CVEs from 2026
Total: 14,770
- critical: 1,335
- high: 5,012
- medium: 4,834
- low: 504
% Critical: 9.0%
% with KEV: 0.4%
% with exploit: 0.7%
Top vendors
Top products
- chrome 723
- firepower_threat_defense_software 310
- gcp 299
- firepower_threat_defense 298
- openclaw 172
- commerce 104
- netweaver_application_server_abap 102
- commerce_b2b 89
Top packages
| CVE | Severity | CVSS | Risk | Published | Description |
|---|---|---|---|---|---|
| CVE-2026-0846 | unknown | — | — | 3mo ago | NLTK vulnerabilities |
| CVE-2026-24713 | unknown | — | — | 3mo ago | Apache IoTDB has an Improper Input Validation vulnerability |
| CVE-2026-24015 | unknown | — | — | 3mo ago | Apache IoTDB has an Insecure Default Configuration Vulnerability |
| CVE-2026-24308 | unknown | — | — | 3mo ago | Apache ZooKeeper has improper handling of configuration values |
| CVE-2026-24281 | unknown | — | — | 3mo ago | Apache ZooKeeper: Reverse-DNS fallback enables hostname verification bypass in ZooKeeper ZKTrustManager |
| CVE-2026-27142 | unknown | — | — | 3mo ago | Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG set… |
| CVE-2026-27139 | unknown | — | — | 3mo ago | On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impac… |
| CVE-2026-27138 | unknown | — | — | 3mo ago | Certificate verification can panic when a certificate in the chain has an empty DNS name and another certificate in the chain has excluded name constraints. This can crash programs that are either di… |
| CVE-2026-3047 | unknown | — | — | 3mo ago | Keycloak SAML Broker has Authentication Bypass by Primary Weakness |
| CVE-2026-3009 | unknown | — | — | 3mo ago | Keycloak allows authentication using an Identity Provider (IdP) even after it has been disabled by an administrator |
| CVE-2026-1605 | unknown | — | — | 3mo ago | The Eclipse Jetty Server Artifact has a Gzip request memory leak |
| CVE-2026-0848 | unknown | — | — | 3mo ago | NLTK vulnerabilities |
| CVE-2026-28277 | unknown | — | — | 3mo ago | LangGraph checkpoint loading has unsafe msgpack deserialization |
| CVE-2026-27982 | unknown | — | — | 3mo ago | django-allauth has an open redirect vulnerability |
| CVE-2026-29000 | unknown | — | — | 3mo ago | pac4j-jwt: JwtAuthenticator Authentication Bypass via JWE-Wrapped PlainJWT |
| CVE-2026-29062 | unknown | — | — | 3mo ago | jackson-core has Nesting Depth Constraint Bypass in `UTF8DataInputJsonParser` potentially allowing Resource Exhaustion |
| CVE-2026-28802 | unknown | — | — | 3mo ago | Authlib is a Python library which builds OAuth and OpenID Connect servers. From version 1.6.5 to before version 1.6.7, previous tests involving passing a malicious JWT containing alg: none and an emp… |
| CVE-2026-3351 | unknown | — | — | 3mo ago | Improper authorization in the API endpoint GET /1.0/certificates in Canonical LXD 6.6 on Linux allows an authenticated, restricted user to enumerate all certificate fingerprints trusted by the lxd se… |
| CVE-2026-0540 | unknown | — | — | 3mo ago | DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in commit 2726c74, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five … |
| CVE-2026-25674 | unknown | — | — | 3mo ago | An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. Race condition in file-system storage and file-based cache backends in Django allows an attacker to cause file s… |
| CVE-2026-25673 | unknown | — | — | 3mo ago | An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. `URLField.to_python()` in Django calls `urllib.parse.urlsplit()`, which performs NFKC normalization on Windows t… |
| CVE-2026-27932 | unknown | — | — | 3mo ago | joserfc is a Python library that provides an implementation of several JSON Object Signing and Encryption (JOSE) standards. In 1.6.2 and earlier, a resource exhaustion vulnerability in joserfc allows… |
| CVE-2026-28416 | unknown | — | — | 3mo ago | Gradio has SSRF via Malicious `proxy_url` Injection in `gr.load()` Config Processing |
| CVE-2026-28415 | unknown | — | — | 3mo ago | Gradio has an Open Redirect in its OAuth Flow |
| CVE-2026-28414 | unknown | — | — | 3mo ago | Gradio is Vulnerable to Absolute Path Traversal on Windows with Python 3.13+ |
| CVE-2026-27167 | unknown | — | — | 3mo ago | Gradio: Mocked OAuth Login Exposes Server Credentials and Uses Hardcoded Session Secret |
| CVE-2026-28338 | unknown | — | — | 3mo ago | PMD Designer has Stored XSS in VBHTMLRenderer and YAHTMLRenderer via unescaped violation messages |
| CVE-2026-28208 | unknown | — | — | 3mo ago | Junrar has an arbitrary file write due to backslash Path Traversal bypass in LocalFolderExtractor on Linux/Unix |
| CVE-2026-21619 | unknown | — | — | 3mo ago | Uncontrolled Resource Consumption, Deserialization of Untrusted Data vulnerability in hexpm hex_core (hex_api modules), hexpm hex (mix_hex_api modules), erlang rebar3 (r3_hex_api modules) allows Obje… |
| CVE-2026-0871 | unknown | — | — | 3mo ago | Keycloak Server Private SPI: Improper Access Control Allows Administrators to Bypass Attribute Visibility Restrictions and Modify Unmanaged User Profile Attributes |
| CVE-2026-27141 | unknown | — | — | 3mo ago | Due to missing nil check, sending 0x0a-0x0f HTTP/2 frames will cause a running server to panic |
| CVE-2026-27799 | unknown | — | — | 3mo ago | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a heap buffer over-read vulnerability exists in the DJVU image… |
| CVE-2026-27798 | unknown | — | — | 3mo ago | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a heap buffer over-read vulnerability occurs when processing a… |
| CVE-2026-27830 | unknown | — | — | 3mo ago | c3p0 vulnerable to Remote Code Execution via unsafe deserialization of userOverridesAsString property |
| CVE-2026-27727 | unknown | — | — | 3mo ago | mchange-commons-java: Remote Code Execution via JNDI Reference Resolution |
| CVE-2026-27571 | unknown | — | — | 3mo ago | NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. The WebSockets handling of NATS messages handles compressed messages via the WebSockets negotiated comp… |
| CVE-2026-26983 | unknown | — | — | 3mo ago | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, the MSL interpreter crashes when processing an invalid `<map>` … |
| CVE-2026-26283 | unknown | — | — | 3mo ago | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a `continue` statement in the JPEG extent binary search loop i… |
| CVE-2026-26066 | unknown | — | — | 3mo ago | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a crafted profile containing invalid IPTC data may cause an infin… |
| CVE-2026-25989 | unknown | — | — | 3mo ago | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a crafted SVG file can cause a denial of service. An off-by-on… |
| CVE-2026-25988 | unknown | — | — | 3mo ago | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, sometimes msl.c fails to update the stack index, so an image i… |
| CVE-2026-25987 | unknown | — | — | 3mo ago | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a heap buffer over-read vulnerability exists in the MAP image … |
| CVE-2026-25985 | unknown | — | — | 3mo ago | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a crafted SVG file containing a malicious element causes Imag… |
| CVE-2026-25983 | unknown | — | — | 3mo ago | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a crafted MSL script triggers a heap-use-after-free. The opera… |
| CVE-2026-25969 | unknown | — | — | 3mo ago | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.2-15, a memory leak exists in `coders/ashlar.c`. The `WriteASHLARImage` allocates a… |
| CVE-2026-25967 | unknown | — | — | 3mo ago | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.2-15, a stack-based buffer overflow exists in the ImageMagick FTXT image reader. A … |
| CVE-2026-25966 | unknown | — | — | 3mo ago | ImageMagick is free and open-source software used for editing and manipulating digital images. The shipped "secure" security policy includes a rule intended to prevent reading/writing from standard s… |
| CVE-2026-25965 | unknown | — | — | 3mo ago | ImageMagick vulnerabilities |
| CVE-2026-25898 | unknown | — | — | 3mo ago | ImageMagick vulnerabilities |
| CVE-2026-25897 | unknown | — | — | 3mo ago | ImageMagick vulnerabilities |
| CVE-2026-25799 | unknown | — | — | 3mo ago | ImageMagick vulnerabilities |
| CVE-2026-25798 | unknown | — | — | 3mo ago | ImageMagick vulnerabilities |
| CVE-2026-25797 | unknown | — | — | 3mo ago | ImageMagick vulnerabilities |
| CVE-2026-25796 | unknown | — | — | 3mo ago | ImageMagick vulnerabilities |
| CVE-2026-25795 | unknown | — | — | 3mo ago | ImageMagick vulnerabilities |
| CVE-2026-25794 | unknown | — | — | 3mo ago | ImageMagick vulnerabilities |
| CVE-2026-25638 | unknown | — | — | 3mo ago | ImageMagick vulnerabilities |
| CVE-2026-25637 | unknown | — | — | 3mo ago | ImageMagick vulnerabilities |
| CVE-2026-25576 | unknown | — | — | 3mo ago | ImageMagick vulnerabilities |
| CVE-2026-24485 | unknown | — | — | 3mo ago | ImageMagick vulnerabilities |
| CVE-2026-24484 | unknown | — | — | 3mo ago | ImageMagick vulnerabilities |
| CVE-2026-24481 | unknown | — | — | 3mo ago | ImageMagick vulnerabilities |
| CVE-2026-26198 | unknown | — | — | 3mo ago | Ormar is an async mini ORM for Python. In versions 0.9.9 through 0.22.0, when performing aggregate queries, Ormar ORM constructs SQL expressions by passing user-supplied column names directly into `sq… |
| CVE-2026-25747 | unknown | — | — | 4mo ago | Apache Camel Deserializes Untrusted Data in its LevelDB Component |
| CVE-2026-23552 | unknown | — | — | 4mo ago | Apache Camel: KeycloakSecurityPolicy does not validate issuer of JWT tokens against configured realm |
| CVE-2026-21620 | unknown | — | — | 4mo ago | Relative Path Traversal, Improper Isolation or Compartmentalization vulnerability in erlang otp erlang/otp (tftp_file modules), erlang otp inets (tftp_file modules), erlang otp tftp (tftp_file module… |
| CVE-2026-24122 | unknown | — | — | 4mo ago | Cosign provides code signing and transparency for containers and binaries. In versions 3.0.4 and below, an issuing certificate with a validity that expires before the leaf certificate will be conside… |
| CVE-2026-2733 | unknown | — | — | 4mo ago | Keycloak: Missing Check on Disabled Client for Docker Registry Protocol |
| CVE-2026-26318 | unknown | — | — | 4mo ago | systeminformation is a System and OS information library for node.js. Versions prior to 5.31.0 are vulnerable to command injection via unsanitized `locate` output in `versions()`. Version 5.31.0 fixe… |
| CVE-2026-26280 | unknown | — | — | 4mo ago | systeminformation is a System and OS information library for node.js. In versions prior to 5.30.8, a command injection vulnerability in the `wifiNetworks()` function allows an attacker to execute arb… |
| CVE-2026-24708 | unknown | — | — | 4mo ago | An issue was discovered in OpenStack Nova before 30.2.2, 31 before 31.2.1, and 32 before 32.1.1. By writing a malicious QCOW header to a root or ephemeral disk and then triggering a resize, a user ma… |
| CVE-2026-27099 | unknown | — | — | 4mo ago | Jenkins has a stored XSS vulnerability in node offline cause description |
| CVE-2026-27100 | unknown | — | — | 4mo ago | Jenkins has a build information disclosure vulnerability through Run Parameter |
| CVE-2026-24733 | unknown | — | — | 4mo ago | Improper Input Validation vulnerability in Apache Tomcat. Tomcat did not limit HTTP/0.9 requests to the GET method. If a security constraint was configured to allow HEAD requests to a URI but deny… |
| CVE-2026-24734 | unknown | — | — | 4mo ago | Improper Input Validation vulnerability in Apache Tomcat Native, Apache Tomcat. When using an OCSP responder, Tomcat Native (and Tomcat's FFM port of the Tomcat Native code) did not complete verific… |
| CVE-2026-25087 | unknown | — | — | 4mo ago | Use After Free vulnerability in Apache Arrow C++. This issue affects Apache Arrow C++ from 15.0.0 through 23.0.0. It can be triggered when reading an Arrow IPC file (but not an IPC stream) with pre-… |
| CVE-2026-25903 | unknown | — | — | 4mo ago | Apache NiFi: Missing Authorization of Restricted Permissions for Component Updates |
| CVE-2026-26000 | unknown | — | — | 4mo ago | XWiki vulnerable to click-jacking through CSS injection in comments |
| CVE-2026-26010 | unknown | — | — | 4mo ago | Leaky JWTs in OpenMetadata exposing highly-privileged bot users |
| CVE-2026-23906 | unknown | — | — | 4mo ago | Apache Druid Vulnerable to Authentication Bypass |
| CVE-2026-23901 | unknown | — | — | 4mo ago | Apache Shiro Affected by an Observable Timing Discrepancy Vulnerability |
| CVE-2026-25934 | unknown | — | — | 4mo ago | go-git is a highly extensible git implementation library written in pure Go. Prior to 5.16.5, a vulnerability was discovered in go-git whereby data integrity values for .pack and .idx files were not … |
| CVE-2026-1529 | unknown | — | — | 4mo ago | Keycloak affected by improper invitation token validation |
| CVE-2026-1486 | unknown | — | — | 4mo ago | Keycloak fails to verify if an Identity Provider (IdP) is enabled before issuing tokens |
| CVE-2026-23903 | unknown | — | — | 4mo ago | Apache Shiro has an Authentication Bypass |
| CVE-2026-22922 | unknown | — | — | 4mo ago | Apache Airflow Has an Authorization Bypass That Allows Unauthorized Task Log Access |
| CVE-2026-1337 | unknown | — | — | 4mo ago | Neo4j Enterprise and Community editions have insufficient escaping of unicode characters in query log |
| CVE-2026-1622 | unknown | — | — | 4mo ago | Neo4j Enterprise and Community vulnerable to a potential information disclosure |
| CVE-2026-1341 | unknown | — | — | 4mo ago | Avation Light Engine Pro exposes its configuration and control interface without any authentication or access control. |
| CVE-2026-23794 | unknown | — | — | 4mo ago | Apache Syncope: Reflected XSS on Enduser Login |
| CVE-2026-23795 | unknown | — | — | 4mo ago | Apache Syncope: Console XXE on Keymaster parameters |
| CVE-2026-25526 | unknown | — | — | 4mo ago | JinJava Bypass through ForTag leads to Arbitrary Java Execution |
| CVE-2026-1312 | unknown | — | — | 4mo ago | Django has an SQL Injection issue |
| CVE-2026-1287 | unknown | — | — | 4mo ago | Django has an SQL Injection issue |
| CVE-2026-1207 | unknown | — | — | 4mo ago | Django has an SQL Injection issue |
| CVE-2026-1285 | unknown | — | — | 4mo ago | Django has Inefficient Algorithmic Complexity |
| CVE-2026-24051 | unknown | — | — | 4mo ago | OpenTelemetry-Go is the Go implementation of OpenTelemetry. The OpenTelemetry Go SDK in version v1.20.0-1.39.0 is vulnerable to Path Hijacking (Untrusted Search Paths) on macOS/Darwin systems. The re… |
| CVE-2026-1770 | unknown | — | — | 4mo ago | Crafter CMS has Improper Control of Dynamically-Managed Code Resources |
| CVE-2026-1703 | unknown | — | — | 4mo ago | When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation dir… |
| CVE-2026-1518 | unknown | — | — | 4mo ago | Keycloak Server-Side Request Forgery (SSRF) vulnerability |