CVEs from 2026

- Total: 14,770
- critical: 1,335
- high: 5,012
- medium: 4,834
- low: 504
- % Critical: 9.0%
- % with KEV: 0.4%
- % with exploit: 0.7%

Top vendors

Top products
- chrome 723
- firepower_threat_defense_software 310
- gcp 299
- firepower_threat_defense 298
- openclaw 172
- commerce 104
- netweaver_application_server_abap 102
- commerce_b2b 89

Top packages
| CVE | Severity | CVSS | Risk | Published | Description | Flags | OS | Vendor |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-34078 | high | — | 8.0 | 11d ago | Important: flatpak security update | |||
| CVE-2026-45725 | high | — | 8.0 | 11d ago | compliance-trestle Remote Fetching Mechanism has an Arbitrary File Write via Cache Path Traversal | |||
| CVE-2026-47717 | high | — | 8.0 | 11d ago | FUXA's Unauthenticated Project Data Disclosure Exposes Server-Side Scripts and Device Configurations | |||
| CVE-2026-47243 | high | — | 8.0 | 11d ago | Kata guest escape: runtime-rs guest-root to host-root escape via virtiofs | |||
| CVE-2026-45704 | high | — | 8.0 | 11d ago | Pimcore has a CustomReports Share Bypass | |||
| CVE-2026-44982 | high | — | 8.0 | 11d ago | CrowdSec AppSec silently drops request body for chunked / HTTP-2 requests | |||
| CVE-2026-44726 | high | — | 8.0 | 11d ago | Deno's TLS retry copies stale upgrade hook, risking plaintext traffic | |||
| CVE-2026-45617 | high | — | 8.0 | 11d ago | LiquidJS Vulnerable to ReDoS via Quadratic Backtracking in `strip_html` Filter Regex | |||
| CVE-2026-45368 | high | — | 8.0 | 11d ago | Kirby CMS vulnerable to cross-site scripting (XSS) from links in KirbyTags and image blocks in the site frontend | |||
| CVE-2026-45357 | high | — | 8.0 | 11d ago | LiquidJS has a memory and render limit bypass via unbounded width padding in `date` filter (strftime) | |||
| CVE-2026-42553 | high | — | 8.0 | 11d ago | Cinny is a Matrix client. Prior to 4.10.3, A remote authenticated attacker who shares a room with a victim and has permissions to create room emotes (for example in a DM) can cause the victim's clien… | |||
| CVE-2026-45260 | high | — | 8.0 | 11d ago | Pimcore: Missing Authorization in WebDAV MOVE via unchecked asset move handling | |||
| CVE-2026-45162 | high | — | 8.0 | 11d ago | Pimcore has Unsafe PHP Deserialization in Multiple Locations Without allowed_classes Restriction | |||
| CVE-2026-3012 | high | 8.0 | 8.0 | 12d ago | Samba vulnerabilities | |||
| CVE-2026-44974 | high | — | 8.0 | 12d ago | @hapi/content header parser has a parameter smuggling issue that allows upload-filter bypass via duplicate parameters | |||
| CVE-2026-44741 | high | — | 8.0 | 12d ago | Pimcore Admin Classic Bundle Vulnerable to SQL Injection in Translation Grid Date Filter via Unsanitized Property Parameter | |||
| CVE-2026-44739 | high | — | 8.0 | 12d ago | Pimcore Vulnerable to SQL Injection in Custom Reports Column Configuration | |||
| CVE-2026-44705 | high | — | 8.0 | 12d ago | tmp has Path Traversal via unsanitized prefix/postfix that enables directory escape | |||
| CVE-2026-34043 | high | — | 8.0 | 12d ago | RHSA-2026:21291: .NET 8.0 security update (Important) | |||
| CVE-2026-44177 | high | — | 8.0 | 12d ago | Kirby CMS has pre-authentication path traversal and PHP file inclusion during user lookup | |||
| CVE-2026-44175 | high | — | 8.0 | 12d ago | Kirby CMS vulnerable to cross-site scripting (XSS) from list field content in the site frontend | |||
| CVE-2026-44174 | high | — | 8.0 | 12d ago | Kirby CMS has an Arbitrary Method Call via REST API Search and Collection Query Endpoints | |||
| CVE-2026-43947 | high | — | 8.0 | 12d ago | FUXA Vulnerable to Unauthenticated Remote Code Execution via Script Test Mode Authorization Bypass | |||
| CVE-2026-43946 | high | — | 8.0 | 12d ago | FUXA has an unauthenticated arbitrary tag value disclosure via /api/getTagValue | |||
| CVE-2026-43945 | high | — | 8.0 | 12d ago | FUXA Vulnerable to Pre-auth RCE via Path Manipulation & Configuration Injection | |||
| CVE-2026-42462 | high | — | 8.0 | 12d ago | Fedify has an LD-Signature Bypass via JSON-LD Named-Graph Restructuring | |||
| CVE-2026-42089 | high | — | 8.0 | 12d ago | yeoman-environment Vulnerable to Arbitrary Package Installation without User Confirmation | |||
| CVE-2026-44895 | high | — | 8.0 | 12d ago | GitLab MCP Server lets an AI agent talk directly to GitLab. Prior to 0.6.0, the HTTP transport in src/transport.ts ships with no authentication layer at all and a wildcard Access-Control-Allow-Origin… | |||
| CVE-2026-48048 | high | — | 8.0 | 12d ago | XWiki Platform's Livetable results still allow reconstructing password hashes using 768 requests | |||
| CVE-2026-8834 | high | 8.0 | 8.0 | 12d ago | IBM HTTP Server 8.5, and 9.0 contains a buffer overflow vulnerability. A privileged user, authenticated to the Administration Server, could exploit this vulnerability to execute remote code or cause … | |||
| CVE-2026-42014 | high | — | 8.0 | 13d ago | GnuTLS vulnerabilities | |||
| CVE-2026-47138 | high | — | 8.0 | 16d ago | Parse Server: Pre-authentication denial of service via client version header regex backtracking | |||
| CVE-2026-46717 | high | — | 8.0 | 16d ago | Nezha Monitoring: RoleMember-reachable SSRF with full response-body reflection via POST /api/v1/notification | |||
| CVE-2026-46701 | high | — | 8.0 | 17d ago | Network-AI: Unauthenticated Cross-Origin MCP Tool Invocation via Empty Default Secret | |||
| CVE-2026-46681 | high | — | 8.0 | 17d ago | @nevware21/ts-utils: Prototype Pollution in objDeepCopy/objCopyProps via for...in without hasOwnProperty | |||
| CVE-2026-46680 | high | — | 8.0 | 17d ago | containerd user ID handling bypass allows runAsNonRoot evasion | |||
| CVE-2026-46679 | high | — | 8.0 | 17d ago | js-libp2p: Memory DoS via subscription flood of unique topics | |||
| CVE-2026-46625 | high | — | 8.0 | 17d ago | JavaScript Cookie: Per-instance prototype hijack in assign() enables cookie-attribute injection | |||
| CVE-2026-46673 | high | — | 8.0 | 17d ago | Unbounded 32-bit allocation | |||
| CVE-2026-46519 | high | — | 8.0 | 17d ago | MCP Server Kubernetes: Tool Access Control Bypass via Presentation-Layer Filtering Without Execution-Layer Enforcement | |||
| CVE-2026-46654 | high | — | 8.0 | 17d ago | Plonky3 MultiField32Challenger: transcript malleability and challenge entropy loss | |||
| CVE-2026-46643 | high | — | 8.0 | 17d ago | Snappy: Binary path is never shell-escaped due to an inverted is_executable check | |||
| CVE-2026-46617 | high | — | 8.0 | 17d ago | Fission runtime pods automount the fission-fetcher service-account token into the user function container, granting function code namespace-wide secret / configmap read | |||
| CVE-2026-46612 | high | — | 8.0 | 17d ago | Fission StorageSvc /v1/archive endpoint exposes unauthenticated CRUD over all function archives | |||
| CVE-2026-46545 | high | — | 8.0 | 17d ago | nimiq-primitives: Panic DoS in trie chunk processing via ROOT-keyed item | |||
| CVE-2026-46517 | high | — | 8.0 | 17d ago | lmdeploy: Hardcoded trust_remote_code=True is an implicit unsafe remote-code load path with no user opt-out | |||
| CVE-2026-46492 | high | — | 8.0 | 17d ago | md-fileserver: Stored/Reflected XSS when viewing Markdown (raw HTML allowed) | |||
| CVE-2026-46432 | high | — | 8.0 | 17d ago | LMDeploy: Arbitrary code execution via hardcoded trust_remote_code=True in lmdeploy model initialization | |||
| CVE-2026-46490 | high | — | 8.0 | 17d ago | samlify: XML Injection in AttributeValue Allows Privilege Escalation in Signed SAML Assertions | |||
| CVE-2026-46481 | high | — | 8.0 | 17d ago | OpenMetadata: TEST_CONNECTION workflow leaks ingestion-bot JWT and database password to regular users | |||
| CVE-2026-45804 | high | — | 8.0 | 18d ago | Diffusers: TOCTOU Trust Remote Code Bypass | |||
| CVE-2026-45077 | high | — | 8.0 | 19d ago | Symfony has Unauthenticated PHP Object Deserialization in MonologBridge server:log Listener | |||
| CVE-2026-45067 | high | — | 8.0 | 19d ago | Symfony has Email Header / SMTP Command Injection via CRLF in Symfony\Component\Mime\Address | |||
| CVE-2026-45063 | high | — | 8.0 | 19d ago | Symfony Vulnerable to Identity Spoofing via Unanchored DN Regex in X509Authenticator | |||
| CVE-2026-46640 | high | — | 8.0 | 19d ago | Twig: Arbitrary PHP code execution via `_self.(<string>)` macro-reference compilation | |||
| CVE-2026-46639 | high | — | 8.0 | 19d ago | Twig: Sandbox property and method bypass via object-destructuring assignment | |||
| CVE-2026-23401 | high | — | 8.0 | 19d ago | In the Linux kernel, the following vulnerability has been resolved: KVM: x86/mmu: Drop/zap existing present SPTE even when creating an MMIO SPTE When installing an emulated MMIO SPTE, do so *after*… | |||
| CVE-2026-22984 | high | — | 8.0 | 19d ago | Linux kernel (Azure) vulnerabilities | |||
| CVE-2026-22990 | high | — | 8.0 | 19d ago | Linux kernel (Azure) vulnerabilities | |||
| CVE-2026-46417 | high | — | 8.0 | 19d ago | @angular/platform-server: SSRF via Hostname Hijacking | |||
| CVE-2026-46415 | high | — | 8.0 | 19d ago | Caddy Defender trusted proxy client IP bypass | |||
| CVE-2026-46410 | high | — | 8.0 | 19d ago | FileBrowser Quantum: unauthenticated user share share info | |||
| CVE-2026-46374 | high | — | 8.0 | 19d ago | SQLFluff: Uncontrolled Resource Consumption in SQLFluff Parser | |||
| CVE-2026-46373 | high | — | 8.0 | 19d ago | SQLFluff: Recursive Stack Overflow in Parser | |||
| CVE-2026-46378 | high | — | 8.0 | 19d ago | Dasel: Denial of service in dasel selector lexer due to infinite loop on unterminated regex literal | |||
| CVE-2026-46377 | high | — | 8.0 | 19d ago | Dasel: Index-out-of-range panic in dasel selector lexer on trailing backslash in quoted string | |||
| CVE-2026-45783 | high | — | 8.0 | 19d ago | @libp2p/kad-dht: Unvalidated PUT_VALUE records allow unbounded disk exhaustion on DHT server nodes | |||
| CVE-2026-45805 | high | — | 8.0 | 19d ago | PenPot MCP REPL server binds to 0.0.0.0 with unauthenticated /execute endpoint — RCE | |||
| CVE-2026-45799 | high | — | 8.0 | 19d ago | Wire: skipGroup() missing negative-length check allows 10-byte payload to crash any Wire-decoding service | |||
| CVE-2026-45738 | high | — | 8.0 | 19d ago | Argo CD: Stored XSS in application link annotations enables developer-to-admin privilege escalation | |||
| CVE-2026-45713 | high | — | 8.0 | 19d ago | Mailpit: Unauthenticated remote memory-exhaustion DoS via unlimited SMTP DATA and /api/v1/send body sizes | |||
| CVE-2026-45576 | high | — | 8.0 | 19d ago | zrok copy writes attacker-controlled WebDAV paths outside the destination root | |||
| CVE-2026-46511 | high | — | 8.0 | 19d ago | HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, an attack chain utilizing Stored XSS alongside dynamic token exposure in the `/system/api/connectionSetti… | |||
| CVE-2026-46396 | high | — | 8.0 | 19d ago | HAX CMS helps manage microsite universe with PHP or NodeJs backends. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 26.0.0 due to improper sanitization of `<iframe>` el… | |||
| CVE-2026-46391 | high | — | 8.0 | 19d ago | HAX CMS helps manage microsite universe with PHP or NodeJs backends. Starting in version 9.0.1 and prior to version 26.0.0 of @haxtheweb/open-apis, multiple functions conduct substring-only matching … | |||
| CVE-2026-46393 | high | — | 8.0 | 19d ago | HAX CMS helps manage microsite universe with PHP or NodeJs backends. An authenticated Server-Side Request Forgery (SSRF) vulnerability in versions prior to 26.0.0 allows authenticated users to fetch … | |||
| CVE-2026-20636 | high | — | 8.0 | 20d ago | WebKitGTK vulnerabilities | |||
| CVE-2026-20643 | high | — | 8.0 | 20d ago | WebKitGTK vulnerabilities | |||
| CVE-2026-2921 | high | — | 8.0 | 20d ago | GStreamer Base Plugins vulnerability | |||
| CVE-2026-33984 | high | — | 8.0 | 20d ago | Important: freerdp security update | |||
| CVE-2026-2923 | high | — | 8.0 | 20d ago | RHSA-2026:6750: gstreamer1-plugins-bad-free, gstreamer1-plugins-base, and gstreamer1-plugins-good security update (Important) | |||
| CVE-2026-3082 | high | — | 8.0 | 20d ago | RHSA-2026:6750: gstreamer1-plugins-bad-free, gstreamer1-plugins-base, and gstreamer1-plugins-good security update (Important) | |||
| CVE-2026-20644 | high | — | 8.0 | 20d ago | WebKitGTK vulnerabilities | |||
| CVE-2026-20652 | high | — | 8.0 | 20d ago | WebKitGTK vulnerabilities | |||
| CVE-2026-20608 | high | — | 8.0 | 20d ago | WebKitGTK vulnerabilities | |||
| CVE-2026-20676 | high | — | 8.0 | 20d ago | WebKitGTK vulnerabilities | |||
| CVE-2026-20691 | high | — | 8.0 | 20d ago | WebKitGTK vulnerabilities | |||
| CVE-2026-20635 | high | — | 8.0 | 20d ago | WebKitGTK vulnerabilities | |||
| CVE-2026-2297 | high | — | 8.0 | 20d ago | Important: python3.12 security update | |||
| CVE-2026-2922 | high | — | 8.0 | 20d ago | Important: gstreamer1-plugins-bad-free, gstreamer1-plugins-base, gstreamer1-plugins-good, and gstreamer1-plugins-ugly-free security update | |||
| CVE-2026-33810 | high | — | 8.0 | 20d ago | When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint. This only affe… | |||
| CVE-2026-4519 | high | — | 8.0 | 20d ago | Important: python3.12 security update | |||
| CVE-2026-23060 | high | — | 8.0 | 20d ago | Linux kernel (BlueField) vulnerabilities | |||
| CVE-2026-23950 | high | — | 8.0 | 20d ago | Important: linux-sgx security update | |||
| CVE-2026-23745 | high | — | 8.0 | 20d ago | Important: linux-sgx security update | |||
| CVE-2026-20665 | high | — | 8.0 | 20d ago | WebKitGTK vulnerabilities | |||
| CVE-2026-5713 | high | — | 8.0 | 20d ago | Important: python3.14 security update | |||
| CVE-2026-3083 | high | — | 8.0 | 20d ago | GStreamer rtpqdm2depay Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interactio… | |||
| CVE-2026-28871 | high | — | 8.0 | 20d ago | WebKitGTK vulnerabilities | |||
| CVE-2026-20664 | high | — | 8.0 | 20d ago | WebKitGTK vulnerabilities |