CVEs from 2026
- Total: 14,787
- Critical: 1,335
- High: 5,005
- Medium: 4,828
- Low: 503
- % Critical: 9.0%
- % with KEV: 0.4%
- % with exploit: 0.7%
Top products
- chrome 723
- firepower_threat_defense_software 310
- gcp 299
- firepower_threat_defense 298
- openclaw 172
- commerce 104
- netweaver_application_server_abap 102
- commerce_b2b 89

| CVE | Severity | CVSS | Risk | Published | Description | Flags | OS | Vendor |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-21710 | high | — | 8.0 | 2mo ago | RHSA-2026:8339: nodejs:20 security update (Important) | |||
| CVE-2026-26996 | high | — | 8.0 | 2mo ago | RHSA-2026:8339: nodejs:20 security update (Important) | |||
| CVE-2026-2581 | high | — | 8.0 | 2mo ago | RHSA-2026:7670: nodejs:24 security update (Important) | |||
| CVE-2026-2229 | high | — | 8.0 | 2mo ago | RHSA-2026:7670: nodejs:24 security update (Important) | |||
| CVE-2026-1526 | high | — | 8.0 | 2mo ago | RHSA-2026:7670: nodejs:24 security update (Important) | |||
| CVE-2026-21716 | high | — | 8.0 | 2mo ago | RHSA-2026:7670: nodejs:24 security update (Important) | |||
| CVE-2026-1528 | high | — | 8.0 | 2mo ago | RHSA-2026:7670: nodejs:24 security update (Important) | |||
| CVE-2026-40070 | high | — | 8.0 | 2mo ago | bsv-sdk and bsv-wallet persist unverified certifier signatures in acquire_certificate (direct and issuance paths) | |||
| CVE-2026-30818 | high | 8.0 | 8.0 | 2mo ago | An OS command injection vulnerability in the dnsmasq module of TP-Link Archer AX53 v1.0 allows an authenticated adjacent attacker to execute arbitrary code when a specially crafted configuration file… | |||
| CVE-2026-30815 | high | 8.0 | 8.0 | 2mo ago | An OS command injection vulnerability in the OpenVPN module of TP-Link Archer AX53 v1.0 allows an authenticated adjacent attacker to execute system commands when a specially crafted configuration fil… | |||
| CVE-2026-30814 | high | 8.0 | 8.0 | 2mo ago | A stack-based buffer overflow in the tmpServer module of TP-Link Archer AX53 v1.0 allows an authenticated adjacent attacker to trigger a segmentation fault and potentially execute arbitrary code via … | |||
| CVE-2026-34588 | high | — | 8.0 | 2mo ago | Important: openexr security update | |||
| CVE-2026-35611 | high | — | 8.0 | 2mo ago | Addressable has a Regular Expression Denial of Service in Addressable templates | |||
| CVE-2026-27784 | high | — | 8.0 | 2mo ago | Important: nginx security update | |||
| CVE-2026-27654 | high | — | 8.0 | 2mo ago | Important: nginx security update | |||
| CVE-2026-27651 | high | — | 8.0 | 2mo ago | Important: nginx security update | |||
| CVE-2026-32647 | high | — | 8.0 | 2mo ago | Important: nginx security update | |||
| CVE-2026-5684 | high | 8.0 | 8.0 | 2mo ago | A vulnerability was determined in Tenda CX12L 16.03.53.12. Affected by this issue is the function fromwebExcptypemanFilter of the file /goform/webExcptypemanFilter. Executing a manipulation of the ar… | |||
| CVE-2026-5683 | high | 8.0 | 8.0 | 2mo ago | A vulnerability was found in Tenda CX12L 16.03.53.12. Affected by this vulnerability is the function fromP2pListFilter of the file /goform/P2pListFilter. Performing a manipulation of the argument pag… | |||
| CVE-2026-4177 | high | — | 8.0 | 2mo ago | RHSA-2026:6470: perl-YAML-Syck security update (Important) | |||
| CVE-2026-34230 | high | — | 8.0 | 2mo ago | Rack has quadratic complexity in Rack::Utils.select_best_encoding via wildcard Accept-Encoding header | |||
| CVE-2026-34829 | high | — | 8.0 | 2mo ago | Rack's multipart parsing without Content-Length header allows unbounded chunked file uploads | |||
| CVE-2026-34827 | high | — | 8.0 | 2mo ago | Rack's multipart header parsing allows Denial of Service via escape-heavy quoted parameters | |||
| CVE-2026-34785 | high | — | 8.0 | 2mo ago | Rack::Static prefix matching can expose unintended files under the static root | |||
| CVE-2026-34825 | high | — | 8.0 | 2mo ago | NocoBase Has SQL Injection via template variable substitution in workflow SQL node | |||
| CVE-2026-31806 | high | — | 8.0 | 2mo ago | RHSA-2026:6918: freerdp security update (Important) | |||
| CVE-2026-24676 | high | — | 8.0 | 2mo ago | RHSA-2026:6918: freerdp security update (Important) | |||
| CVE-2026-22856 | high | — | 8.0 | 2mo ago | RHSA-2026:6918: freerdp security update (Important) | |||
| CVE-2026-22854 | high | — | 8.0 | 2mo ago | RHSA-2026:6918: freerdp security update (Important) | |||
| CVE-2026-24684 | high | — | 8.0 | 2mo ago | RHSA-2026:6918: freerdp security update (Important) | |||
| CVE-2026-23948 | high | — | 8.0 | 2mo ago | RHSA-2026:6918: freerdp security update (Important) | |||
| CVE-2026-22852 | high | — | 8.0 | 2mo ago | RHSA-2026:6918: freerdp security update (Important) | |||
| CVE-2026-23732 | high | — | 8.0 | 2mo ago | RHSA-2026:6918: freerdp security update (Important) | |||
| CVE-2026-24679 | high | — | 8.0 | 2mo ago | RHSA-2026:6918: freerdp security update (Important) | |||
| CVE-2026-24675 | high | — | 8.0 | 2mo ago | RHSA-2026:6918: freerdp security update (Important) | |||
| CVE-2026-24491 | high | — | 8.0 | 2mo ago | RHSA-2026:6918: freerdp security update (Important) | |||
| CVE-2026-24683 | high | — | 8.0 | 2mo ago | RHSA-2026:6918: freerdp security update (Important) | |||
| CVE-2026-24681 | high | — | 8.0 | 2mo ago | RHSA-2026:6918: freerdp security update (Important) | |||
| CVE-2026-33526 | high | — | 8.0 | 2mo ago | RHSA-2026:8317: squid:4 security update (Important) | |||
| CVE-2026-32748 | high | — | 8.0 | 2mo ago | RHSA-2026:8317: squid:4 security update (Important) | |||
| CVE-2026-4371 | high | — | 8.0 | 2mo ago | RHSA-2026:6917: thunderbird security update (Important) | |||
| CVE-2026-26965 | high | — | 8.0 | 2mo ago | RHSA-2026:6005: freerdp security update (Important) | |||
| CVE-2026-3889 | high | — | 8.0 | 2mo ago | RHSA-2026:6917: thunderbird security update (Important) | |||
| CVE-2026-26955 | high | — | 8.0 | 2mo ago | RHSA-2026:6005: freerdp security update (Important) | |||
| CVE-2026-34040 | high | — | 8.0 | 2mo ago | Moby has AuthZ plugin bypass when provided oversized request bodies | |||
| CVE-2026-28377 | high | — | 8.0 | 2mo ago | Grafana Tempo has Inadequate Encryption Strength | |||
| CVE-2026-4717 | high | — | 8.0 | 2mo ago | Privilege escalation in the Netmonitor component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. | |||
| CVE-2026-4714 | high | — | 8.0 | 2mo ago | Incorrect boundary conditions in the Audio/Video component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. | |||
| CVE-2026-4713 | high | — | 8.0 | 2mo ago | Incorrect boundary conditions in the Graphics component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. | |||
| CVE-2026-4712 | high | — | 8.0 | 2mo ago | Information disclosure in the Widget: Cocoa component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. | |||
| CVE-2026-4710 | high | — | 8.0 | 2mo ago | Incorrect boundary conditions in the Audio/Video component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. | |||
| CVE-2026-4707 | high | — | 8.0 | 2mo ago | Incorrect boundary conditions in the Graphics: Canvas2D component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. | |||
| CVE-2026-4706 | high | — | 8.0 | 2mo ago | Incorrect boundary conditions in the Graphics: Canvas2D component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. | |||
| CVE-2026-4705 | high | — | 8.0 | 2mo ago | Undefined behavior in the WebRTC: Signaling component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. | |||
| CVE-2026-4704 | high | — | 8.0 | 2mo ago | Denial-of-service in the WebRTC: Signaling component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. | |||
| CVE-2026-4711 | high | — | 8.0 | 2mo ago | Use-after-free in the Widget: Cocoa component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. | |||
| CVE-2026-4701 | high | — | 8.0 | 2mo ago | Use-after-free in the JavaScript Engine component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. | |||
| CVE-2026-4699 | high | — | 8.0 | 2mo ago | Incorrect boundary conditions in the Layout: Text and Fonts component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. | |||
| CVE-2026-4694 | high | — | 8.0 | 2mo ago | Incorrect boundary conditions, integer overflow in the Graphics component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. | |||
| CVE-2026-4693 | high | — | 8.0 | 2mo ago | Incorrect boundary conditions in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. | |||
| CVE-2026-4692 | high | — | 8.0 | 2mo ago | Sandbox escape in the Responsive Design Mode component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. | |||
| CVE-2026-4691 | high | — | 8.0 | 2mo ago | Use-after-free in the CSS Parsing and Computation component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. | |||
| CVE-2026-4700 | high | — | 8.0 | 2mo ago | Mitigation bypass in the Networking: HTTP component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. | |||
| CVE-2026-4690 | high | — | 8.0 | 2mo ago | Sandbox escape due to incorrect boundary conditions, integer overflow in the XPCOM component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and … | |||
| CVE-2026-4689 | high | — | 8.0 | 2mo ago | Sandbox escape due to incorrect boundary conditions, integer overflow in the XPCOM component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and … | |||
| CVE-2026-4688 | high | — | 8.0 | 2mo ago | Sandbox escape due to use-after-free in the Disability Access APIs component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. | |||
| CVE-2026-4696 | high | — | 8.0 | 2mo ago | Use-after-free in the Layout: Text and Fonts component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. | |||
| CVE-2026-4687 | high | — | 8.0 | 2mo ago | Sandbox escape due to incorrect boundary conditions in the Telemetry component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 14… | |||
| CVE-2026-4686 | high | — | 8.0 | 2mo ago | Incorrect boundary conditions in the Graphics: Canvas2D component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. | |||
| CVE-2026-4685 | high | — | 8.0 | 2mo ago | Incorrect boundary conditions in the Graphics: Canvas2D component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. | |||
| CVE-2026-4721 | high | — | 8.0 | 2mo ago | Memory safety bugs present in Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148. Some of these bugs showed evidence of memory corruption and we presume tha… | |||
| CVE-2026-4702 | high | — | 8.0 | 2mo ago | JIT miscompilation in the JavaScript Engine component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. | |||
| CVE-2026-4709 | high | — | 8.0 | 2mo ago | Incorrect boundary conditions in the Audio/Video: GMP component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. | |||
| CVE-2026-4684 | high | — | 8.0 | 2mo ago | Race condition, use-after-free in the Graphics: WebRender component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. | |||
| CVE-2026-4718 | high | — | 8.0 | 2mo ago | Undefined behavior in the WebRTC: Signaling component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. | |||
| CVE-2026-4708 | high | — | 8.0 | 2mo ago | Incorrect boundary conditions in the Graphics component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. | |||
| CVE-2026-4720 | high | — | 8.0 | 2mo ago | Memory safety bugs present in Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148. Some of these bugs showed evidence of memory corruption and we presume that with enough effort… | |||
| CVE-2026-4719 | high | — | 8.0 | 2mo ago | Incorrect boundary conditions in the Graphics: Text component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. | |||
| CVE-2026-4716 | high | — | 8.0 | 2mo ago | Incorrect boundary conditions, uninitialized memory in the JavaScript Engine component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. | |||
| CVE-2026-4715 | high | — | 8.0 | 2mo ago | Uninitialized memory in the Graphics: Canvas2D component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. | |||
| CVE-2026-4697 | high | — | 8.0 | 2mo ago | Incorrect boundary conditions in the Audio/Video: Web Codecs component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. | |||
| CVE-2026-4695 | high | — | 8.0 | 2mo ago | Incorrect boundary conditions in the Audio/Video: Web Codecs component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. | |||
| CVE-2026-33195 | high | — | 8.0 | 3mo ago | Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Storage's `DiskService#path_for` does not validate that the … | |||
| CVE-2026-33492 | high | — | 8.0 | 3mo ago | AVideo has Session Fixation via GET PHPSESSID Parameter With Disabled Login Session Regeneration | |||
| CVE-2026-33485 | high | — | 8.0 | 3mo ago | AVideo has an Unauthenticated Blind SQL Injection in RTMP on_publish Callback via Stream Name Parameter | |||
| CVE-2026-4427 | high | — | 8.0 | 3mo ago | RHSA-2026:22714: osbuild-composer security update (Important) | |||
| CVE-2026-33210 | high | — | 8.0 | 3mo ago | Important: ruby:4.0 security update | |||
| CVE-2026-2603 | high | — | 8.0 | 3mo ago | Keycloak: Unauthorized authentication via disabled SAML Identity Provider | |||
| CVE-2026-32933 | high | — | 8.0 | 3mo ago | AutoMapper Vulnerable to Denial of Service (DoS) via Uncontrolled Recursion | |||
| CVE-2026-26130 | high | — | 8.0 | 3mo ago | RHSA-2026:4458: .NET 10.0 security update (Important) | |||
| CVE-2026-26127 | high | — | 8.0 | 3mo ago | RHSA-2026:4458: .NET 10.0 security update (Important) | |||
| CVE-2026-28229 | high | — | 8.0 | 3mo ago | Unauthorized access to Argo Workflows Template | |||
| CVE-2026-2045 | high | — | 8.0 | 3mo ago | RHSA-2026:5113: gimp:2.8 security update (Important) | |||
| CVE-2026-2047 | high | — | 8.0 | 3mo ago | Important: gimp security update | |||
| CVE-2026-0797 | high | — | 8.0 | 3mo ago | RHSA-2026:5113: gimp:2.8 security update (Important) | |||
| CVE-2026-2048 | high | — | 8.0 | 3mo ago | RHSA-2026:5113: gimp:2.8 security update (Important) | |||
| CVE-2026-2044 | high | — | 8.0 | 3mo ago | RHSA-2026:5113: gimp:2.8 security update (Important) | |||
| CVE-2026-2005 | high | — | 8.0 | 3mo ago | RHSA-2026:4064: postgresql:12 security update (Important) | |||
| CVE-2026-2006 | high | — | 8.0 | 3mo ago | RHSA-2026:4064: postgresql:12 security update (Important) | |||
| CVE-2026-2004 | high | — | 8.0 | 3mo ago | RHSA-2026:4064: postgresql:12 security update (Important) |