypass |
| CVE-2026-44982 | high | — | 8.0 | 11d ago | CrowdSec AppSec silently drops request body for chunked / HTTP-2 requests |
| CVE-2026-44726 | high | — | 8.0 | 11d ago | Deno's TLS retry copies stale upgrade hook, risking plaintext traffic |
| CVE-2026-45617 | high | — | 8.0 | 11d ago | LiquidJS Vulnerable to ReDoS via Quadratic Backtracking in `strip_html` Filter Regex |
| CVE-2026-45368 | high | — | 8.0 | 11d ago | Kirby CMS vulnerable to cross-site scripting (XSS) from links in KirbyTags and image blocks in the site frontend |
| CVE-2026-45357 | high | — | 8.0 | 11d ago | LiquidJS has a memory and render limit bypass via unbounded width padding in `date` filter (strftime) |
| CVE-2026-42553 | high | — | 8.0 | 11d ago | Cinny is a Matrix client. Prior to 4.10.3, A remote authenticated attacker who shares a room with a victim and has permissions to create room emotes (for example in a DM) can cause the victim's clien… |
| CVE-2026-45260 | high | — | 8.0 | 11d ago | Pimcore: Missing Authorization in WebDAV MOVE via unchecked asset move handling |
| CVE-2026-45162 | high | — | 8.0 | 11d ago | Pimcore has Unsafe PHP Deserialization in Multiple Locations Without allowed_classes Restriction |
| CVE-2026-3012 | high | 8.0 | 8.0 | 11d ago | Important: samba security update |
| CVE-2026-44974 | high | — | 8.0 | 12d ago | @hapi/content header parser has a parameter smuggling issue that allows upload-filter bypass via duplicate parameters |
| CVE-2026-44741 | high | — | 8.0 | 12d ago | Pimcore Admin Classic Bundle Vulnerable to SQL Injection in Translation Grid Date Filter via Unsanitized Property Parameter |
| CVE-2026-44739 | high | — | 8.0 | 12d ago | Pimcore Vulnerable to SQL Injection in Custom Reports Column Configuration |
| CVE-2026-44705 | high | — | 8.0 | 12d ago | tmp has Path Traversal via unsanitized prefix/postfix that enables directory escape |
| CVE-2026-34043 | high | — | 8.0 | 12d ago | RHSA-2026:21291: .NET 8.0 security update (Important) |
| CVE-2026-44177 | high | — | 8.0 | 12d ago | Kirby CMS has pre-authentication path traversal and PHP file inclusion during user lookup |
| CVE-2026-44175 | high | — | 8.0 | 12d ago | Kirby CMS vulnerable to cross-site scripting (XSS) from list field content in the site frontend |
| CVE-2026-44174 | high | — | 8.0 | 12d ago | Kirby CMS has an Arbitrary Method Call via REST API Search and Collection Query Endpoints |
| CVE-2026-43947 | high | — | 8.0 | 12d ago | FUXA Vulnerable to Unauthenticated Remote Code Execution via Script Test Mode Authorization Bypass |
| CVE-2026-43946 | high | — | 8.0 | 12d ago | FUXA has an unauthenticated arbitrary tag value disclosure via /api/getTagValue |
| CVE-2026-43945 | high | — | 8.0 | 12d ago | FUXA Vulnerable to Pre-auth RCE via Path Manipulation & Configuration Injection |
| CVE-2026-42462 | high | — | 8.0 | 12d ago | Fedify has an LD-Signature Bypass via JSON-LD Named-Graph Restructuring |
| CVE-2026-42089 | high | — | 8.0 | 12d ago | yeoman-environment Vulnerable to Arbitrary Package Installation without User Confirmation |
| CVE-2026-44895 | high | — | 8.0 | 12d ago | GitLab MCP Server lets an AI agent talk directly to GitLab. Prior to 0.6.0, the HTTP transport in src/transport.ts ships with no authentication layer at all and a wildcard Access-Control-Allow-Origin… |
| CVE-2026-48048 | high | — | 8.0 | 12d ago | XWiki Platform's Livetable results still allow reconstructing password hashes using 768 requests |
| CVE-2026-8834 | high | 8.0 | 8.0 | 12d ago | IBM HTTP Server 8.5, and 9.0 contains a buffer overflow vulnerability. A privileged user, authenticated to the Administration Server, could exploit this vulnerability to execute remote code or cause … |
| CVE-2026-42014 | high | — | 8.0 | 13d ago | RHSA-2026:20612: gnutls security update (Important) |
| CVE-2026-47138 | high | — | 8.0 | 16d ago | Parse Server: Pre-authentication denial of service via client version header regex backtracking |
| CVE-2026-46717 | high | — | 8.0 | 16d ago | Nezha Monitoring: RoleMember-reachable SSRF with full response-body reflection via POST /api/v1/notification |
| CVE-2026-46701 | high | — | 8.0 | 17d ago | Network-AI: Unauthenticated Cross-Origin MCP Tool Invocation via Empty Default Secret |
| CVE-2026-46681 | high | — | 8.0 | 17d ago | @nevware21/ts-utils: Prototype Pollution in objDeepCopy/objCopyProps via for...in without hasOwnProperty |
| CVE-2026-46680 | high | — | 8.0 | 17d ago | containerd user ID handling bypass allows runAsNonRoot evasion |
| CVE-2026-46679 | high | — | 8.0 | 17d ago | js-libp2p: Memory DoS via subscription flood of unique topics |
| CVE-2026-46625 | high | — | 8.0 | 17d ago | JavaScript Cookie: Per-instance prototype hijack in assign() enables cookie-attribute injection |
| CVE-2026-46673 | high | — | 8.0 | 17d ago | Unbounded 32-bit allocation |
| CVE-2026-46519 | high | — | 8.0 | 17d ago | MCP Server Kubernetes: Tool Access Control Bypass via Presentation-Layer Filtering Without Execution-Layer Enforcement |
| CVE-2026-46654 | high | — | 8.0 | 17d ago | Plonky3 MultiField32Challenger: transcript malleability and challenge entropy loss |
| CVE-2026-46643 | high | — | 8.0 | 17d ago | Snappy: Binary path is never shell-escaped due to an inverted is_executable check |
| CVE-2026-46617 | high | — | 8.0 | 17d ago | Fission runtime pods automount the fission-fetcher service-account token into the user function container, granting function code namespace-wide secret / configmap read |
| CVE-2026-46612 | high | — | 8.0 | 17d ago | Fission StorageSvc /v1/archive endpoint exposes unauthenticated CRUD over all function archives |
| CVE-2026-46545 | high | — | 8.0 | 17d ago | nimiq-primitives: Panic DoS in trie chunk processing via ROOT-keyed item |
| CVE-2026-46517 | high | — | 8.0 | 17d ago | lmdeploy: Hardcoded trust_remote_code=True is an implicit unsafe remote-code load path with no user opt-out |
| CVE-2026-46492 | high | — | 8.0 | 17d ago | md-fileserver: Stored/Reflected XSS when viewing Markdown (raw HTML allowed) |
| CVE-2026-46432 | high | — | 8.0 | 17d ago | LMDeploy: Arbitrary code execution via hardcoded trust_remote_code=True in lmdeploy model initialization |
| CVE-2026-46490 | high | — | 8.0 | 17d ago | samlify: XML Injection in AttributeValue Allows Privilege Escalation in Signed SAML Assertions |
| CVE-2026-46481 | high | — | 8.0 | 17d ago | OpenMetadata: TEST_CONNECTION workflow leaks ingestion-bot JWT and database password to regular users |
| CVE-2026-45804 | high | — | 8.0 | 18d ago | Diffusers: TOCTOU Trust Remote Code Bypass |
| CVE-2026-45067 | high | — | 8.0 | 18d ago | Symfony has Email Header / SMTP Command Injection via CRLF in Symfony\Component\Mime\Address |
| CVE-2026-45063 | high | — | 8.0 | 18d ago | Symfony Vulnerable to Identity Spoofing via Unanchored DN Regex in X509Authenticator |
| CVE-2026-46640 | high | — | 8.0 | 18d ago | Twig: Arbitrary PHP code execution via `_self.(<string>)` macro-reference compilation |
| CVE-2026-45077 | high | — | 8.0 | 18d ago | Symfony has Unauthenticated PHP Object Deserialization in MonologBridge server:log Listener |
| CVE-2026-46639 | high | — | 8.0 | 18d ago | Twig: Sandbox property and method bypass via object-destructuring assignment |
| CVE-2026-23401 | high | — | 8.0 | 19d ago | In the Linux kernel, the following vulnerability has been resolved: KVM: x86/mmu: Drop/zap existing present SPTE even when creating an MMIO SPTE When installing an emulated MMIO SPTE, do so *after*… |
| CVE-2026-22990 | high | — | 8.0 | 19d ago | In the Linux kernel, the following vulnerability has been resolved: libceph: replace overzealous BUG_ON in osdmap_apply_incremental() If the osdmap is (maliciously) corrupted such that the incremen… |
| CVE-2026-22984 | high | — | 8.0 | 19d ago | In the Linux kernel, the following vulnerability has been resolved: libceph: prevent potential out-of-bounds reads in handle_auth_done() Perform an explicit bounds check on payload_len to avoid a p… |
| CVE-2026-46417 | high | — | 8.0 | 19d ago | @angular/platform-server: SSRF via Hostname Hijacking |
| CVE-2026-46415 | high | — | 8.0 | 19d ago | Caddy Defender trusted proxy client IP bypass |
| CVE-2026-46410 | high | — | 8.0 | 19d ago | FileBrowser Quantum: unauthenticated user share share info |
| CVE-2026-46374 | high | — | 8.0 | 19d ago | SQLFluff: Uncontrolled Resource Consumption in SQLFluff Parser |
| CVE-2026-46373 | high | — | 8.0 | 19d ago | SQLFluff: Recursive Stack Overflow in Parser |
| CVE-2026-46378 | high | — | 8.0 | 19d ago | Dasel: Denial of service in dasel selector lexer due to infinite loop on unterminated regex literal |
| CVE-2026-46377 | high | — | 8.0 | 19d ago | Dasel: Index-out-of-range panic in dasel selector lexer on trailing backslash in quoted string |
| CVE-2026-45783 | high | — | 8.0 | 19d ago | @libp2p/kad-dht: Unvalidated PUT_VALUE records allow unbounded disk exhaustion on DHT server nodes |
| CVE-2026-45805 | high | — | 8.0 | 19d ago | PenPot MCP REPL server binds to 0.0.0.0 with unauthenticated /execute endpoint — RCE |
| CVE-2026-45799 | high | — | 8.0 | 19d ago | Wire: skipGroup() missing negative-length check allows 10-byte payload to crash any Wire-decoding service |
| CVE-2026-45738 | high | — | 8.0 | 19d ago | Argo CD: Stored XSS in application link annotations enables developer-to-admin privilege escalation |
| CVE-2026-45713 | high | — | 8.0 | 19d ago | Mailpit: Unauthenticated remote memory-exhaustion DoS via unlimited SMTP DATA and /api/v1/send body sizes |
| CVE-2026-45576 | high | — | 8.0 | 19d ago | zrok copy writes attacker-controlled WebDAV paths outside the destination root |
| CVE-2026-46511 | high | — | 8.0 | 19d ago | HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, an attack chain utilizing Stored XSS alongside dynamic token exposure in the `/system/api/connectionSetti… |
| CVE-2026-46396 | high | — | 8.0 | 19d ago | HAX CMS helps manage microsite universe with PHP or NodeJs backends. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 26.0.0 due to improper sanitization of `<iframe>` el… |
| CVE-2026-46391 | high | — | 8.0 | 19d ago | HAX CMS helps manage microsite universe with PHP or NodeJs backends. Starting in version 9.0.1 and prior to version 26.0.0 of @haxtheweb/open-apis, multiple functions conduct substring-only matching … |
| CVE-2026-46393 | high | — | 8.0 | 19d ago | HAX CMS helps manage microsite universe with PHP or NodeJs backends. An authenticated Server-Side Request Forgery (SSRF) vulnerability in versions prior to 26.0.0 allows authenticated users to fetch … |
| CVE-2026-20664 | high | — | 8.0 | 20d ago | The issue was addressed with improved memory handling. This issue is fixed in Safari 26.4, iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, visionOS 26.4. Processing maliciously crafted web content may le… |
| CVE-2026-3085 | high | — | 8.0 | 20d ago | GStreamer rtpqdm2depay Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Int… |
| CVE-2026-20608 | high | — | 8.0 | 20d ago | This issue was addressed through improved state management. This issue is fixed in Safari 26.3, iOS 18.7.5 and iPadOS 18.7.5, iOS 26.3 and iPadOS 26.3, macOS Tahoe 26.3, visionOS 26.3. Processing mal… |
| CVE-2026-20652 | high | — | 8.0 | 20d ago | The issue was addressed with improved memory handling. This issue is fixed in Safari 26.3, iOS 18.7.5 and iPadOS 18.7.5, iOS 26.3 and iPadOS 26.3, macOS Tahoe 26.3, visionOS 26.3. A remote attacker m… |
| CVE-2026-0672 | high | — | 8.0 | 20d ago | Important: python3.12 security update |
| CVE-2026-20636 | high | — | 8.0 | 20d ago | The issue was addressed with improved memory handling. This issue is fixed in Safari 26.3, iOS 26.3 and iPadOS 26.3, macOS Tahoe 26.3, visionOS 26.3. Processing maliciously crafted web content may le… |
| CVE-2026-20643 | high | — | 8.0 | 20d ago | A cross-origin issue in the Navigation API was addressed with improved input validation. This issue is fixed in Background Security Improvements for iOS, iPadOS, and macOS, Safari 26.4, iOS 18.7.7 an… |
| CVE-2026-20676 | high | — | 8.0 | 20d ago | This issue was addressed through improved state management. This issue is fixed in Safari 26.3, iOS 26.3 and iPadOS 26.3, macOS Tahoe 26.3, visionOS 26.3. A website may be able to track users through… |
| CVE-2026-28859 | high | — | 8.0 | 20d ago | The issue was addressed with improved memory handling. This issue is fixed in Safari 26.4, iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, watchOS 26.4. A malicious website may … |
| CVE-2026-20691 | high | — | 8.0 | 20d ago | An authorization issue was addressed with improved state management. This issue is fixed in Safari 26.4, iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, visionOS 26.4, watchOS 26.4. A maliciously crafted… |
| CVE-2026-28857 | high | — | 8.0 | 20d ago | The issue was addressed with improved memory handling. This issue is fixed in Safari 26.4, iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, visionOS 26.4. Processing maliciously crafted web content may le… |
| CVE-2026-28871 | high | — | 8.0 | 20d ago | A logic issue was addressed with improved checks. This issue is fixed in Safari 26.4, iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4. Visiting a maliciously crafted website … |
| CVE-2026-23950 | high | — | 8.0 | 20d ago | Important: linux-sgx security update |
| CVE-2026-1502 | high | — | 8.0 | 20d ago | Important: python3.12 security update |
| CVE-2026-4519 | high | — | 8.0 | 20d ago | Important: python3.12 security update |
| CVE-2026-2922 | high | — | 8.0 | 20d ago | Important: gstreamer1-plugins-bad-free, gstreamer1-plugins-base, gstreamer1-plugins-good, and gstreamer1-plugins-ugly-free security update |
| CVE-2026-2920 | high | — | 8.0 | 20d ago | RHSA-2026:6750: gstreamer1-plugins-bad-free, gstreamer1-plugins-base, and gstreamer1-plugins-good security update (Important) |
| CVE-2026-2297 | high | — | 8.0 | 20d ago | Important: python3.12 security update |
| CVE-2026-27137 | high | — | 8.0 | 20d ago | Incorrect enforcement of email constraints in crypto/x509 |
| CVE-2026-2923 | high | — | 8.0 | 20d ago | RHSA-2026:6750: gstreamer1-plugins-bad-free, gstreamer1-plugins-base, and gstreamer1-plugins-good security update (Important) |
| CVE-2026-32281 | high | — | 8.0 | 20d ago | Inefficient policy validation in crypto/x509 |
| CVE-2026-20644 | high | — | 8.0 | 20d ago | The issue was addressed with improved memory handling. This issue is fixed in Safari 26.3, iOS 18.7.5 and iPadOS 18.7.5, iOS 26.3 and iPadOS 26.3, macOS Tahoe 26.3, visionOS 26.3. Processing maliciou… |
| CVE-2026-2921 | high | — | 8.0 | 20d ago | RHSA-2026:6750: gstreamer1-plugins-bad-free, gstreamer1-plugins-base, and gstreamer1-plugins-good security update (Important) |
| CVE-2026-3082 | high | — | 8.0 | 20d ago | RHSA-2026:6750: gstreamer1-plugins-bad-free, gstreamer1-plugins-base, and gstreamer1-plugins-good security update (Important) |
| CVE-2026-23060 | high | — | 8.0 | 20d ago | Important: kernel security update |