CVEs from 2026
Total: 14,776
- critical: 1,334
- high: 5,000
- medium: 4,821
- low: 502
% Critical: 9.0%
% with KEV: 0.4%
% with exploit: 0.7%
Top products
- chrome 723
- firepower_threat_defense_software 310
- gcp 299
- firepower_threat_defense 298
- openclaw 172
- commerce 104
- netweaver_application_server_abap 102
- commerce_b2b 89
| CVE | Severity | CVSS | Risk | Published | Description | Flags | OS | Vendor |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-47760 | high | 8.7 | 8.7 | 9d ago | TinyMCE Cross-Site Scripting (XSS) vulnerability using sanitization bypass through nested SVGs | |||
| CVE-2026-42197 | high | 8.7 | 8.7 | 10d ago | RELATE is a web-based courseware package. Versions prior to commit 555f0efb1c5bd7531c07cd73724d7e566a81f620 have a stored cross-site scripting vulnerability that allows any enrolled student to execut… | |||
| CVE-2026-44669 | high | 8.7 | 8.7 | 11d ago | FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to 1.8.3, Faction is vulnerable to stored cross-site scripting (XSS) via attachment filenames in assessment file preview f… | |||
| CVE-2026-44667 | high | 8.7 | 8.7 | 11d ago | FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to 1.8.3, Faction is vulnerable to stored cross-site scripting (XSS) via attachment filenames in remediation verification … | |||
| CVE-2026-44729 | high | 8.7 | 8.7 | 11d ago | Twenty is an open source CRM. In 1.18.0 and earlier, the file serving endpoints in Twenty CRM at /files/* and /file/:fileFolder/:id serve uploaded files using fileStream.pipe(res) without setting any… | |||
| CVE-2026-28445 | high | 8.7 | 8.7 | 15d ago | Typebot has Stored XSS via Rating Block Custom Icon that Bypasses isUnsafe Sandbox in Builder Preview | |||
| CVE-2026-40165 | high | 8.7 | 8.7 | 17d ago | authentik is an open-source identity provider. Versions 2025.12.4 and prior, and versions 2026.2.0-rc1 through 2026.2.2 were vulnerable to Authentication Bypass through SAML NameID XML Comment Inject… | |||
| CVE-2026-34241 | high | 8.7 | 8.7 | 18d ago | CtrlPanel is open-source billing software for hosting providers. Versions 1.1.1 and prior contain a Stored Cross-Site Scripting (XSS) vulnerability in the ticket reply notification system. Unsanitize… | |||
| CVE-2026-27173 | high | 8.7 | 8.7 | 18d ago | Apache Airflow CNCF Kubernetes provider: JWT Token Exposure in KubernetesExecutor Command-Line Arguments | |||
| CVE-2026-6346 | high | 8.7 | 8.7 | 19d ago | Mattermost doesn't sanitize sensitive configuration fields before including them in support packet generation | |||
| CVE-2026-45315 | high | 8.7 | 8.7 | 22d ago | Open WebUI has stored XSS via attacker-controlled file extension in /api/v1/audio/transcriptions | |||
| CVE-2026-44549 | high | 8.7 | 8.7 | 22d ago | Open WebUI has stored XSS in Excel file preview | |||
| CVE-2026-41147 | high | 8.7 | 8.7 | 22d ago | NukeViet CMS: Stored Cross-Site Scripting (XSS) via insufficient server-side input sanitization in Request class | |||
| CVE-2026-45348 | high | 8.7 | 8.7 | 23d ago | pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the packages.js template at src/pyload/webui/app/themes/modern/templates/js/packages.js:172 interpolates … | |||
| CVE-2026-33583 | high | 8.7 | 8.7 | 24d ago | Exposure of the QKEY (used as input into the ‘OTA-Quantum’ device registration process) and internal system keys via an unauthenticated and unencrypted HTTP GET method in the Arqit Symmetric Key Ag… | |||
| CVE-2026-44295 | high | 8.7 | 8.7 | 24d ago | protobuf.js: Code injection in pbjs static output from crafted schema names | |||
| CVE-2026-42930 | high | 8.7 | 8.7 | 24d ago | When running in Appliance mode, an authenticated attacker assigned the 'Administrator' role may be able to bypass Appliance mode restrictions on a BIG-IP system. Note: Software versions which have … | |||
| CVE-2026-42924 | high | 8.7 | 8.7 | 24d ago | An authenticated attacker with the Resource Administrator or Administrator role can create SNMP configuration objects through iControl SOAP resulting in privilege escalation. Note: Software versions… | |||
| CVE-2026-42406 | high | 8.7 | 8.7 | 24d ago | A vulnerability exists in BIG-IP and BIG-IQ systems where a highly privileged, authenticated attacker with at least the Certificate Manager role can modify configuration objects that allow running ar… | |||
| CVE-2026-41953 | high | 8.7 | 8.7 | 24d ago | A vulnerability exists in BIG-IP systems where a highly privileged, authenticated attacker with at least the Resource Administrator role can modify configuration objects resulting in privilege escala… | |||
| CVE-2026-40698 | high | 8.7 | 8.7 | 24d ago | A vulnerability exists in BIG-IP and BIG-IQ systems where a highly privileged, authenticated attacker with at least the Resource Administrator role can create SNMP configuration objects through iCont… | |||
| CVE-2026-40631 | high | 8.7 | 8.7 | 24d ago | An authenticated attacker with the Resource Administrator or Administrator role can modify configuration objects through iControl SOAP resulting in privilege escalation. Note: Software versions whic… | |||
| CVE-2026-40061 | high | 8.7 | 8.7 | 24d ago | When BIG-IP DNS is provisioned, a vulnerability exists in an undisclosed iControl REST and BIG-IP TMOS Shell (tmsh) command that may allow an authenticated attacker with the Resource Administrator or… | |||
| CVE-2026-34176 | high | 8.7 | 8.7 | 24d ago | When running in Appliance mode, an authenticated remote command injection vulnerability exists in an undisclosed iControl REST endpoint. A successful exploit can allow the attacker to cross a securit… | |||
| CVE-2026-32673 | high | 8.7 | 8.7 | 24d ago | A vulnerability exists in BIG-IP scripted monitors that may allow an authenticated attacker with the Resource Administrator or Administrator role to execute arbitrary system commands with higher priv… | |||
| CVE-2026-32643 | high | 8.7 | 8.7 | 24d ago | A vulnerability exists in BIG-IP and BIG-IQ systems where a highly privileged, authenticated attacker with at least the Certificate Manager role can modify configuration objects that allow running ar… | |||
| CVE-2026-34686 | high | 8.7 | 8.7 | 25d ago | Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-pr… | |||
| CVE-2026-34653 | high | 8.7 | 8.7 | 25d ago | Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') … | |||
| CVE-2026-45392 | high | 8.7 | 8.7 | 26d ago | DOM-based cross-site scripting (XSS) in Cribl Stream before 4.17.1 allows a remote attacker to execute arbitrary JavaScript in the browser of an authenticated user who is tricked into visiting a craf… | |||
| CVE-2026-43912 | high | 8.7 | 8.7 | 26d ago | Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.5, Vaultwarden does not enforce that a groups_users.users_organizations_uuid entry belongs to the same organization as grou… | |||
| CVE-2026-43888 | high | 8.7 | 8.7 | 26d ago | Outline is a service that allows for collaborative documentation. Prior to 1.7.0, ZipHelper.extract computes the extraction path for each entry by passing a full filesystem path through trimFileAndEx… | |||
| CVE-2026-44543 | high | 8.7 | 8.7 | 26d ago | Local Path Provisioner provides a way for the Kubernetes users to utilize the local storage in each node. Prior to 0.0.36, a malicious user with permission to edit the local-path-config ConfigMap in … | |||
| CVE-2026-44552 | high | 8.7 | 8.7 | 29d ago | Open WebUI: Redis Cache Keys tool_servers and terminal_servers Missing Instance Prefix Enable Cross-Instance Cache Poisoning | |||
| CVE-2026-41524 | high | 8.7 | 8.7 | 29d ago | Brave CMS is an open-source CMS. Prior to commit 6c56603, page and article body content entered through the CKEditor rich-text editor is stored verbatim in the database and subsequently rendered with… | |||
| CVE-2026-42275 | high | 8.7 | 8.7 | 29d ago | zrok: WebDAV drive backend follows symlinks outside DriveRoot, enabling host filesystem read/write | |||
| CVE-2026-6973 | high | 7.2 | 8.7 | 1mo ago | Ivanti Endpoint Manager Mobile (EPMM) contains an improper input validation vulnerability that allows a remotely authenticated user with administrative access to achieve remote code execution. | |||
| CVE-2026-41505 | high | 8.7 | 8.7 | 1mo ago | RELATE is a web-based courseware package. Prior to commit 2f68e16, RELATE is vulnerable to predictable token generation in auth.py's make_sign_in_key() function and exam.py's gen_ticket_code() functi… | |||
| CVE-2026-36355 | high | 7.7 | 8.7 | 1mo ago | The rtl8192cd Wi-Fi kernel driver in the Realtek rtl819x Jungle SDK (all known versions through v3.4.14B) does not perform any access control checks on the write_mem (ioctl 0x89F5) and read_mem (ioct… | |||
| CVE-2026-35228 | high | 8.7 | 8.7 | 1mo ago | Vulnerability in the Oracle MCP Server Helper Tool product of Oracle Open Source Projects (component: helper tool). The supported versions that are affected are 1.0.1-1.0.156. Easily exploitable vulner… | |||
| CVE-2026-33317 | high | 8.7 | 8.7 | 1mo ago | OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology. In versions 3.13.0 through 4.10.0, mi… | |||
| CVE-2026-35569 | high | 8.7 | 8.7 | 2mo ago | Stored XSS in SEO Fields Leads to Authenticated API Data Exposure in ApostropheCMS | |||
| CVE-2026-27928 | high | 8.7 | 8.7 | 2mo ago | Improper input validation in Windows Hello allows an unauthorized attacker to bypass a security feature over a network. | |||
| CVE-2026-30587 | high | 8.7 | 8.7 | 2mo ago | Seafile Server has multiple stored XSS vulnerabilities | |||
| CVE-2026-11158 | high | 8.6 | 8.6 | 2d ago | This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. | |||
| CVE-2026-49202 | high | 8.6 | 8.6 | 2d ago | Internal multimedia session archives are accessible without authentication, exacerbated by loose Cross-Origin Resource Sharing (CORS) rules that allow cross-site theft. | |||
| CVE-2026-46273 | high | 8.6 | 8.6 | 3d ago | In the Linux kernel, the following vulnerability has been resolved: ibmveth: Disable GSO for packets with small MSS Some physical adapters on Power systems do not support segmentation offload when … | |||
| CVE-2026-20230 | high | 8.6 | 8.6 | 3d ago | A vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an unauthenticated, remote attack… | |||
| CVE-2026-37232 | high | 8.6 | 8.6 | 5d ago | An issue was discovered in OpenAirInterface5G 2.4.0 (nr-softmodem) in the E2SM-KPM RAN Function's PRB utilization metric calculation. The functions fill_RRU_PrbTotDl() and fill_RRU_PrbTotUl() in open… | |||
| CVE-2026-49127 | high | 8.6 | 8.6 | 9d ago | Music Player Daemon (MPD) before version 0.24.11 contains a stack buffer overflow vulnerability in the pcm_unpack_24be function in src/pcm/Pack.cxx that allows unauthenticated attackers to corrupt st… | |||
| CVE-2026-44466 | high | 8.6 | 8.6 | 9d ago | Zed is a code editor. Prior to 0.229.0, Zed's terminal tool permission system can be bypassed via bash arithmetic expansion $((...)), allowing execution of arbitrary commands nested inside an allowli… | |||
| CVE-2026-44465 | high | 8.6 | 8.6 | 9d ago | Zed is a code editor. Prior to 0.227.1, Zed IDE executes arbitrary commands when opening a folder with a malicious .git/config file that abuses the core.fsmonitor Git configuration option. This allow… | |||
| CVE-2026-44461 | high | 8.6 | 8.6 | 9d ago | Zed is a code editor. Prior to 0.227.1, Zed builds SSH/WSL remote commands as a shell command string that starts with exec env ..., but environment variable keys are inserted without shell quoting or… | |||
| CVE-2026-7862 | high | 8.6 | 8.6 | 9d ago | The Eupago Gateway For Woocommerce WordPress plugin before 4.7.2 does not properly restrict access to its refund request handler, allowing unauthenticated attackers to initiate refunds against any Wo… | |||
| CVE-2026-42737 | high | 8.6 | 8.6 | 10d ago | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in e4jvikwp VikBooking Hotel Booking Engine & PMS vikbooking allows Path Traversal. This issue affects VikB… | |||
| CVE-2026-8958 | high | 8.6 | 8.6 | 11d ago | Important: thunderbird security update | |||
| CVE-2026-45298 | high | 8.6 | 8.6 | 11d ago | Dozzle is a realtime log viewer for docker containers. Prior to 10.5.2, in a default dozzle deploy (the documented quickstart, no DOZZLE_AUTH_PROVIDER set), POST /api/notifications/test-webhook is re… | |||
| CVE-2026-44680 | high | 7.6 | 8.6 | 11d ago | MikroORM has SQL injection via runtime-controlled identifiers and JSON-path keys | |||
| CVE-2026-5843 | high | 8.6 | 8.6 | 15d ago | The MLX inference backend in Docker Model Runner on macOS uses the MLX-LM library, which unconditionally imports and executes arbitrary Python files from model directories via the model_file configur… | |||
| CVE-2026-5817 | high | 8.6 | 8.6 | 15d ago | The vllm-metal inference backend in Docker Model Runner on macOS unconditionally sets trust_remote_code=True when loading model tokenizers, and runs without sandboxing. This causes transformers.AutoT… | |||
| CVE-2026-42000 | high | 8.6 | 8.6 | 16d ago | Insufficient Validation of Names During AXFR | |||
| CVE-2026-39310 | high | 8.6 | 8.6 | 17d ago | Trilium Notes is a cross-platform, hierarchical note taking application focused on building large personal knowledge bases. In versions 0.102.1 and prior, the Clipper API in Trilium Desktop (v0.101.3… | |||
| CVE-2026-47358 | high | 8.6 | 8.6 | 18d ago | Terrascan v1.18.3 and prior are vulnerable to Server-Side Request Forgery (SSRF) via external URL resolution in uploaded IaC templates when running in server mode. When Terrascan parses uploaded ARM … | |||
| CVE-2026-47357 | high | 8.6 | 8.6 | 18d ago | Terrascan v1.18.3 and prior are vulnerable to Server-Side Request Forgery (SSRF) via the remote_url parameter in the remote directory scan endpoint (POST /v1/{iac}/{iacVersion}/{cloud}/remote/dir/sca… | |||
| CVE-2026-47356 | high | 8.6 | 8.6 | 18d ago | Terrascan v1.18.3 and prior are vulnerable to Server-Side Request Forgery (SSRF) via the webhook_url parameter in the file scan endpoint (POST /v1/{iac}/{iacVersion}/{cloud}/local/file/scan) when run… | |||
| CVE-2026-6379 | high | 8.6 | 8.6 | 19d ago | The WP Photo Album Plus WordPress plugin before 9.1.11.001 does not properly sanitize and escape a parameter before using it in a SQL query, allowing unauthenticated users to perform SQL injection at… | |||
| CVE-2026-2652 | high | 8.6 | 8.6 | 22d ago | MLflow: unauthenticated access to certain FastAPI routes | |||
| CVE-2026-20224 | high | 8.6 | 8.6 | 23d ago | A vulnerability in the web UI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an unauthenticated, remote attacker to read arbitrary files that are stored in an affected system.… | |||
| CVE-2026-42595 | high | 8.6 | 8.6 | 23d ago | Gotenberg: Server-Side Request Forgery via Chromium URL Endpoint with Redirect-Based Deny-List Bypass | |||
| CVE-2026-42281 | high | 8.6 | 8.6 | 23d ago | MagicMirror vulnerable to unauthenticated SSRF via /cors endpoint | |||
| CVE-2026-29205 | high | 8.6 | 8.6 | 24d ago | Incorrect privilege management and insufficient path filtering allow reading arbitrary files on the server via the cpdavd attachment download endpoints. | |||
| CVE-2026-44578 | high | 8.6 | 8.6 | 24d ago | Next.js vulnerable to server-side request forgery in applications using WebSocket upgrades | |||
| CVE-2026-44001 | high | 8.6 | 8.6 | 24d ago | vm2 has a Sandbox Escape via Promise Constructor Unhandled Rejection (Process Crash DoS) | |||
| CVE-2026-44697 | high | 8.6 | 8.6 | 25d ago | Klever-Go is the Go implementation of the Klever blockchain protocol. Prior to 1.7.17, a remote, unauthenticated denial-of-service vulnerability in Batch.Decompress (data/batch/batch.go) allows any p… | |||
| CVE-2026-33362 | high | 8.6 | 8.6 | 26d ago | In Meari IoT SDK builds embedded in CloudEdge 5.5.0 (build 220), Arenti 1.8.1 (build 220), and white-label Android apps <= 1.8.x (latest observed), multiple security-critical secrets are hardcoded an… | |||
| CVE-2026-41705 | high | 8.6 | 8.6 | 29d ago | Spring AI's MilvusVectorStore#doDelete(List) implementation is vulnerable to filter-expression injection via unsanitized document IDs | |||
| CVE-2026-42352 | high | 8.6 | 8.6 | 29d ago | pygeoapi 0.23.x: Unauthenticated SSRF via OGC API - Processes Subscriber | |||
| CVE-2026-29201 | high | 8.6 | 8.6 | 29d ago | Insufficient input validation of the feature file name in `feature::LOADFEATUREFILE` adminbin call can cause arbitrary file read when a relative file path is passed. | |||
| CVE-2026-41690 | high | 8.6 | 8.6 | 29d ago | i18next-http-middleware: Prototype pollution and path traversal via user-controlled language and namespace parameters | |||
| CVE-2026-41683 | high | 8.6 | 8.6 | 29d ago | i18next-http-middleware: HTTP response splitting and DoS via unsanitised Content-Language header | |||
| CVE-2026-44339 | high | 8.6 | 8.6 | 29d ago | PraisonAI has unsafe tool resolution in `ToolExecutionMixin.execute_tool`: undeclared `__main__` callables execute | |||
| CVE-2026-4935 | high | 8.6 | 8.6 | 29d ago | The OttoKit: All-in-One Automation Platform WordPress plugin before 1.1.23 does not properly sanitize user input before using it in a SQL statement, which could allow unauthenticated attackers to per… | |||
| CVE-2026-35435 | high | 8.6 | 8.6 | 1mo ago | Improper access control in Azure AI Foundry M365 published agents allows an unauthorized attacker to elevate privileges over a network. | |||
| CVE-2026-42047 | high | 8.6 | 8.6 | 1mo ago | Inngest TypeScript SDK exposes environment variables via serve() handler on unhandled HTTP methods | |||
| CVE-2026-44116 | high | 8.6 | 8.6 | 1mo ago | OpenClaw validates Zalo outbound photo URLs through the SSRF guard | |||
| CVE-2026-43139 | high | 8.6 | 8.6 | 1mo ago | In the Linux kernel, the following vulnerability has been resolved: xfrm6: fix uninitialized saddr in xfrm6_get_saddr() xfrm6_get_saddr() does not check the return value of ipv6_dev_get_saddr(). Wh… | |||
| CVE-2026-7412 | high | 8.6 | 8.6 | 1mo ago | Eclipse BaSyx Java Server SDK vulnerable to Server-Side Request Forgery | |||
| CVE-2026-43533 | high | 8.6 | 8.6 | 1mo ago | OpenClaw: QQBot media tags could read arbitrary local files through reply text | |||
| CVE-2026-42079 | high | 8.6 | 8.6 | 1mo ago | PPTAgent: Arbitrary Code Execution via Python eval() of LLM-Generated Code with Builtins in Scope | |||
| CVE-2026-42469 | high | 8.6 | 8.6 | 1mo ago | Buffer overflow vulnerability in Open Vehicle Monitoring System 3 (OVMS3) 3.3.005. In canformat_canswitch.cpp the parser does not properly validate a CANswitch DLC value, allowing remote attackers to… | |||
| CVE-2026-24222 | high | 8.6 | 8.6 | 1mo ago | NVIDIA NeMoClaw contains a vulnerability in the sandbox environment initialization component, where a remote attacker could cause improper access control by sending prompt-injected content that cause… | |||
| CVE-2026-40967 | high | 8.6 | 8.6 | 1mo ago | Spring AI has a VectorStore FilterExpression Converter injection | |||
| CVE-2026-31611 | high | 8.6 | 8.6 | 1mo ago | In the Linux kernel, the following vulnerability has been resolved: ksmbd: require 3 sub-authorities before reading sub_auth[2] parse_dacl() compares each ACE SID against sid_unix_NFS_mode and on m… | |||
| CVE-2026-5367 | high | 8.6 | 8.6 | 1mo ago | A flaw was found in OVN (Open Virtual Network). A remote attacker, by sending crafted DHCPv6 (Dynamic Host Configuration Protocol for IPv6) SOLICIT packets with an inflated Client ID length, could ca… | |||
| CVE-2026-26150 | high | 8.6 | 8.6 | 1mo ago | Server-side request forgery (SSRF) in Microsoft Purview allows an unauthorized attacker to elevate privileges over a network. | |||
| CVE-2026-33805 | high | 8.6 | 8.6 | 2mo ago | @fastify/reply-from v12.6.1 and earlier and @fastify/http-proxy v11.4.3 and earlier process the client's Connection header after the proxy has added its own headers via rewriteRequestHeaders. This al… | |||
| CVE-2026-4931 | high | 8.6 | 8.6 | 2mo ago | Smart contract Marginal v1 performs unsafe downcast, allowing attackers to settle a large debt position for a negligible asset cost. | |||
| CVE-2026-5577 | high | 8.6 | 8.6 | 2mo ago | A vulnerability has been found in Song-Li cross_browser up to ca690f0fe6954fd9bcda36d071b68ed8682a786a. This affects an unknown part of the file flask/uniquemachine_app.py of the component details En… | |||
| CVE-2026-23457 | high | 8.6 | 8.6 | 2mo ago | In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in sip_help_tcp() sip_help_tcp() parses the SIP Content-Length hea… | |||
| CVE-2026-32173 | high | 8.6 | 8.6 | 2mo ago | Improper authentication in Azure SRE Agent allows an unauthorized attacker to disclose information over a network. | |||
| CVE-2026-22742 | high | 8.6 | 8.6 | 2mo ago | Spring AI: Insufficient Validation causes SSRF when processing multimodal messages with user-supplied URLs |