CVEs from 2026
Total
14,786
critical
critical 1,335
high
high 5,004
medium
medium 4,828
low
low 503
% Critical
9.0%
% with KEV
0.4%
% with exploit
0.7%
Top vendors
Top products
- chrome 723
- firepower_threat_defense_software 310
- gcp 299
- firepower_threat_defense 298
- openclaw 172
- commerce 104
- netweaver_application_server_abap 102
- commerce_b2b 89
Top packages
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-33810 | high | — | 8.0 | 19d ago | When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint. This only affe… | |||
| CVE-2026-32281 | high | — | 8.0 | 19d ago | Inefficient policy validation in crypto/x509 | |||
| CVE-2026-3082 | high | — | 8.0 | 19d ago | RHSA-2026:6750: gstreamer1-plugins-bad-free, gstreamer1-plugins-base, and gstreamer1-plugins-good security update (Important) | |||
| CVE-2026-2923 | high | — | 8.0 | 19d ago | RHSA-2026:6750: gstreamer1-plugins-bad-free, gstreamer1-plugins-base, and gstreamer1-plugins-good security update (Important) | |||
| CVE-2026-2921 | high | — | 8.0 | 19d ago | RHSA-2026:6750: gstreamer1-plugins-bad-free, gstreamer1-plugins-base, and gstreamer1-plugins-good security update (Important) | |||
| CVE-2026-2920 | high | — | 8.0 | 19d ago | RHSA-2026:6750: gstreamer1-plugins-bad-free, gstreamer1-plugins-base, and gstreamer1-plugins-good security update (Important) | |||
| CVE-2026-24842 | high | — | 8.0 | 19d ago | Important: linux-sgx security update | |||
| CVE-2026-5713 | high | — | 8.0 | 19d ago | Important: python3.14 security update | |||
| CVE-2026-46520 | high | — | 8.0 | 19d ago | ImageMagick: Heap Buffer Over-Write in IPL decoder when reading multiple images of different dimensions | |||
| CVE-2026-45367 | high | — | 8.0 | 19d ago | HAPI FHIR: ReDoS via FHIRPath matches()/replaceMatches() in FHIR Validator HTTP Endpoint | |||
| CVE-2026-42306 | high | — | 8.0 | 19d ago | Docker: Race condition in docker cp allows bind mount redirection to host path | |||
| CVE-2026-45727 | high | — | 8.0 | 19d ago | CloakBrowser is a tool to bypass bot detection tests. Prior to version 0.3.28, the cloakserve CDP multiplexer uses the user-supplied fingerprint query parameter directly as a filesystem path componen… | |||
| CVE-2026-45325 | high | — | 8.0 | 19d ago | @tmlmobilidade/utils has prototype pollution in its setValueAtPath | |||
| CVE-2026-46385 | high | — | 8.0 | 19d ago | iskorotkov/avro is a fast Go Avro codec. Prior to 2.33.0, the Avro array and map decoders looped over an attacker-controlled block-count value without checking the underlying reader's error state ins… | |||
| CVE-2026-45270 | high | — | 8.0 | 19d ago | CI4MS: Stored XSS in Pages Module Content via Broken html_purify Validation Rule | |||
| CVE-2026-46384 | high | — | 8.0 | 19d ago | iskorotkov/avro is a fast Go Avro codec. Prior to 2.33.0, several Avro decoder paths read attacker-controlled 64-bit values from the wire format and either narrowed them to platform-sized int before … | |||
| CVE-2026-45135 | high | — | 8.0 | 19d ago | Caddy: Unsafe Unicode Handling in FastCGI splitPos Allows Execution of Non-PHP Files | |||
| CVE-2026-33416 | high | — | 8.0 | 20d ago | Important: thunderbird security update | |||
| CVE-2026-45363 | high | — | 8.0 | 20d ago | ruby-jwt: Empty-key HMAC bypass; cross-language sibling of CVE-2026-44351 | |||
| CVE-2026-46491 | high | — | 8.0 | 22d ago | SimpleSAMLphp casserver FileSystemTicketStore path traversal allows out-of-ticket-directory read/unserialize and conditional deletion | |||
| CVE-2026-44692 | high | — | 8.0 | 22d ago | Authenticated Sharp users can download unrelated Laravel Storage objects through the generic download endpoint | |||
| CVE-2026-45062 | high | — | 8.0 | 22d ago | FrankenPHP: Unsafe Unicode Handling in CGI Path Splitting Allows Execution of Non-PHP Files | |||
| CVE-2026-44716 | high | — | 8.0 | 22d ago | Pipecat: Path Traversal in Pipecat Runner `/files` Endpoint — Arbitrary File Read via `%2F`-Encoded Separator | |||
| CVE-2026-44700 | high | — | 8.0 | 23d ago | ex_webrtc client-role handshake is missing DTLS peer fingerprint validation | |||
| CVE-2026-42327 | high | — | 8.0 | 23d ago | rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.9.7 to before 0.10.79, X509Ref::ocsp_responders returns OCSP responder URLs from a certificate's AIA extension as Open… | |||
| CVE-2026-45671 | high | 8.0 | 8.0 | 23d ago | Open WebUI: shared-chat branch ignores access_type, allowing unauthorized file deletion | |||
| CVE-2026-42570 | high | — | 8.0 | 23d ago | Svelte devalue: DoS via sparse array deserialization | |||
| CVE-2026-45371 | high | — | 8.0 | 23d ago | SiYuan publish-mode Reader can mutate Conf and SQL index via 8 ungated APIs | |||
| CVE-2026-44522 | high | — | 8.0 | 23d ago | Note Mark: Arbitrary File Write via Path Traversal in Asset Names Leads to Remote Code Execution | |||
| CVE-2026-44541 | high | — | 8.0 | 23d ago | ethyca-fides has a DOM-based XSS vulnerability in fides.js via fides_description override | |||
| CVE-2026-45011 | high | — | 8.0 | 23d ago | Apostrophe has stored XSS via javascript: URL in Image Widget Link | |||
| CVE-2026-45013 | high | — | 8.0 | 23d ago | Apostrophe has a Weak Password Recovery Mechanism for Forgotten Password and Improper Input Validation | |||
| CVE-2026-45012 | high | — | 8.0 | 23d ago | Apostrophe has authenticated SSRF in rich-text widget import via @apostrophecms/area/validate-widget | |||
| CVE-2026-46480 | high | — | 8.0 | 23d ago | FlowiseAI: Evaluator create+update mass-assignment allows cross-workspace evaluator takeover | |||
| CVE-2026-46479 | high | — | 8.0 | 23d ago | FlowiseAI: Evaluation create+update mass-assignment allows cross-workspace evaluation takeover | |||
| CVE-2026-46478 | high | — | 8.0 | 23d ago | FlowiseAI: DatasetRow create+update mass-assignment allows cross-workspace row takeover | |||
| CVE-2026-46477 | high | — | 8.0 | 23d ago | FlowiseAI: Dataset create+update mass-assignment allows cross-workspace dataset takeover | |||
| CVE-2026-46476 | high | — | 8.0 | 23d ago | FlowiseAI: CustomTemplate create+update mass-assignment allows cross-workspace template takeover | |||
| CVE-2026-46475 | high | — | 8.0 | 23d ago | FlowiseAI: Assistant create+update mass-assignment allows cross-workspace assistant takeover | |||
| CVE-2026-46444 | high | — | 8.0 | 23d ago | FlowiseAI: Vector Store No Permission Checks | |||
| CVE-2026-45732 | high | — | 8.0 | 23d ago | n8n Has a Cross-user Authorization Bypass in Dynamic Credential OAuth Endpoints | |||
| CVE-2026-44792 | high | — | 8.0 | 23d ago | n8n Has a Source Control Pull SQL Injection | |||
| CVE-2026-43978 | high | — | 8.0 | 23d ago | wger: Privilege escalation via trainer-login session chaining allows gym trainer to impersonate gym manager | |||
| CVE-2026-44504 | high | — | 8.0 | 23d ago | Aegra has cross-user run injection in /threads/{thread_id}/runs (IDOR) | |||
| CVE-2026-43977 | high | — | 8.0 | 23d ago | wger Vulnerable to IDOR: Authenticated Users Can Read Any User's Private Workout Session Data via Template Routine API | |||
| CVE-2026-46443 | high | — | 8.0 | 23d ago | FlowiseAI Vulnerable to Credential Data Leak | |||
| CVE-2026-46441 | high | — | 8.0 | 23d ago | FlowiseAI has Mass Assignment in Assistant Update Endpoint that Allows Cross-Workspace Resource Reassignment | |||
| CVE-2026-46440 | high | — | 8.0 | 23d ago | FlowiseAI Exposes Basic Auth Credentials via API | |||
| CVE-2026-42863 | high | — | 8.0 | 23d ago | FlowiseAI has Mass Assignment in Chatflow Update Endpoint that Allows Cross-Workspace AgentFlow Reassignment | |||
| CVE-2026-42862 | high | — | 8.0 | 23d ago | FlowiseAI has Mass Assignment in Tool Update Endpoint that Allows Cross-Workspace Resource Reassignment | |||
| CVE-2026-42861 | high | — | 8.0 | 23d ago | FlowiseAI has Mass Assignment in Variable Update Endpoint that Allows Cross-Workspace Resource Reassignment | |||
| CVE-2026-8468 | high | — | 8.0 | 23d ago | Plug: Unbounded buffer accumulation in multipart header parsing causes denial of service | |||
| CVE-2026-8466 | high | — | 8.0 | 24d ago | Cowboy: Unbounded buffer accumulation in multipart header parsing causes denial of service in cowboy | |||
| CVE-2026-43970 | high | — | 8.0 | 24d ago | Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in ninenines cowlib allows unauthenticated remote denial of service via memory exhaustion. cow_spdy:inflate/2 in cowlib… | |||
| CVE-2026-45793 | high | — | 8.0 | 25d ago | Github Actions issued GITHUB_TOKEN disclosure in GitHub Actions logs | |||
| CVE-2026-39979 | high | — | 8.0 | 25d ago | Important: jq security update | |||
| CVE-2026-44232 | high | — | 8.0 | 25d ago | dssrf: every IPv6 category bypasses is_url_safe | |||
| CVE-2026-44184 | high | 8.0 | 8.0 | 25d ago | Cleanuparr is a tool for automating the cleanup of unwanted or blocked files in Sonarr, Radarr, and supported download clients like qBittorrent. Prior to 2.9.10, Cleanuparr's global CORS policy refl… | |||
| CVE-2026-40368 | high | 8.0 | 8.0 | 25d ago | Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. | |||
| CVE-2026-34332 | high | 8.0 | 8.0 | 25d ago | Use after free in Windows Kernel-Mode Drivers allows an authorized attacker to execute code over a network. | |||
| CVE-2026-4154 | high | — | 8.0 | 26d ago | Important: gimp security update | |||
| CVE-2026-4151 | high | — | 8.0 | 26d ago | Important: gimp security update | |||
| CVE-2026-4153 | high | — | 8.0 | 26d ago | Important: gimp security update | |||
| CVE-2026-4150 | high | — | 8.0 | 26d ago | Important: gimp security update | |||
| CVE-2026-4152 | high | — | 8.0 | 26d ago | Important: gimp security update | |||
| CVE-2026-43897 | high | — | 8.0 | 26d ago | link-preview-js vulnerable to IPv6 and internal loopback attacks | |||
| CVE-2026-44657 | high | — | 8.0 | 26d ago | Mantis Bug Tracker (MantisBT) is an open source issue tracker. Prior to 2.28.2, using show_inline=1 parameter and a valid file_show_inline_token CSRF token on file_download.php, an attacker can execu… | |||
| CVE-2026-44655 | high | — | 8.0 | 26d ago | Mantis Bug Tracker (MantisBT) is an open source issue tracker. From 1.3.0 to 2.28.1, unescaped Project Name allows an attacker that can set it (which typically requires manager or administrator acces… | |||
| CVE-2026-42071 | high | — | 8.0 | 26d ago | Mantis Bug Tracker (MantisBT) is an open source issue tracker. From 2.23.0 to 2.28.1, a missing authorization check in MantisBT's file visibility function allows any authenticated user (REPORTER+) to… | |||
| CVE-2026-40607 | high | — | 8.0 | 26d ago | MantisBT is Vulnerable to Stored XSS in Saved-Filter Owner Column | |||
| CVE-2026-40597 | high | — | 8.0 | 26d ago | MantisBT has a Content Security Policy bypass via attachments | |||
| CVE-2026-40596 | high | — | 8.0 | 26d ago | MantisBT is Vulnerable to XSS leading to account takeover via updating a user's font family preference | |||
| CVE-2026-34463 | high | — | 8.0 | 26d ago | MantisBT is Vulnerable to Stored HTML Injection/XSS in Clone Issue Form | |||
| CVE-2026-42856 | high | — | 8.0 | 26d ago | Network-AI missing authentication on MCP HTTP endpoint, which allows unauthenticated privileged tool calls | |||
| CVE-2026-41431 | high | 8.0 | 8.0 | 26d ago | Zen is a firefox-based browser. Prior to 1.19.9b, Zen Browser ships a Mozilla Application Resource (MAR) updater (org.mozilla.updater) that has had all MAR signature verification stripped from the Fi… | |||
| CVE-2026-4802 | high | 8.0 | 8.0 | 26d ago | A flaw was found in Cockpit. This vulnerability allows a remote attacker to achieve arbitrary command execution on the host by exploiting unsanitized user-controlled parameters within crafted links i… | |||
| CVE-2026-44499 | high | — | 8.0 | 29d ago | Zebra has Permanent Block Discovery Halt via Gossip Queue Saturation and Syncer Poisoning | |||
| CVE-2026-42274 | high | — | 8.0 | 1mo ago | Heimdall has an authorization bypass via path normalization mismatch | |||
| CVE-2026-42273 | high | — | 8.0 | 1mo ago | Heimdall: Case-sensitive host matching may lead to policy bypass | |||
| CVE-2026-42272 | high | — | 8.0 | 1mo ago | Heimdall: Case-sensitive handling of URL-encoded slashes may lead to inconsistent path interpretation | |||
| CVE-2026-44349 | high | — | 8.0 | 1mo ago | Daptin fuzzy search injects unvalidated column name into raw SQL | |||
| CVE-2026-41675 | high | — | 8.0 | 1mo ago | xmldom has XML node injection through unvalidated processing instruction serialization | |||
| CVE-2026-41674 | high | — | 8.0 | 1mo ago | xmldom has XML injection through unvalidated DocumentType serialization | |||
| CVE-2026-41673 | high | — | 8.0 | 1mo ago | xmldom: Uncontrolled recursion in XML serialization leads to DoS | |||
| CVE-2026-41672 | high | — | 8.0 | 1mo ago | xmldom has XML node injection through unvalidated comment serialization | |||
| CVE-2026-44503 | high | — | 8.0 | 1mo ago | Kiota abstractions RedirectHandler leaks Cookie/Proxy-Authorization headers on cross-host redirect | |||
| CVE-2026-33636 | high | — | 8.0 | 1mo ago | Important: thunderbird security update | |||
| CVE-2026-46689 | high | — | 8.0 | 1mo ago | scim_proton and kanidm_proto have an authenticated process abort via SCIM filter stack exhaustion | |||
| CVE-2026-0897 | high | — | 8.0 | 1mo ago | Allocation of Resources Without Limits or Throttling in the HDF5 weight loading component in Google Keras 3.0.0 through 3.13.0 on all platforms allows a remote attacker to cause a Denial of Service (… | |||
| CVE-2026-42845 | high | — | 8.0 | 1mo ago | Grav Form Plugin has an Anonymous Page Content Overwrite via Form File Upload filename Override | |||
| CVE-2026-44307 | high | — | 8.0 | 1mo ago | Mako vulnerable to path traversal via backslash URI on Windows in TemplateLookup | |||
| CVE-2026-42548 | high | — | 8.0 | 1mo ago | Flight has reflected XSS through an unvalidated JSONP callback in Flight::jsonp() | |||
| CVE-2026-40171 | high | — | 8.0 | 1mo ago | In Jupyter Notebook versions 7.0.0 through 7.5.5, JupyterLab versions 4.5.6 and earlier, and the corresponding @jupyter-notebook/help-extension and @jupyterlab/help-extension packages before 7.5.6 an… | |||
| CVE-2026-33079 | high | — | 8.0 | 1mo ago | Mistune has a ReDoS in LINK_TITLE_RE that allows denial of service via crafted Markdown input | |||
| CVE-2026-44012 | high | — | 8.0 | 1mo ago | Craft CMS's Missing Volume Permission Check in AssetsController::actionShowInFolder Allows Information Disclosure | |||
| CVE-2026-44011 | high | — | 8.0 | 1mo ago | Craft CMS has Potential Authenticated Remote Code Execution via Malicious Attached Behavior | |||
| CVE-2026-44010 | high | — | 8.0 | 1mo ago | Craft CMS's Missing Authorization in GraphQL Address Resolver Allows Cross-Scope PII Disclosure | |||
| CVE-2026-43885 | high | — | 8.0 | 1mo ago | AVideo Vulnerable to Exposure of Sensitive Information to an Unauthorized Actor and Missing Authorization | |||
| CVE-2026-6970 | high | — | 8.0 | 1mo ago | authd: Primary group ID is incorrectly set to value of UID | |||
| CVE-2026-32689 | high | — | 8.0 | 1mo ago | Phoenix: Long-poll NDJSON body splitting causes large memory allocation |