CVEs from 2026

Total: 14,792
- critical: 1,335
- high: 5,008
- medium: 4,832
- low: 503

% Critical: 9.0%
% with KEV: 0.4%
% with exploit: 0.7%
Top products
- chrome 723
- firepower_threat_defense_software 310
- gcp 299
- firepower_threat_defense 298
- openclaw 172
- commerce 104
- netweaver_application_server_abap 102
- commerce_b2b 89
| CVE | Severity | CVSS | Risk | Published | Description | Flags | OS | Vendor |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-46377 | high | — | 8.0 | 18d ago | Dasel: Index-out-of-range panic in dasel selector lexer on trailing backslash in quoted string | |||
| CVE-2026-45783 | high | — | 8.0 | 18d ago | @libp2p/kad-dht: Unvalidated PUT_VALUE records allow unbounded disk exhaustion on DHT server nodes | |||
| CVE-2026-45805 | high | — | 8.0 | 19d ago | PenPot MCP REPL server binds to 0.0.0.0 with unauthenticated /execute endpoint — RCE | |||
| CVE-2026-45799 | high | — | 8.0 | 19d ago | Wire: skipGroup() missing negative-length check allows 10-byte payload to crash any Wire-decoding service | |||
| CVE-2026-45738 | high | — | 8.0 | 19d ago | Argo CD: Stored XSS in application link annotations enables developer-to-admin privilege escalation | |||
| CVE-2026-45713 | high | — | 8.0 | 19d ago | Mailpit: Unauthenticated remote memory-exhaustion DoS via unlimited SMTP DATA and /api/v1/send body sizes | |||
| CVE-2026-45576 | high | — | 8.0 | 19d ago | zrok copy writes attacker-controlled WebDAV paths outside the destination root | |||
| CVE-2026-46511 | high | — | 8.0 | 19d ago | HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, an attack chain utilizing Stored XSS alongside dynamic token exposure in the `/system/api/connectionSetti… | |||
| CVE-2026-46396 | high | — | 8.0 | 19d ago | HAX CMS helps manage microsite universe with PHP or NodeJs backends. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 26.0.0 due to improper sanitization of `<iframe>` el… | |||
| CVE-2026-46391 | high | — | 8.0 | 19d ago | HAX CMS helps manage microsite universe with PHP or NodeJs backends. Starting in version 9.0.1 and prior to version 26.0.0 of @haxtheweb/open-apis, multiple functions conduct substring-only matching … | |||
| CVE-2026-46393 | high | — | 8.0 | 19d ago | HAX CMS helps manage microsite universe with PHP or NodeJs backends. An authenticated Server-Side Request Forgery (SSRF) vulnerability in versions prior to 26.0.0 allows authenticated users to fetch … | |||
| CVE-2026-20664 | high | — | 8.0 | 19d ago | The issue was addressed with improved memory handling. This issue is fixed in Safari 26.4, iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, visionOS 26.4. Processing maliciously crafted web content may le… | |||
| CVE-2026-20665 | high | — | 8.0 | 19d ago | This issue was addressed through improved state management. This issue is fixed in Safari 26.4, iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, wat… | |||
| CVE-2026-3085 | high | — | 8.0 | 19d ago | GStreamer rtpqdm2depay Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Int… | |||
| CVE-2026-3083 | high | — | 8.0 | 19d ago | GStreamer rtpqdm2depay Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interactio… | |||
| CVE-2026-20644 | high | — | 8.0 | 19d ago | The issue was addressed with improved memory handling. This issue is fixed in Safari 26.3, iOS 18.7.5 and iPadOS 18.7.5, iOS 26.3 and iPadOS 26.3, macOS Tahoe 26.3, visionOS 26.3. Processing maliciou… | |||
| CVE-2026-27137 | high | — | 8.0 | 19d ago | Incorrect enforcement of email constraints in crypto/x509 | |||
| CVE-2026-1502 | high | — | 8.0 | 19d ago | Important: python3.12 security update | |||
| CVE-2026-4519 | high | — | 8.0 | 19d ago | Important: python3.12 security update | |||
| CVE-2026-2297 | high | — | 8.0 | 19d ago | Important: python3.12 security update | |||
| CVE-2026-0672 | high | — | 8.0 | 19d ago | Important: python3.12 security update | |||
| CVE-2026-33983 | high | — | 8.0 | 19d ago | Important: freerdp security update | |||
| CVE-2026-2922 | high | — | 8.0 | 19d ago | Important: gstreamer1-plugins-bad-free, gstreamer1-plugins-base, gstreamer1-plugins-good, and gstreamer1-plugins-ugly-free security update | |||
| CVE-2026-3082 | high | — | 8.0 | 19d ago | RHSA-2026:6750: gstreamer1-plugins-bad-free, gstreamer1-plugins-base, and gstreamer1-plugins-good security update (Important) | |||
| CVE-2026-2920 | high | — | 8.0 | 19d ago | RHSA-2026:6750: gstreamer1-plugins-bad-free, gstreamer1-plugins-base, and gstreamer1-plugins-good security update (Important) | |||
| CVE-2026-2921 | high | — | 8.0 | 19d ago | RHSA-2026:6750: gstreamer1-plugins-bad-free, gstreamer1-plugins-base, and gstreamer1-plugins-good security update (Important) | |||
| CVE-2026-33984 | high | — | 8.0 | 19d ago | Important: freerdp security update | |||
| CVE-2026-2923 | high | — | 8.0 | 19d ago | RHSA-2026:6750: gstreamer1-plugins-bad-free, gstreamer1-plugins-base, and gstreamer1-plugins-good security update (Important) | |||
| CVE-2026-23745 | high | — | 8.0 | 19d ago | Important: linux-sgx security update | |||
| CVE-2026-23950 | high | — | 8.0 | 19d ago | Important: linux-sgx security update | |||
| CVE-2026-20652 | high | — | 8.0 | 19d ago | The issue was addressed with improved memory handling. This issue is fixed in Safari 26.3, iOS 18.7.5 and iPadOS 18.7.5, iOS 26.3 and iPadOS 26.3, macOS Tahoe 26.3, visionOS 26.3. A remote attacker m… | |||
| CVE-2026-28857 | high | — | 8.0 | 19d ago | The issue was addressed with improved memory handling. This issue is fixed in Safari 26.4, iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, visionOS 26.4. Processing maliciously crafted web content may le… | |||
| CVE-2026-20691 | high | — | 8.0 | 19d ago | An authorization issue was addressed with improved state management. This issue is fixed in Safari 26.4, iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, visionOS 26.4, watchOS 26.4. A maliciously crafted… | |||
| CVE-2026-20635 | high | — | 8.0 | 19d ago | The issue was addressed with improved memory handling. This issue is fixed in Safari 26.3, iOS 18.7.5 and iPadOS 18.7.5, iOS 26.3 and iPadOS 26.3, macOS Tahoe 26.3, tvOS 26.3, visionOS 26.3, watchOS … | |||
| CVE-2026-20608 | high | — | 8.0 | 19d ago | This issue was addressed through improved state management. This issue is fixed in Safari 26.3, iOS 18.7.5 and iPadOS 18.7.5, iOS 26.3 and iPadOS 26.3, macOS Tahoe 26.3, visionOS 26.3. Processing mal… | |||
| CVE-2026-20676 | high | — | 8.0 | 19d ago | This issue was addressed through improved state management. This issue is fixed in Safari 26.3, iOS 26.3 and iPadOS 26.3, macOS Tahoe 26.3, visionOS 26.3. A website may be able to track users through… | |||
| CVE-2026-28859 | high | — | 8.0 | 19d ago | The issue was addressed with improved memory handling. This issue is fixed in Safari 26.4, iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, watchOS 26.4. A malicious website may … | |||
| CVE-2026-20643 | high | — | 8.0 | 19d ago | A cross-origin issue in the Navigation API was addressed with improved input validation. This issue is fixed in Background Security Improvements for iOS, iPadOS, and macOS, Safari 26.4, iOS 18.7.7 an… | |||
| CVE-2026-28871 | high | — | 8.0 | 19d ago | A logic issue was addressed with improved checks. This issue is fixed in Safari 26.4, iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4. Visiting a maliciously crafted website … | |||
| CVE-2026-20636 | high | — | 8.0 | 19d ago | The issue was addressed with improved memory handling. This issue is fixed in Safari 26.3, iOS 26.3 and iPadOS 26.3, macOS Tahoe 26.3, visionOS 26.3. Processing maliciously crafted web content may le… | |||
| CVE-2026-32281 | high | — | 8.0 | 19d ago | Inefficient policy validation in crypto/x509 | |||
| CVE-2026-33810 | high | — | 8.0 | 19d ago | When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint. This only affe… | |||
| CVE-2026-23060 | high | — | 8.0 | 19d ago | Important: kernel security update | |||
| CVE-2026-5713 | high | — | 8.0 | 19d ago | Important: python3.14 security update | |||
| CVE-2026-24842 | high | — | 8.0 | 19d ago | Important: linux-sgx security update | |||
| CVE-2026-46520 | high | — | 8.0 | 19d ago | ImageMagick: Heap Buffer Over-Write in IPL decoder when reading multiple images of different dimensions | |||
| CVE-2026-45367 | high | — | 8.0 | 19d ago | HAPI FHIR: ReDoS via FHIRPath matches()/replaceMatches() in FHIR Validator HTTP Endpoint | |||
| CVE-2026-42306 | high | — | 8.0 | 20d ago | Docker: Race condition in docker cp allows bind mount redirection to host path | |||
| CVE-2026-45727 | high | — | 8.0 | 20d ago | CloakBrowser is a tool to bypass bot detection tests. Prior to version 0.3.28, the cloakserve CDP multiplexer uses the user-supplied fingerprint query parameter directly as a filesystem path componen… | |||
| CVE-2026-45325 | high | — | 8.0 | 20d ago | @tmlmobilidade/utils has prototype pollution in its setValueAtPath | |||
| CVE-2026-46385 | high | — | 8.0 | 20d ago | iskorotkov/avro is a fast Go Avro codec. Prior to 2.33.0, the Avro array and map decoders looped over an attacker-controlled block-count value without checking the underlying reader's error state ins… | |||
| CVE-2026-45270 | high | — | 8.0 | 20d ago | CI4MS: Stored XSS in Pages Module Content via Broken html_purify Validation Rule | |||
| CVE-2026-46384 | high | — | 8.0 | 20d ago | iskorotkov/avro is a fast Go Avro codec. Prior to 2.33.0, several Avro decoder paths read attacker-controlled 64-bit values from the wire format and either narrowed them to platform-sized int before … | |||
| CVE-2026-45135 | high | — | 8.0 | 20d ago | Caddy: Unsafe Unicode Handling in FastCGI splitPos Allows Execution of Non-PHP Files | |||
| CVE-2026-33416 | high | — | 8.0 | 20d ago | Important: thunderbird security update | |||
| CVE-2026-45363 | high | — | 8.0 | 20d ago | ruby-jwt: Empty-key HMAC bypass; cross-language sibling of CVE-2026-44351 | |||
| CVE-2026-46491 | high | — | 8.0 | 23d ago | SimpleSAMLphp casserver FileSystemTicketStore path traversal allows out-of-ticket-directory read/unserialize and conditional deletion | |||
| CVE-2026-44692 | high | — | 8.0 | 23d ago | Authenticated Sharp users can download unrelated Laravel Storage objects through the generic download endpoint | |||
| CVE-2026-45062 | high | — | 8.0 | 23d ago | FrankenPHP: Unsafe Unicode Handling in CGI Path Splitting Allows Execution of Non-PHP Files | |||
| CVE-2026-44716 | high | — | 8.0 | 23d ago | Pipecat: Path Traversal in Pipecat Runner `/files` Endpoint — Arbitrary File Read via `%2F`-Encoded Separator | |||
| CVE-2026-44700 | high | — | 8.0 | 23d ago | ex_webrtc client-role handshake is missing DTLS peer fingerprint validation | |||
| CVE-2026-42327 | high | — | 8.0 | 23d ago | rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.9.7 to before 0.10.79, X509Ref::ocsp_responders returns OCSP responder URLs from a certificate's AIA extension as Open… | |||
| CVE-2026-45671 | high | 8.0 | 8.0 | 23d ago | Open WebUI: shared-chat branch ignores access_type, allowing unauthorized file deletion | |||
| CVE-2026-42570 | high | — | 8.0 | 23d ago | Svelte devalue: DoS via sparse array deserialization | |||
| CVE-2026-45371 | high | — | 8.0 | 24d ago | SiYuan publish-mode Reader can mutate Conf and SQL index via 8 ungated APIs | |||
| CVE-2026-44522 | high | — | 8.0 | 24d ago | Note Mark: Arbitrary File Write via Path Traversal in Asset Names Leads to Remote Code Execution | |||
| CVE-2026-44541 | high | — | 8.0 | 24d ago | ethyca-fides has a DOM-based XSS vulnerability in fides.js via fides_description override | |||
| CVE-2026-45011 | high | — | 8.0 | 24d ago | Apostrophe has stored XSS via javascript: URL in Image Widget Link | |||
| CVE-2026-45013 | high | — | 8.0 | 24d ago | Apostrophe has a Weak Password Recovery Mechanism for Forgotten Password and Improper Input Validation | |||
| CVE-2026-45012 | high | — | 8.0 | 24d ago | Apostrophe has authenticated SSRF in rich-text widget import via @apostrophecms/area/validate-widget | |||
| CVE-2026-46480 | high | — | 8.0 | 24d ago | FlowiseAI: Evaluator create+update mass-assignment allows cross-workspace evaluator takeover | |||
| CVE-2026-46479 | high | — | 8.0 | 24d ago | FlowiseAI: Evaluation create+update mass-assignment allows cross-workspace evaluation takeover | |||
| CVE-2026-46478 | high | — | 8.0 | 24d ago | FlowiseAI: DatasetRow create+update mass-assignment allows cross-workspace row takeover | |||
| CVE-2026-46477 | high | — | 8.0 | 24d ago | FlowiseAI: Dataset create+update mass-assignment allows cross-workspace dataset takeover | |||
| CVE-2026-46476 | high | — | 8.0 | 24d ago | FlowiseAI: CustomTemplate create+update mass-assignment allows cross-workspace template takeover | |||
| CVE-2026-46475 | high | — | 8.0 | 24d ago | FlowiseAI: Assistant create+update mass-assignment allows cross-workspace assistant takeover | |||
| CVE-2026-46444 | high | — | 8.0 | 24d ago | FlowiseAI: Vector Store No Permission Checks | |||
| CVE-2026-45732 | high | — | 8.0 | 24d ago | n8n Has a Cross-user Authorization Bypass in Dynamic Credential OAuth Endpoints | |||
| CVE-2026-44792 | high | — | 8.0 | 24d ago | n8n Has a Source Control Pull SQL Injection | |||
| CVE-2026-43978 | high | — | 8.0 | 24d ago | wger: Privilege escalation via trainer-login session chaining allows gym trainer to impersonate gym manager | |||
| CVE-2026-44504 | high | — | 8.0 | 24d ago | Aegra has cross-user run injection in /threads/{thread_id}/runs (IDOR) | |||
| CVE-2026-43977 | high | — | 8.0 | 24d ago | wger Vulnerable to IDOR: Authenticated Users Can Read Any User's Private Workout Session Data via Template Routine API | |||
| CVE-2026-46443 | high | — | 8.0 | 24d ago | FlowiseAI Vulnerable to Credential Data Leak | |||
| CVE-2026-46441 | high | — | 8.0 | 24d ago | FlowiseAI has Mass Assignment in Assistant Update Endpoint that Allows Cross-Workspace Resource Reassignment | |||
| CVE-2026-46440 | high | — | 8.0 | 24d ago | FlowiseAI Exposes Basic Auth Credentials via API | |||
| CVE-2026-42863 | high | — | 8.0 | 24d ago | FlowiseAI has Mass Assignment in Chatflow Update Endpoint that Allows Cross-Workspace AgentFlow Reassignment | |||
| CVE-2026-42862 | high | — | 8.0 | 24d ago | FlowiseAI has Mass Assignment in Tool Update Endpoint that Allows Cross-Workspace Resource Reassignment | |||
| CVE-2026-42861 | high | — | 8.0 | 24d ago | FlowiseAI has Mass Assignment in Variable Update Endpoint that Allows Cross-Workspace Resource Reassignment | |||
| CVE-2026-8468 | high | — | 8.0 | 24d ago | Plug: Unbounded buffer accumulation in multipart header parsing causes denial of service | |||
| CVE-2026-8466 | high | — | 8.0 | 25d ago | Cowboy: Unbounded buffer accumulation in multipart header parsing causes denial of service in cowboy | |||
| CVE-2026-43970 | high | — | 8.0 | 25d ago | Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in ninenines cowlib allows unauthenticated remote denial of service via memory exhaustion. cow_spdy:inflate/2 in cowlib… | |||
| CVE-2026-45793 | high | — | 8.0 | 25d ago | Github Actions issued GITHUB_TOKEN disclosure in GitHub Actions logs | |||
| CVE-2026-39979 | high | — | 8.0 | 25d ago | Important: jq security update | |||
| CVE-2026-44232 | high | — | 8.0 | 25d ago | dssrf: every IPv6 category bypasses is_url_safe | |||
| CVE-2026-44184 | high | 8.0 | 8.0 | 26d ago | Cleanuparr is a tool for automating the cleanup of unwanted or blocked files in Sonarr, Radarr, and supported download clients like qBittorrent. Prior to 2.9.10, Cleanuparr's global CORS policy refl… | |||
| CVE-2026-40368 | high | 8.0 | 8.0 | 26d ago | Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. | |||
| CVE-2026-34332 | high | 8.0 | 8.0 | 26d ago | Use after free in Windows Kernel-Mode Drivers allows an authorized attacker to execute code over a network. | |||
| CVE-2026-4151 | high | — | 8.0 | 26d ago | Important: gimp security update | |||
| CVE-2026-4154 | high | — | 8.0 | 26d ago | Important: gimp security update | |||
| CVE-2026-4153 | high | — | 8.0 | 26d ago | Important: gimp security update |