CVEs from 2026

- Total: 14,785
- Critical: 1,335
- High: 5,005
- Medium: 4,828
- Low: 503
- % Critical: 9.0%
- % with KEV: 0.4%
- % with exploit: 0.7%
Top vendors
Top products
- chrome 723
- firepower_threat_defense_software 310
- gcp 299
- firepower_threat_defense 298
- openclaw 172
- commerce 104
- netweaver_application_server_abap 102
- commerce_b2b 89
Top packages
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-1180 | unknown | — | — | | | | 5mo ago | Keycloak’s OpenID Connect Dynamic Client Registration feature affected by Server-Side Request Forgery (SSRF) |
| CVE-2026-26216 | unknown | — | — | | | | 5mo ago | Crawl4AI is Vulnerable to Remote Code Execution in Docker API via Hooks Parameter |
| CVE-2026-26217 | unknown | — | — | | | | 5mo ago | Crawl4AI Has Local File Inclusion in Docker API via file:// URLs |
| CVE-2026-23528 | unknown | — | — | | | | 5mo ago | Dask distributed is a distributed task scheduler for Dask. Prior to 2026.1.0, when Jupyter Lab, jupyter-server-proxy, and Dask distributed are all run together, it is possible to craft a URL which wi… |
| CVE-2026-1002 | unknown | — | — | | | | 5mo ago | Vert.x Web static handler component cache can be manipulated to deny the access to static files |
| CVE-2026-0976 | unknown | — | — | | | | 5mo ago | Keycloak has an improper input validation vulnerability |
| CVE-2026-22036 | unknown | — | — | | | | 5mo ago | Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert tho… |
| CVE-2026-22772 | unknown | — | — | | | | 5mo ago | Fulcio is a certificate authority for issuing code signing certificates for an OpenID Connect (OIDC) identity. Prior to 1.8.5, Fulcio's metaRegex() function uses unanchored regex, allowing attackers … |
| CVE-2026-22702 | unknown | — | — | | | | 5mo ago | virtualenv is a tool for creating isolated virtual python environments. Prior to version 20.36.1, TOCTOU (Time-of-Check-Time-of-Use) vulnerabilities in virtualenv allow local attackers to perform sym… |
| CVE-2026-22701 | unknown | — | — | | | | 5mo ago | filelock is a platform-independent file lock for Python. Prior to version 3.20.3, a TOCTOU race condition vulnerability exists in the SoftFileLock implementation of the filelock package. An attacker … |
| CVE-2026-22703 | unknown | — | — | | | | 5mo ago | Cosign provides code signing and transparency for containers and binaries. Prior to versions 2.6.2 and 3.0.4, Cosign bundle can be crafted to successfully verify an artifact even if the embedded Reko… |
| CVE-2026-0707 | unknown | — | — | | | | 5mo ago | Keycloak has Incorrect Behavior Order: Authorization Before Parsing and Canonicalization |
| CVE-2026-22187 | unknown | — | — | | | | 5mo ago | Bio-Formats performs unsafe Java deserialization of attacker-controlled memoization cache files (.bfmemo) during image processing |
| CVE-2026-22186 | unknown | — | — | | | | 5mo ago | Bio-Formats has an XML External Entity (XXE) vulnerability |
| CVE-2026-22244 | unknown | — | — | | | | 5mo ago | OpenMetadata's Server-Side Template Injection (SSTI) in FreeMarker email templates leads to RCE |
| CVE-2026-21885 | unknown | — | — | | | | 5mo ago | Miniflux 2 is an open source feed reader. Prior to version 2.2.16, Miniflux's media proxy endpoint (`GET /proxy/{encodedDigest}/{encodedURL}`) can be abused to perform Server-Side Request Forgery (SS… |
| CVE-2026-21892 | unknown | — | — | | | | 5mo ago | Parsl is a Python parallel scripting library. A SQL Injection vulnerability exists in the parsl-visualize component of versions prior to 2026.01.05. The application constructs SQL queries using unsaf… |
| CVE-2026-21452 | unknown | — | — | | | | 5mo ago | MessagePack for Java Vulnerable to Remote DoS via Malicious EXT Payload Allocation |
| CVE-2026-0810 | unknown | — | — | | | | 5mo ago | A flaw was found in gix-date. The `gix_date::parse::TimeBuf::as_str` function can generate strings containing invalid non-UTF8 characters. This issue violates the internal safety invariants of the `T… |