CVEs from 2026
Total
14,792
critical
critical 1,335
high
high 5,008
medium
medium 4,832
low
low 503
% Critical
9.0%
% with KEV
0.4%
% with exploit
0.7%
Top vendors
Top products
- chrome 723
- firepower_threat_defense_software 310
- gcp 299
- firepower_threat_defense 298
- openclaw 172
- commerce 104
- netweaver_application_server_abap 102
- commerce_b2b 89
Top packages
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-38569 | medium | 5.4 | 5.4 | 27d ago | HireFlow v1.2 is vulnerable to Cross Site Scripting (XSS) in candidate_detail.html via the Resume or Feedback Comment fields via POST /candidates/add or POST /feedback/add. | |||
| CVE-2026-28819 | medium | 5.4 | 5.4 | 27d ago | An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5. An app may … | |||
| CVE-2026-44831 | medium | 5.4 | 5.4 | 29d ago | Snipe-IT has Stored XSS via Component Checkout Notes (v8.4.0) | |||
| CVE-2026-42192 | medium | 5.4 | 5.4 | 29d ago | Plunk is an open-source email platform built on top of AWS SES. Prior to version 0.9.0, a stored cross-site scripting (XSS) vulnerability exists in the campaign management feature, where the email bo… | |||
| CVE-2026-41487 | medium | 5.4 | 5.4 | 1mo ago | Langfuse is an open source large language model engineering platform. From version 3.68.0 to before version 3.167.0, there is a role-based-access control flaw in the LLM connection update flow. An a… | |||
| CVE-2026-42877 | medium | 5.4 | 5.4 | 1mo ago | FacturaScripts is an open source accounting and invoicing software. In 2025.92 and earlier, a stored Cross-Site Scripting (XSS) vulnerability exists in the product search modal of sales (Core/Lib/Aja… | |||
| CVE-2026-41903 | medium | 5.4 | 5.4 | 1mo ago | FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.217, a user holding the PERM_EDIT_USERS permission (intended for general user-profile editing) … | |||
| CVE-2026-36341 | medium | 5.4 | 5.4 | 1mo ago | Webkul Krayin CRM is Vulnerable to Cross-Site Scripting in the /admin/activities/create endpoint | |||
| CVE-2026-36388 | medium | 5.4 | 5.4 | 1mo ago | A Cross-Site Scripting (XSS) vulnerability was found in PHPGurukal Hospital Management System v4.0 in the /hospital/hms/edit-profile.php page. This flaw allows an authenticated attacker (patient) to … | |||
| CVE-2026-8080 | medium | 5.4 | 5.4 | 1mo ago | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in misp allows Stored XSS. This issue affects MISP before 2.5.37. A stored cross-si… | |||
| CVE-2026-8019 | medium | 5.4 | 5.4 | 1mo ago | Insufficient policy enforcement in WebApp in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) | |||
| CVE-2026-8015 | medium | 5.4 | 5.4 | 1mo ago | Inappropriate implementation in Media in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) | |||
| CVE-2026-8012 | medium | 5.4 | 5.4 | 1mo ago | Inappropriate implementation in MHTML in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to inject arbitrary scripts or HTML (UXSS) via a craft… | |||
| CVE-2026-8008 | medium | 5.4 | 5.4 | 1mo ago | Inappropriate implementation in DevTools in Google Chrome prior to 148.0.7778.96 allowed an attacker who convinced a user to install a malicious extension to perform UI spoofing via a crafted Chrome … | |||
| CVE-2026-8006 | medium | 5.4 | 5.4 | 1mo ago | Insufficient policy enforcement in DevTools in Google Chrome prior to 148.0.7778.96 allowed an attacker who convinced a user to install a malicious extension to perform UI spoofing via a crafted Chro… | |||
| CVE-2026-8003 | medium | 5.4 | 5.4 | 1mo ago | Insufficient validation of untrusted input in TabGroups in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to perform UI spoofing via malicious network traffic. (Chromium security seve… | |||
| CVE-2026-7998 | medium | 5.4 | 5.4 | 1mo ago | Insufficient validation of untrusted input in Dialog in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HT… | |||
| CVE-2026-7962 | medium | 5.4 | 5.4 | 1mo ago | Insufficient policy enforcement in DirectSockets in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to perform arbitrary read/write via a crafted Chrome Extension. (Chromium security s… | |||
| CVE-2026-7958 | medium | 5.4 | 5.4 | 1mo ago | Inappropriate implementation in ServiceWorker in Google Chrome prior to 148.0.7778.96 allowed an attacker who convinced a user to install a malicious extension to inject arbitrary scripts or HTML (UX… | |||
| CVE-2026-7950 | medium | 5.4 | 5.4 | 1mo ago | Out of bounds read and write in GFX in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to perform arbitrary read/write via malicious network traffic. (Chromium security severity: Mediu… | |||
| CVE-2026-7939 | medium | 5.4 | 5.4 | 1mo ago | Inappropriate implementation in SanitizerAPI in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security s… | |||
| CVE-2026-7935 | medium | 5.4 | 5.4 | 1mo ago | Inappropriate implementation in Speech in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium) | |||
| CVE-2026-7931 | medium | 5.4 | 5.4 | 1mo ago | Insufficient validation of untrusted input in iOS in Google Chrome on iOS prior to 148.0.7778.96 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity:… | |||
| CVE-2026-20219 | medium | 5.4 | 5.4 | 1mo ago | A vulnerability in the REST API of Cisco Slido could have allowed an authenticated, remote attacker to access the social profile data of other users or affect quiz and poll results. Cisco has address… | |||
| CVE-2026-36358 | medium | 5.4 | 5.4 | 1mo ago | Cross Site Scripting vulnerability in Juzaweb CMS v.5.0.0 allows a remote attacker via execute arbitrary code via a crafted script to the Add Banner Ads function | |||
| CVE-2026-43879 | medium | 5.4 | 5.4 | 1mo ago | AVideo has Blind SSRF in YPTWallet Donation Webhook via Missing isSSRFSafeURL() Check and CURLOPT_FOLLOWLOCATION Redirect Bypass | |||
| CVE-2026-42612 | medium | 5.4 | 5.4 | 1mo ago | Grav Vulnerable to Publisher-Level Stored XSS via Unquoted Event Attributes | |||
| CVE-2026-42842 | medium | 5.4 | 5.4 | 1mo ago | Grav Vulnerable to XSS via Taxonomy Field Values in Admin Panel | |||
| CVE-2026-31835 | medium | 5.4 | 5.4 | 1mo ago | Vaultwarden is a Bitwarden-compatible server written in Rust. In versions 1.35.4 and earlier, the WebAuthn authentication flow in `validate_webauthn_login()` updates persistent credential metadata (1… | |||
| CVE-2026-43877 | medium | 5.4 | 5.4 | 1mo ago | AVideo: CSRF in userSavePhoto.php Allows Cross-Origin Overwrite of Authenticated Users' Profile Photos with Arbitrary Content | |||
| CVE-2026-27694 | medium | 5.4 | 5.4 | 1mo ago | Traccar is an open source GPS tracking system. In org.traccar:traccar versions starting at 6.11.1 before 6.13.0, the email notification templates insert user-controlled device, geofence, and driver n… | |||
| CVE-2026-27693 | medium | 5.4 | 5.4 | 1mo ago | Traccar is an open source GPS tracking system. In org.traccar:traccar versions starting at 6.11.1 before 6.13.0, the KML and GPX export functionality writes device names to XML output without proper … | |||
| CVE-2026-7631 | medium | 5.4 | 5.4 | 1mo ago | A vulnerability was found in code-projects Online Hospital Management System 1.0. The impacted element is an unknown function of the component Registration Handler. The manipulation of the argument U… | |||
| CVE-2026-4790 | medium | 5.4 | 5.4 | 1mo ago | The Premium Addons for Elementor – Powerful Elementor Templates & Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'custom_svg' parameter in versions up to, and inclu… | |||
| CVE-2026-5077 | medium | 5.4 | 5.4 | 1mo ago | The Total theme for WordPress is vulnerable to Stored Cross-Site Scripting via post titles in versions up to, and including, 2.2.1 due to insufficient output escaping when rendering the_title() insid… | |||
| CVE-2026-6446 | medium | 5.4 | 5.4 | 1mo ago | The My Social Feeds – Social Feeds Embedder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to and including 1.0.4 via the 'ttp_get_accounts' AJAX action. This… | |||
| CVE-2026-40201 | medium | 5.4 | 5.4 | 1mo ago | @diplodoc/search-extension allows stored XSS via Markdown file title | |||
| CVE-2026-7502 | medium | 5.4 | 5.4 | 1mo ago | A security vulnerability has been detected in LinkStackOrg LinkStack up to 4.8.6. The affected element is the function saveLink of the file app/Http/Controllers/UserController.php of the component Ma… | |||
| CVE-2026-36766 | medium | 5.4 | 5.4 | 1mo ago | Shopizer is vulnerable to Cross-site Scripting | |||
| CVE-2026-41519 | medium | 5.4 | 5.4 | 1mo ago | Weblate Doesn't Invalidate API Token on Password Change | |||
| CVE-2026-36756 | medium | 5.4 | 5.4 | 1mo ago | A Server-Side Request Forgery (SSRF) in the /plugins/-/install-from-uri endpoint of halo v2.22.14 allows authenticated attackers to scan internal resources via a crafted GET request. | |||
| CVE-2026-7500 | medium | 5.4 | 5.4 | 1mo ago | Keycloak has a Forced Browsing issue | |||
| CVE-2026-1493 | medium | 5.4 | 5.4 | 1mo ago | LEX Baza Dokumentów is vulnerable to DOM-based XSS in "em" cookie parameter. The application unsafely processes the parameter on the client side, allowing an attacker to execute arbitrary JavaScript … | |||
| CVE-2026-40230 | medium | 5.4 | 5.4 | 1mo ago | Helpy contains a stored cross-site scripting vulnerability in the knowledge base Doc rendering logic. An authenticated attacker with admin or agent editor privileges can persist arbitrary HTML or Jav… | |||
| CVE-2026-40229 | medium | 5.4 | 5.4 | 1mo ago | Helpy contains a stored cross-site scripting vulnerability in the post author display logic. Any registered user can persist arbitrary HTML in their account name field and cause it to be rendered une… | |||
| CVE-2026-42641 | medium | 5.4 | 5.4 | 1mo ago | Server-Side Request Forgery (SSRF) vulnerability in ILLID Share This Image share-this-image allows Server Side Request Forgery.This issue affects Share This Image: from n/a through <= 2.14. | |||
| CVE-2026-40296 | medium | 5.4 | 5.4 | 1mo ago | PhpSpreadsheet has XSS via number format code with @ text placeholder bypasses htmlspecialchars in HTML writer | |||
| CVE-2026-35453 | medium | 5.4 | 5.4 | 1mo ago | PhpSpreadsheet has XSS via NumberFormat @ Text Substitution in HTML Writer | |||
| CVE-2026-42421 | medium | 5.4 | 5.4 | 1mo ago | OpenClaw: Existing WS sessions survive shared gateway token rotation | |||
| CVE-2026-41916 | medium | 5.4 | 5.4 | 1mo ago | OpenClaw: resolvedAuth closure becomes stale after config reload | |||
| CVE-2026-41406 | medium | 5.4 | 5.4 | 1mo ago | OpenClaw: Feishu thread history and quoted messages bypass sender allowlist | |||
| CVE-2026-41402 | medium | 5.4 | 5.4 | 1mo ago | OpenClaw: Zalo webhook replay cache cross-target messageId scope bypass | |||
| CVE-2026-41382 | medium | 5.4 | 5.4 | 1mo ago | OpenClaw: Discord voice ingress authorization can be bypassed via channel, name, and stale-role validation gaps | |||
| CVE-2026-41381 | medium | 5.4 | 5.4 | 1mo ago | OpenClaw: Discord voice manager bypasses channel-level member access allowlist | |||
| CVE-2026-38948 | medium | 5.4 | 5.4 | 1mo ago | Cross-Site Scripting (XSS) vulnerability exists in FUEL CMS v1.5.2 and before within the asset upload functionality. The application fails to properly sanitize uploaded SVG files, allowing a low-priv… | |||
| CVE-2026-5306 | medium | 5.4 | 5.4 | 1mo ago | The Check & Log Email WordPress plugin before 2.0.13 does not properly handle email replacement, which could allow unauthenticated users to perform Stored XSS attacks when the email encoder setting … | |||
| CVE-2026-41365 | medium | 5.4 | 5.4 | 1mo ago | OpenClaw: MSTeams thread history bypasses sender allowlist via Graph API | |||
| CVE-2026-5362 | medium | 5.4 | 5.4 | 1mo ago | Pimcore has an authenticated Cross-site Scripting issue | |||
| CVE-2026-7024 | medium | 5.4 | 5.4 | 1mo ago | A flaw has been found in rawchen sims up to 004f783b1db5ecdfad81c8fdc3b34171211112de. Affected by this issue is some unknown functionality of the file sims-master/src/web/servlet/file/DeleteFileServl… | |||
| CVE-2026-41425 | medium | 5.4 | 5.4 | 1mo ago | Authlib: Cross-site request forging when using cache | |||
| CVE-2026-42042 | medium | 5.4 | 5.4 | 1mo ago | Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in `withXSRFToken` Boolean Coercion | |||
| CVE-2026-25720 | medium | 5.4 | 5.4 | 1mo ago | A vulnerability exists in SenseLive X3050’s web management interface due to improper session lifetime enforcement, allowing authenticated sessions to remain active for extended periods without requi… | |||
| CVE-2026-41358 | medium | 5.4 | 5.4 | 1mo ago | OpenClaw: Slack thread context could include messages from non-allowlisted senders | |||
| CVE-2026-41356 | medium | 5.4 | 5.4 | 1mo ago | OpenClaw: Gateway `device.token.rotate` does not terminate active WebSocket sessions after credential rotation | |||
| CVE-2026-41348 | medium | 5.4 | 5.4 | 1mo ago | OpenClaw: Discord Slash Commands Bypass Group DM Channel Allowlist | |||
| CVE-2026-41341 | medium | 5.4 | 5.4 | 1mo ago | OpenClaw: Discord Component Interaction Misclassifies Group DM as Direct Message | |||
| CVE-2026-41241 | medium | 5.4 | 5.4 | 1mo ago | pretalx is a conference planning tool. Prior to 2026.1.0, The organiser search in the pretalx backend rendered submission titles, speaker display names, and user names/emails into the result dropdown… | |||
| CVE-2026-41909 | medium | 5.4 | 5.4 | 2mo ago | OpenClaw before 2026.4.20 contains an improper authorization vulnerability in paired-device pairing management that allows limited-scope sessions to enumerate and act on pairing requests. Attackers w… | |||
| CVE-2026-3007 | medium | 5.4 | 5.4 | 2mo ago | Successful exploitation of the stored cross-site scripting (XSS) vulnerability could allow an attacker to execute arbitrary JavaScript on any user account that has access to Koollab LMS’ courselet fe… | |||
| CVE-2026-41243 | medium | 5.4 | 5.4 | 2mo ago | OpenLearn is open-source educational forum software. Prior to commit 844b2a40a69d0c4911580fe501923f0b391313ab, when `safeMode` is enabled, unapproved forum posts are hidden from the public list, but … | |||
| CVE-2026-3837 | medium | 5.4 | 5.4 | 2mo ago | An authenticated attacker can persist crafted values in multiple field types and trigger client-side script execution when another user opens the affected document in Desk. The vulnerable formatter i… | |||
| CVE-2026-3673 | medium | 5.4 | 5.4 | 2mo ago | An authenticated attacker can store a crafted tag value in _user_tags and trigger JavaScript execution when a victim opens the list/report view where tags are rendered. The vulnerable renderer interp… | |||
| CVE-2026-40923 | medium | 5.4 | 5.4 | 2mo ago | Tekton Pipelines: VolumeMount path restriction bypass via missing filepath.Clean in /tekton/ check | |||
| CVE-2026-0972 | medium | 5.4 | 5.4 | 2mo ago | HTML injection is possible in system generated emails in Fortra's GoAnywhere MFT prior to 7.10.0. Note: The title, details, and description of this CVE were corrected post-publishing. | |||
| CVE-2026-34429 | medium | 5.4 | 5.4 | 2mo ago | Vvveb prior to 1.0.8.1 contains a stored cross-site scripting vulnerability that allows authenticated users with media upload and rename permissions to execute arbitrary JavaScript by bypassing MIME … | |||
| CVE-2026-6585 | medium | 5.4 | 5.4 | 2mo ago | A vulnerability was determined in TransformerOptimus SuperAGI up to 0.0.14. This issue affects the function update_organisation of the file superagi/controllers/organisation.py of the component Organ… | |||
| CVE-2026-6584 | medium | 5.4 | 5.4 | 2mo ago | A vulnerability was found in TransformerOptimus SuperAGI up to 0.0.14. This vulnerability affects the function update_user of the file superagi/controllers/user.py of the component User Update Endpoi… | |||
| CVE-2026-6583 | medium | 5.4 | 5.4 | 2mo ago | A vulnerability has been found in TransformerOptimus SuperAGI up to 0.0.14. This affects the function delete_api_key/edit_api_key of the file superagi/controllers/api_key.py of the component API Key … | |||
| CVE-2026-40948 | medium | 5.4 | 5.4 | 2mo ago | The Keycloak authentication manager in `apache-airflow-providers-keycloak` did not generate or validate the OAuth 2.0 `state` parameter on the login / login-callback flow, and did not use PKCE. An at… | |||
| CVE-2026-40479 | medium | 5.4 | 5.4 | 2mo ago | Kimai has Stored XSS via Incomplete HTML Attribute Escaping in Team Member Widget | |||
| CVE-2026-40155 | medium | 5.4 | 5.4 | 2mo ago | Auth0 Next.js SDK has Improper Proxy Cache Lookup | |||
| CVE-2026-6496 | medium | 5.4 | 5.4 | 2mo ago | A vulnerability was found in prasathmani TinyFileManager up to 2.6. Affected is an unknown function of the file /filemanager.php of the component POST Parameter Handler. The manipulation of the argum… | |||
| CVE-2026-26291 | medium | 5.4 | 5.4 | 2mo ago | Stored cross-site scripting vulnerability exists in GROWI v7.4.6 and earlier. If this vulnerability is exploited, an arbitrary script may be executed in a user's web browser. | |||
| CVE-2026-22154 | medium | 5.4 | 5.4 | 2mo ago | An improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.3, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR Paa… | |||
| CVE-2026-24069 | medium | 5.4 | 5.4 | 2mo ago | Kiuwan SAST improperly authorizes SSO logins for locally disabled mapped user accounts, allowing disabled users to continue accessing the application. Kiuwan Cloud was affected, and Kiuwan SAST on-pr… | |||
| CVE-2026-6201 | medium | 5.4 | 5.4 | 2mo ago | A vulnerability was identified in CodeAstro Online Job Portal 1.0. The impacted element is an unknown function of the file /jobs/job-delete.php of the component Delete Job Posting Handler. Such manip… | |||
| CVE-2026-33119 | medium | 5.4 | 5.4 | 2mo ago | User interface (ui) misrepresentation of critical information in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network. | |||
| CVE-2026-5392 | medium | 5.4 | 5.4 | 2mo ago | Heap out-of-bounds read in PKCS7 parsing. A crafted PKCS7 message can trigger an OOB read on the heap. The missing bounds check is in the indefinite-length end-of-content verification loop in PKCS7_V… | |||
| CVE-2026-40071 | medium | 5.4 | 5.4 | 2mo ago | pyload-ng has a WebUI JSON permission mismatch that lets ADD/DELETE users invoke MODIFY-only actions | |||
| CVE-2026-5812 | medium | 5.4 | 5.4 | 2mo ago | A security flaw has been discovered in SourceCodester Pharmacy Product Management System 1.0. This affects an unknown part of the file add-sales.php of the component POST Parameter Handler. Performin… | |||
| CVE-2026-5811 | medium | 5.4 | 5.4 | 2mo ago | A vulnerability was identified in SourceCodester Online Food Ordering System 1.0. Affected by this issue is the function save_product of the file /Actions.php of the component POST Parameter Handler.… | |||
| CVE-2026-39635 | medium | 5.4 | 5.4 | 2mo ago | Cross-Site Request Forgery (CSRF) vulnerability in ThemeGoods Grand Magazine grandmagazine allows Cross Site Request Forgery.This issue affects Grand Magazine: from n/a through <= 3.5.5. | |||
| CVE-2026-39614 | medium | 5.4 | 5.4 | 2mo ago | Missing Authorization vulnerability in ilGhera JW Player for WordPress jw-player-7-for-wp allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects JW Player for Word… | |||
| CVE-2026-39504 | medium | 5.4 | 5.4 | 2mo ago | Missing Authorization vulnerability in InstaWP InstaWP Connect instawp-connect allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects InstaWP Connect: from n/a thr… | |||
| CVE-2026-5535 | medium | 5.4 | 5.4 | 2mo ago | A security flaw has been discovered in FedML-AI FedML up to 0.8.9. This impacts an unknown function of the file FileUtils.java of the component MQTT Message Handler. Performing a manipulation of the … | |||
| CVE-2026-5468 | medium | 5.4 | 5.4 | 2mo ago | Casdoor vulnerable to Stored XSS via Application formCss / formSideHtml | |||
| CVE-2026-32859 | medium | 5.4 | 5.4 | 2mo ago | ByteDance DeerFlow versions prior to commit 5dbb362 contain a stored cross-site scripting vulnerability in the artifacts API that allows attackers to execute arbitrary scripts by uploading malicious … | |||
| CVE-2026-33559 | medium | 5.4 | 5.4 | 2mo ago | WordPress Plugin "OpenStreetMap" provided by MiKa contains a cross-site scripting vulnerability. On the site with the affected version of the plugin enabled, a logged-in user with a page-creating/edi… | |||
| CVE-2026-32562 | medium | 5.4 | 5.4 | 2mo ago | Missing Authorization vulnerability in WP Folio Team PPWP password-protect-page allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PPWP: from n/a through <= 1.… | |||
| CVE-2026-32511 | medium | 5.4 | 5.4 | 2mo ago | Deserialization of Untrusted Data vulnerability in Mikado-Themes Stål stal allows Object Injection.This issue affects Stål: from n/a through < 1.7. |