CVEs from 2026
Total
14,798
critical
critical 1,335
high
high 5,011
medium
medium 4,834
low
low 504
% Critical
9.0%
% with KEV
0.4%
% with exploit
0.7%
Top vendors
Top products
- chrome 723
- firepower_threat_defense_software 310
- gcp 299
- firepower_threat_defense 298
- openclaw 172
- commerce 104
- netweaver_application_server_abap 102
- commerce_b2b 89
Top packages
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-4700 | high | — | 8.0 | 2mo ago | Mitigation bypass in the Networking: HTTP component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. | |||
| CVE-2026-4686 | high | — | 8.0 | 2mo ago | Incorrect boundary conditions in the Graphics: Canvas2D component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. | |||
| CVE-2026-4720 | high | — | 8.0 | 2mo ago | Memory safety bugs present in Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148. Some of these bugs showed evidence of memory corruption and we presume that with enough effort… | |||
| CVE-2026-4719 | high | — | 8.0 | 2mo ago | Incorrect boundary conditions in the Graphics: Text component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. | |||
| CVE-2026-4713 | high | — | 8.0 | 2mo ago | Incorrect boundary conditions in the Graphics component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. | |||
| CVE-2026-4712 | high | — | 8.0 | 2mo ago | Information disclosure in the Widget: Cocoa component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. | |||
| CVE-2026-4693 | high | — | 8.0 | 2mo ago | Incorrect boundary conditions in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. | |||
| CVE-2026-4692 | high | — | 8.0 | 2mo ago | Sandbox escape in the Responsive Design Mode component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. | |||
| CVE-2026-4691 | high | — | 8.0 | 2mo ago | Use-after-free in the CSS Parsing and Computation component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. | |||
| CVE-2026-4687 | high | — | 8.0 | 2mo ago | Sandbox escape due to incorrect boundary conditions in the Telemetry component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 14… | |||
| CVE-2026-4690 | high | — | 8.0 | 2mo ago | Sandbox escape due to incorrect boundary conditions, integer overflow in the XPCOM component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and … | |||
| CVE-2026-4716 | high | — | 8.0 | 2mo ago | Incorrect boundary conditions, uninitialized memory in the JavaScript Engine component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. | |||
| CVE-2026-4718 | high | — | 8.0 | 2mo ago | Undefined behavior in the WebRTC: Signaling component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. | |||
| CVE-2026-4696 | high | — | 8.0 | 2mo ago | Use-after-free in the Layout: Text and Fonts component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. | |||
| CVE-2026-4688 | high | — | 8.0 | 2mo ago | Sandbox escape due to use-after-free in the Disability Access APIs component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. | |||
| CVE-2026-4694 | high | — | 8.0 | 2mo ago | Incorrect boundary conditions, integer overflow in the Graphics component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. | |||
| CVE-2026-4704 | high | — | 8.0 | 2mo ago | Denial-of-service in the WebRTC: Signaling component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. | |||
| CVE-2026-4702 | high | — | 8.0 | 2mo ago | JIT miscompilation in the JavaScript Engine component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. | |||
| CVE-2026-4689 | high | — | 8.0 | 2mo ago | Sandbox escape due to incorrect boundary conditions, integer overflow in the XPCOM component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and … | |||
| CVE-2026-33195 | high | — | 8.0 | 3mo ago | Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Storage's `DiskService#path_for` does not validate that the … | |||
| CVE-2026-33492 | high | — | 8.0 | 3mo ago | AVideo has Session Fixation via GET PHPSESSID Parameter With Disabled Login Session Regeneration | |||
| CVE-2026-33485 | high | — | 8.0 | 3mo ago | AVideo has an Unauthenticated Blind SQL Injection in RTMP on_publish Callback via Stream Name Parameter | |||
| CVE-2026-4427 | high | — | 8.0 | 3mo ago | RHSA-2026:22714: osbuild-composer security update (Important) | |||
| CVE-2026-33210 | high | — | 8.0 | 3mo ago | Important: ruby:4.0 security update | |||
| CVE-2026-2603 | high | — | 8.0 | 3mo ago | Keycloak: Unauthorized authentication via disabled SAML Identity Provider | |||
| CVE-2026-32933 | high | — | 8.0 | 3mo ago | AutoMapper Vulnerable to Denial of Service (DoS) via Uncontrolled Recursion | |||
| CVE-2026-26130 | high | — | 8.0 | 3mo ago | RHSA-2026:4458: .NET 10.0 security update (Important) | |||
| CVE-2026-26127 | high | — | 8.0 | 3mo ago | RHSA-2026:4458: .NET 10.0 security update (Important) | |||
| CVE-2026-28229 | high | — | 8.0 | 3mo ago | Unauthorized access to Argo Workflows Template | |||
| CVE-2026-2047 | high | — | 8.0 | 3mo ago | Important: gimp security update | |||
| CVE-2026-0797 | high | — | 8.0 | 3mo ago | RHSA-2026:5113: gimp:2.8 security update (Important) | |||
| CVE-2026-2044 | high | — | 8.0 | 3mo ago | RHSA-2026:5113: gimp:2.8 security update (Important) | |||
| CVE-2026-2048 | high | — | 8.0 | 3mo ago | RHSA-2026:5113: gimp:2.8 security update (Important) | |||
| CVE-2026-2045 | high | — | 8.0 | 3mo ago | RHSA-2026:5113: gimp:2.8 security update (Important) | |||
| CVE-2026-2004 | high | — | 8.0 | 3mo ago | RHSA-2026:4064: postgresql:12 security update (Important) | |||
| CVE-2026-2006 | high | — | 8.0 | 3mo ago | RHSA-2026:4064: postgresql:12 security update (Important) | |||
| CVE-2026-2003 | high | — | 8.0 | 3mo ago | RHSA-2026:4063: postgresql:16 security update (Important) | |||
| CVE-2026-2005 | high | — | 8.0 | 3mo ago | RHSA-2026:4064: postgresql:12 security update (Important) | |||
| CVE-2026-21863 | high | — | 8.0 | 3mo ago | Important: valkey security update | |||
| CVE-2026-27509 | high | 8.0 | 8.0 | 3mo ago | Unitree Go2 firmware versions V1.1.7 through V1.1.9, and V1.1.11 (EDU) do not implement DDS authentication or authorization for the Eclipse CycloneDDS topic rt/api/programming_actuator/request handle… | |||
| CVE-2026-22695 | high | — | 8.0 | 3mo ago | RHSA-2026:4728: libpng security update (Important) | |||
| CVE-2026-22801 | high | — | 8.0 | 3mo ago | RHSA-2026:4728: libpng security update (Important) | |||
| CVE-2026-2758 | high | — | 8.0 | 3mo ago | Use-after-free in the JavaScript: GC component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8. | |||
| CVE-2026-2759 | high | — | 8.0 | 3mo ago | Incorrect boundary conditions in the Graphics: ImageLib component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8. | |||
| CVE-2026-2785 | high | — | 8.0 | 3mo ago | Invalid pointer in the JavaScript Engine component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8. | |||
| CVE-2026-2774 | high | — | 8.0 | 3mo ago | Integer overflow in the Audio/Video component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8. | |||
| CVE-2026-2447 | high | — | 8.0 | 3mo ago | Heap buffer overflow in libvpx. This vulnerability was fixed in Firefox 147.0.4, Firefox ESR 140.7.1, Firefox ESR 115.32.1, Thunderbird 140.7.2, and Thunderbird 147.0.2. | |||
| CVE-2026-2787 | high | — | 8.0 | 3mo ago | Use-after-free in the DOM: Window and Location component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8. | |||
| CVE-2026-2763 | high | — | 8.0 | 3mo ago | Use-after-free in the JavaScript Engine component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8. | |||
| CVE-2026-2771 | high | — | 8.0 | 3mo ago | Undefined behavior in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8. | |||
| CVE-2026-2788 | high | — | 8.0 | 3mo ago | Incorrect boundary conditions in the Audio/Video: GMP component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8. | |||
| CVE-2026-2772 | high | — | 8.0 | 3mo ago | Use-after-free in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8. | |||
| CVE-2026-2784 | high | — | 8.0 | 3mo ago | Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8. | |||
| CVE-2026-2757 | high | — | 8.0 | 3mo ago | Incorrect boundary conditions in the WebRTC: Audio/Video component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8. | |||
| CVE-2026-2783 | high | — | 8.0 | 3mo ago | Information disclosure due to JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8. | |||
| CVE-2026-2762 | high | — | 8.0 | 3mo ago | Integer overflow in the JavaScript: Standard Library component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8. | |||
| CVE-2026-2777 | high | — | 8.0 | 3mo ago | Privilege escalation in the Messaging System component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8. | |||
| CVE-2026-2773 | high | — | 8.0 | 3mo ago | Incorrect boundary conditions in the Web Audio component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8. | |||
| CVE-2026-2760 | high | — | 8.0 | 3mo ago | Sandbox escape due to incorrect boundary conditions in the Graphics: WebRender component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thun… | |||
| CVE-2026-2782 | high | — | 8.0 | 3mo ago | Privilege escalation in the Netmonitor component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8. | |||
| CVE-2026-2767 | high | — | 8.0 | 3mo ago | Use-after-free in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8. | |||
| CVE-2026-2780 | high | — | 8.0 | 3mo ago | Privilege escalation in the Netmonitor component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8. | |||
| CVE-2026-2778 | high | — | 8.0 | 3mo ago | Sandbox escape due to incorrect boundary conditions in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunder… | |||
| CVE-2026-2764 | high | — | 8.0 | 3mo ago | JIT miscompilation, use-after-free in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8. | |||
| CVE-2026-2776 | high | — | 8.0 | 3mo ago | Sandbox escape due to incorrect boundary conditions in the Telemetry component in External Software. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 14… | |||
| CVE-2026-2775 | high | — | 8.0 | 3mo ago | Mitigation bypass in the DOM: HTML Parser component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8. | |||
| CVE-2026-2766 | high | — | 8.0 | 3mo ago | Use-after-free in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8. | |||
| CVE-2026-2768 | high | — | 8.0 | 3mo ago | Sandbox escape in the Storage: IndexedDB component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8. | |||
| CVE-2026-2779 | high | — | 8.0 | 3mo ago | Incorrect boundary conditions in the Networking: JAR component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8. | |||
| CVE-2026-2793 | high | — | 8.0 | 3mo ago | Memory safety bugs present in Firefox ESR 115.32, Firefox ESR 140.7, Thunderbird ESR 140.7, Firefox 147 and Thunderbird 147. Some of these bugs showed evidence of memory corruption and we presume tha… | |||
| CVE-2026-2791 | high | — | 8.0 | 3mo ago | Mitigation bypass in the Networking: Cache component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8. | |||
| CVE-2026-2781 | high | — | 8.0 | 3mo ago | Integer overflow in the Libraries component in NSS. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, Thunderbird 140.8, and Firefox ESR 115.35. | |||
| CVE-2026-2789 | high | — | 8.0 | 3mo ago | Use-after-free in the Graphics: ImageLib component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8. | |||
| CVE-2026-2770 | high | — | 8.0 | 3mo ago | Use-after-free in the DOM: Bindings (WebIDL) component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8. | |||
| CVE-2026-2761 | high | — | 8.0 | 3mo ago | Sandbox escape in the Graphics: WebRender component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8. | |||
| CVE-2026-2790 | high | — | 8.0 | 3mo ago | Same-origin policy bypass in the Networking: JAR component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8. | |||
| CVE-2026-2765 | high | — | 8.0 | 3mo ago | Use-after-free in the JavaScript Engine component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8. | |||
| CVE-2026-2769 | high | — | 8.0 | 3mo ago | Use-after-free in the Storage: IndexedDB component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8. | |||
| CVE-2026-2792 | high | — | 8.0 | 3mo ago | Memory safety bugs present in Firefox ESR 140.7, Thunderbird ESR 140.7, Firefox 147 and Thunderbird 147. Some of these bugs showed evidence of memory corruption and we presume that with enough effort… | |||
| CVE-2026-23074 | high | — | 8.0 | 4mo ago | In the Linux kernel, the following vulnerability has been resolved: net/sched: Enforce that teql can only be used as root qdisc Design intent of teql is that it is only supposed to be used as root … | |||
| CVE-2026-22859 | high | — | 8.0 | 4mo ago | RHSA-2026:3334: freerdp security update (Important) | |||
| CVE-2026-22855 | high | — | 8.0 | 4mo ago | RHSA-2026:3334: freerdp security update (Important) | |||
| CVE-2026-22858 | high | — | 8.0 | 4mo ago | RHSA-2026:3334: freerdp security update (Important) | |||
| CVE-2026-25646 | high | — | 8.0 | 4mo ago | RHSA-2026:9686: java-17-openjdk security update (Important) | |||
| CVE-2026-25506 | high | — | 8.0 | 4mo ago | RHSA-2026:3032: munge security update (Important) | |||
| CVE-2026-21721 | high | — | 8.0 | 4mo ago | Important: grafana security update | |||
| CVE-2026-21637 | high | — | 8.0 | 4mo ago | Important: nodejs:24 security update | |||
| CVE-2026-26157 | high | 7.0 | 8.0 | 4mo ago | A flaw was found in BusyBox. Incomplete path sanitization in its archive extraction utilities allows an attacker to craft malicious archives that when extracted, and under specific conditions, may wr… | |||
| CVE-2026-1761 | high | — | 8.0 | 4mo ago | RHSA-2026:2215: libsoup security update (Important) | |||
| CVE-2026-0719 | high | — | 8.0 | 4mo ago | RHSA-2026:2215: libsoup security update (Important) | |||
| CVE-2026-23883 | high | — | 8.0 | 4mo ago | RHSA-2026:2081: freerdp security update (Important) | |||
| CVE-2026-23884 | high | — | 8.0 | 4mo ago | RHSA-2026:2081: freerdp security update (Important) | |||
| CVE-2026-23534 | high | — | 8.0 | 4mo ago | RHSA-2026:2081: freerdp security update (Important) | |||
| CVE-2026-23533 | high | — | 8.0 | 4mo ago | RHSA-2026:2081: freerdp security update (Important) | |||
| CVE-2026-23530 | high | — | 8.0 | 4mo ago | RHSA-2026:2081: freerdp security update (Important) | |||
| CVE-2026-23531 | high | — | 8.0 | 4mo ago | RHSA-2026:2081: freerdp security update (Important) | |||
| CVE-2026-23532 | high | — | 8.0 | 4mo ago | RHSA-2026:2081: freerdp security update (Important) | |||
| CVE-2026-24049 | high | — | 8.0 | 4mo ago | RHSA-2026:2090: python3.12-wheel security update (Important) | |||
| CVE-2026-0994 | high | — | 8.0 | 5mo ago | Important: protobuf security update | |||
| CVE-2026-23490 | high | — | 8.0 | 5mo ago | Important: fence-agents security update |