CVEs from 2026
Total
14,769
critical
critical 1,335
high
high 5,011
medium
medium 4,834
low
low 504
% Critical
9.0%
% with KEV
0.4%
% with exploit
0.7%
Top vendors
Top products
- chrome 723
- firepower_threat_defense_software 310
- gcp 299
- firepower_threat_defense 298
- openclaw 172
- commerce 104
- netweaver_application_server_abap 102
- commerce_b2b 89
Top packages
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-20695 | unknown | — | — | 3mo ago | macOS Sonoma 14.8.5 | |||
| CVE-2026-28834 | unknown | — | — | 3mo ago | macOS Sonoma 14.8.5 | |||
| CVE-2026-20607 | unknown | — | — | 3mo ago | macOS Sonoma 14.8.5 | |||
| CVE-2026-20694 | unknown | — | — | 3mo ago | macOS Sonoma 14.8.5 | |||
| CVE-2026-20701 | unknown | — | — | 3mo ago | macOS Sonoma 14.8.5 | |||
| CVE-2026-20697 | unknown | — | — | 3mo ago | macOS Sonoma 14.8.5 | |||
| CVE-2026-28862 | unknown | — | — | 3mo ago | macOS Sonoma 14.8.5 | |||
| CVE-2026-20698 | unknown | — | — | 3mo ago | visionOS 26.4 | |||
| CVE-2026-28890 | unknown | — | — | 3mo ago | Xcode 26.4 | |||
| CVE-2026-28889 | unknown | — | — | 3mo ago | Xcode 26.4 | |||
| CVE-2026-28818 | unknown | — | — | 3mo ago | macOS Sonoma 14.8.5 | |||
| CVE-2026-28821 | unknown | — | — | 3mo ago | macOS Sonoma 14.8.5 | |||
| CVE-2026-28825 | unknown | — | — | 3mo ago | macOS Sonoma 14.8.5 | |||
| CVE-2026-28828 | unknown | — | — | 3mo ago | macOS Sonoma 14.8.5 | |||
| CVE-2026-28832 | unknown | — | — | 3mo ago | macOS Sonoma 14.8.5 | |||
| CVE-2026-28837 | unknown | — | — | 3mo ago | macOS Tahoe 26.4 | |||
| CVE-2026-28839 | unknown | — | — | 3mo ago | macOS Sonoma 14.8.5 | |||
| CVE-2026-28841 | unknown | — | — | 3mo ago | macOS Tahoe 26.4 | |||
| CVE-2026-28858 | unknown | — | — | 3mo ago | iOS 26.4 and iPadOS 26.4 | |||
| CVE-2026-28875 | unknown | — | — | 3mo ago | iOS 26.4 and iPadOS 26.4 | |||
| CVE-2026-28888 | unknown | — | — | 3mo ago | macOS Sonoma 14.8.5 | |||
| CVE-2026-28891 | unknown | — | — | 3mo ago | macOS Sonoma 14.8.5 | |||
| CVE-2026-28892 | unknown | — | — | 3mo ago | macOS Sonoma 14.8.5 | |||
| CVE-2026-33430 | unknown | — | — | 3mo ago | Briefcase: Windows MSI Installer Privilege Escalation via Insecure Directory Permissions | |||
| CVE-2026-4633 | unknown | — | — | 3mo ago | Keycloak's identity-first login flow exposes user information | |||
| CVE-2026-4628 | unknown | — | — | 3mo ago | Keycloak has Improper Access Control that allows attackers with valid credentials to bypass the allowRemoteResourceManagement=false | |||
| CVE-2026-33497 | unknown | — | — | 3mo ago | langflow: /profile_pictures/{folder_name}/{file_name} endpoint file reading | |||
| CVE-2026-33413 | unknown | — | — | 3mo ago | etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.42, 3.5.28, and 3.6.9, unauthorized users may bypass authentication or authorization checks and call … | |||
| CVE-2026-33484 | unknown | — | — | 3mo ago | langflow has Unauthenticated IDOR on Image Downloads | |||
| CVE-2026-33343 | unknown | — | — | 3mo ago | etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.42, 3.5.28, and 3.6.9, an authenticated user with RBAC restricted permissions on key ranges can use n… | |||
| CVE-2026-22737 | unknown | — | — | 3mo ago | Spring Framework Improper Path Limitation with Script View Templates | |||
| CVE-2026-22735 | unknown | — | — | 3mo ago | Spring MVC and WebFlux has Server Sent Event stream corruption | |||
| CVE-2026-22731 | unknown | — | — | 3mo ago | Spring Boot has an Authentication Bypass under Actuator Health groups paths | |||
| CVE-2026-22732 | unknown | — | — | 3mo ago | Spring Security HTTP Headers Are not Written Under Some Conditions | |||
| CVE-2026-22733 | unknown | — | — | 3mo ago | Spring Boot has an Authentication Bypass under Actuator CloudFoundry endpoints | |||
| CVE-2026-33322 | unknown | — | — | 3mo ago | MinIO has JWT Algorithm Confusion in OIDC Authentication in github.com/minio/minio | |||
| CVE-2026-33309 | unknown | — | — | 3mo ago | Langflow has an Arbitrary File Write (RCE) via v2 API | |||
| CVE-2026-27953 | unknown | — | — | 3mo ago | ormar is a async mini ORM for Python. Versions 0.23.0 and below are vulnerable to Pydantic validation bypass through the model constructor, allowing any unauthenticated user to skip all field validat… | |||
| CVE-2026-33236 | unknown | — | — | 3mo ago | NLTK vulnerabilities | |||
| CVE-2026-33231 | unknown | — | — | 3mo ago | NLTK vulnerabilities | |||
| CVE-2026-33056 | unknown | — | — | 3mo ago | tar-rs is a tar archive reading/writing library for Rust. In versions 0.4.44 and below, when unpacking a tar archive, the tar crate's unpack_dir function uses fs::metadata() to check whether a path t… | |||
| CVE-2026-32735 | unknown | — | — | 3mo ago | openapi-to-java-records-mustache-templates allows users to generate Java Records from OpenAPI specifications. Starting in version 5.1.1 and prior to version 5.5.1, the parent POM file of this project… | |||
| CVE-2026-33230 | unknown | — | — | 3mo ago | NLTK vulnerabilities | |||
| CVE-2026-33154 | unknown | — | — | 3mo ago | Dynaconf vulnerability | |||
| CVE-2026-33166 | unknown | — | — | 3mo ago | Allure Report has an Arbitrary File Read via Path Traversal in Attachment Processing (Allure 1, Allure 2, and XCTest Readers) | |||
| CVE-2026-33001 | unknown | — | — | 3mo ago | Jenkins has a link following vulnerability allows arbitrary file creation | |||
| CVE-2026-33003 | unknown | — | — | 3mo ago | Jenkins LoadNinja Plugin stores LoadNinja API keys unencrypted in job config.xml files | |||
| CVE-2026-33002 | unknown | — | — | 3mo ago | Jenkins has a DNS rebinding vulnerability in WebSocket CLI origin validation | |||
| CVE-2026-33004 | unknown | — | — | 3mo ago | Jenkins LoadNinja Plugin does not mask LoadNinja API keys displayed on the job configuration form | |||
| CVE-2026-32875 | unknown | — | — | 3mo ago | UltraJSON vulnerabilities | |||
| CVE-2026-32874 | unknown | — | — | 3mo ago | UltraJSON vulnerabilities | |||
| CVE-2026-33053 | unknown | — | — | 3mo ago | Langflow is Missing Ownership Verification in API Key Deletion (IDOR) | |||
| CVE-2026-22730 | unknown | — | — | 3mo ago | SQL Injection in Spring AI MariaDBFilterExpressionConverter | |||
| CVE-2026-22729 | unknown | — | — | 3mo ago | JSONPath Injection in Spring AI Vector Stores FilterExpressionConverter | |||
| CVE-2026-2092 | unknown | — | — | 3mo ago | Keycloak: Unauthorized access via improper validation of encrypted SAML assertions | |||
| CVE-2026-33012 | unknown | — | — | 3mo ago | Micronaut Framework vulnerable to a Denial of Service in HTML error response caching | |||
| CVE-2026-32636 | unknown | — | — | 3mo ago | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to 7.1.2-17 and 6.9.13-42, the NewXMLTree method contains a bug that could result in a crash due t… | |||
| CVE-2026-33013 | unknown | — | — | 3mo ago | Micronaut vulnerable to DoS via crafted form-urlencoded body binding with descending array indices | |||
| CVE-2026-28563 | unknown | — | — | 3mo ago | Apache Airflow: DAG authorization bypass | |||
| CVE-2026-30911 | unknown | — | — | 3mo ago | Apache Airflow: Execution API HITL Endpoints Missing Per-Task Authorization | |||
| CVE-2026-28779 | unknown | — | — | 3mo ago | Apache Airflow: Path of session token in cookie does not consider base_url - session hijacking via co-hosted applications | |||
| CVE-2026-26929 | unknown | — | — | 3mo ago | Apache Airflow: Wildcard DagVersion Listing Bypasses Per‑DAG RBAC and Leaks Metadata | |||
| CVE-2026-30405 | unknown | — | — | 3mo ago | An issue in GoBGP gobgpd v.4.2.0 allows a remote attacker to cause a denial of service via the NEXT_HOP path attribute | |||
| CVE-2026-32722 | unknown | — | — | 3mo ago | Memray is a memory profiler for Python. Prior to Memray 1.19.2, Memray rendered the command line of the tracked process directly into generated HTML reports without escaping. Because there was no esc… | |||
| CVE-2026-27459 | unknown | — | — | 3mo ago | pyOpenSSL is a Python wrapper around the OpenSSL library. Starting in version 22.0.0 and prior to version 26.0.0, if a user provided callback to `set_cookie_generate_callback` returned a cookie value… | |||
| CVE-2026-28498 | unknown | — | — | 3mo ago | Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a library-level vulnerability was identified in the Authlib Python library concerning the validation… | |||
| CVE-2026-28490 | unknown | — | — | 3mo ago | Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a cryptographic padding oracle vulnerability was identified in the Authlib Python library concerning… | |||
| CVE-2026-27962 | unknown | — | — | 3mo ago | Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a JWK Header Injection vulnerability in authlib's JWS implementation allows an unauthenticated attac… | |||
| CVE-2026-27448 | unknown | — | — | 3mo ago | pyOpenSSL vulnerability | |||
| CVE-2026-25534 | unknown | — | — | 3mo ago | Spinnaker clouddriver and orca URL validation bypass via underscores in hostnames | |||
| CVE-2026-32640 | unknown | — | — | 3mo ago | SimpleEval vulnerability | |||
| CVE-2026-28356 | unknown | — | — | 3mo ago | multipart vulnerability | |||
| CVE-2026-32109 | unknown | — | — | 3mo ago | Copyparty has unexpected JavaScript execution via crafted URL to folder with `.prologue.html` | |||
| CVE-2026-32108 | unknown | — | — | 3mo ago | Copyparty ftp/sftp: Sharing a single file did not fully restrict source-folder access | |||
| CVE-2026-30937 | unknown | — | — | 3mo ago | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, a 32-bit unsigned integer overflow in the XWD (X Windows) enco… | |||
| CVE-2026-30936 | unknown | — | — | 3mo ago | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, a crafted image could cause an out of bounds heap write inside… | |||
| CVE-2026-30935 | unknown | — | — | 3mo ago | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16, BilateralBlurImage contains a heap buffer over-read caused by an incorrect c… | |||
| CVE-2026-30931 | unknown | — | — | 3mo ago | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16, a heap-based buffer overflow in the UHDR encoder can happen due to truncatio… | |||
| CVE-2026-30929 | unknown | — | — | 3mo ago | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, MagnifyImage uses a fixed-size stack buffer. When using a spec… | |||
| CVE-2026-28693 | unknown | — | — | 3mo ago | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, an integer overflow in DIB coder can result in out of bounds r… | |||
| CVE-2026-28691 | unknown | — | — | 3mo ago | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, an uninitialized pointer dereference vulnerability exists in t… | |||
| CVE-2026-28690 | unknown | — | — | 3mo ago | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, a stack buffer overflow vulnerability exists in the MNG encode… | |||
| CVE-2026-28688 | unknown | — | — | 3mo ago | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, a heap-use-after-free vulnerability exists in the MSL encoder,… | |||
| CVE-2026-28687 | unknown | — | — | 3mo ago | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, a heap use-after-free vulnerability in ImageMagick's MSL decod… | |||
| CVE-2026-28686 | unknown | — | — | 3mo ago | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, A heap-buffer-overflow vulnerability exists in the PCL encode … | |||
| CVE-2026-28494 | unknown | — | — | 3mo ago | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, a stack buffer overflow exists in ImageMagick's morphology ker… | |||
| CVE-2026-28493 | unknown | — | — | 3mo ago | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16, an integer overflow vulnerability exists in the SIXEL decoer. The vulnerabil… | |||
| CVE-2026-26284 | unknown | — | — | 3mo ago | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, ImageMagick lacks proper boundary checking when processing Huf… | |||
| CVE-2026-25986 | unknown | — | — | 3mo ago | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a heap buffer overflow write vulnerability exists in ReadYUVIm… | |||
| CVE-2026-25982 | unknown | — | — | 3mo ago | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a heap out-of-bounds read vulnerability exists in the `coders/… | |||
| CVE-2026-25971 | unknown | — | — | 3mo ago | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, Magick fails to check for circular references between two MSLs… | |||
| CVE-2026-25970 | unknown | — | — | 3mo ago | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a signed integer overflow vulnerability in ImageMagick's SIXEL… | |||
| CVE-2026-25968 | unknown | — | — | 3mo ago | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a stack buffer overflow occurs when processing the an attribut… | |||
| CVE-2026-2366 | unknown | — | — | 3mo ago | Keycloak vulnerable to authorization bypass via the Admin API | |||
| CVE-2026-3429 | unknown | — | — | 3mo ago | Keycloak: Improper Access Control Leading to MFA Deletion and Account Takeover in Keycloak Account REST API | |||
| CVE-2026-31853 | unknown | — | — | 3mo ago | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to 7.1.2-16 and 6.9.13-41, an overflow on 32-bit systems can cause a crash in the SFW decoder when… | |||
| CVE-2026-30883 | unknown | — | — | 3mo ago | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, an extremely large image profile could result in a heap overfl… | |||
| CVE-2026-28692 | unknown | — | — | 3mo ago | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, MAT decoder uses 32-bit arithmetic due to incorrect parenthesi… | |||
| CVE-2026-28689 | unknown | — | — | 3mo ago | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, domain="path" authorization is checked before final file open/… | |||
| CVE-2026-23907 | unknown | — | — | 3mo ago | Apache PDFBox has Path Traversal through PDComplexFileSpecification.getFilename() function |