CVEs from 2026
Total
14,156
critical
critical 1,104
high
high 3,890
medium
medium 3,925
low
low 413
% Critical
7.8%
% with KEV
0.4%
% with exploit
0.4%
Top products
- chrome 298
- firepower_threat_defense 298
- firepower_threat_defense_software 295
- openclaw 166
- gcp 135
- commerce 104
- commerce_b2b 89
- magento 74
Top packages
| CVE | Severity | CVSS | Risk | Published | Description | Impact |
|---|---|---|---|---|---|---|
| CVE-2026-45087 | critical | 10.0 | 10.0 | 5h ago | Dalfox Server Mode Vulnerable to Unauthenticated Remote Code Execution via `found-action` | |
| CVE-2026-48027 | critical | 9.8 | 10.0 | 6h ago | Nx Console contains an embedded malicious code vulnerability that allowed a malicious version of Nx Console to be published. The compromised extension fetched an obfuscated payload that could harvest… | |
| CVE-2026-44327 | critical | 10.0 | 10.0 | 7h ago | free5GC's NEF nnef-oam route group is unauthenticated; no-token requests reach the OAM handler | |
| CVE-2026-44329 | critical | 10.0 | 10.0 | 7h ago | free5GC's SMF UPI management interface lacks auth middleware; unauthenticated topology read/write requests reach handlers | |
| CVE-2026-44330 | critical | 10.0 | 10.0 | 7h ago | free5GC's NEF nnef-pfdmanagement API is unauthenticated; forged bearer tokens can read PFD data and create/delete PFD subscriptions | |
| CVE-2026-41104 | critical | 10.0 | 10.0 | 5d ago | Deserialization of untrusted data in Microsoft Planetary Computer Pro allows an unauthorized attacker to disclose information over a network. | |
| CVE-2026-42901 | critical | 10.0 | 10.0 | 5d ago | Origin validation error in Microsoft Entra ID allows an unauthorized attacker to elevate privileges over a network. | |
| CVE-2026-33712 | critical | 10.0 | 10.0 | 5d ago | Typebot is a chatbot builder tool. In versions 3.15.2 and prior, the preview chat endpoint (POST /api/v1/typebots/{typebotId}/preview/startChat) allows unauthenticated users to achieve Server-Side Re… | |
| CVE-2026-46595 | critical | 10.0 | 10.0 | 6d ago | Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than public key, then the source-address validation would… | |
| CVE-2026-34910 | critical | 10.0 | 10.0 | 6d ago | A malicious actor with access to the network could exploit an Improper Input Validation vulnerability found in UniFi OS devices to execute a Command Injection. | |
| CVE-2026-34909 | critical | 10.0 | 10.0 | 6d ago | A malicious actor with access to the network could exploit a Path Traversal vulnerability found in UniFi OS devices to access files on the underlying system that could be manipulated to access an und… | |
| CVE-2026-34908 | critical | 10.0 | 10.0 | 6d ago | A malicious actor with access to the network could exploit an Improper Access Control vulnerability found in UniFi OS devices to make unauthorized changes to the system. | |
| CVE-2026-48172 | critical | 9.8 | 10.0 | 7d ago | LiteSpeed cPanel Plugin contains privilege escalation vulnerability that is exposed via the user-end cPanel plugin, which can be abused by any cPanel user account to execute arbitrary scripts with ro… | |
| CVE-2026-9082 | critical | 9.8 | 10.0 | 7d ago | Drupal Core contains a SQL injection vulnerability that could allow for privilege escalation and remote code execution via specially crafted requests sent with the database abstraction API. | |
| CVE-2026-45444 | critical | 10.0 | 10.0 | 7d ago | Unrestricted Upload of File with Dangerous Type vulnerability in WP Swings Gift Cards For WooCommerce Pro allows Using Malicious Files. This issue affects Gift Cards For WooCommerce Pro: from n/a th… | |
| CVE-2026-20223 | critical | 10.0 | 10.0 | 7d ago | A vulnerability in the access validation of internal REST APIs of Cisco Secure Workload could allow an unauthenticated, remote attacker to access site resources with the privileges of the S… | |
| CVE-2026-42960 | critical | 10.0 | 10.0 | 8d ago | NLnet Labs Unbound up to and including version 1.25.0 is vulnerable to poisoning via promiscuous records for the authority section. Promiscuous RRSets that complement DNS replies in the authority sec… | |
| CVE-2026-34234 | critical | 10.0 | 10.0 | 8d ago | CtrlPanel is open-source billing software for hosting providers. In versions 1.1.1 and prior, the web-based installer (public/installer/index.php) is vulnerable to unauthenticated Remote Code Executi… | |
| CVE-2026-43633 | critical | 10.0 | 10.0 | 8d ago | HestiaCP versions 1.9.0 through 1.9.4 contain a deserialization vulnerability in the web terminal component caused by a session format mismatch between PHP and Node.js that allows unauthenticated rem… | |
| CVE-2026-42822 | critical | 10.0 | 10.0 | 9d ago | Improper authentication in Azure Local Disconnected Operations allows an unauthorized attacker to elevate privileges over a network. | |
| CVE-2026-41553 | critical | 10.0 | 10.0 | 12d ago | PDF Export Module used in DHTMLX's products Gantt and Scheduler is vulnerable to Remote Code Execution due to lack of "data" parameter sanitization. An unauthenticated attacker can inject the malicio… | |
| CVE-2026-8398 | critical | 9.8 | 10.0 | 13d ago | Daemon Tools contains an unspecified vulnerability that has a high impact on confidentiality, integrity, and availability. | |
| CVE-2026-44523 | critical | 10.0 | 10.0 | 13d ago | Note Mark has a JWT Secret Weakness that allows Full Account Takeover via Token Forgery | |
| CVE-2026-20182 | critical | 10.0 | 10.0 | 13d ago | Cisco Catalyst SD-WAN Controller & Manager contain an authentication bypass vulnerability that allows an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges… | |
| CVE-2026-44006 | critical | 10.0 | 10.0 | 14d ago | vm2 has a Sandbox Escape Vulnerability | |
| CVE-2026-44005 | critical | 10.0 | 10.0 | 14d ago | vm2: Mutable Proxies for Host Intrinsic Prototypes Allows Sandbox Escape | |
| CVE-2026-43997 | critical | 10.0 | 10.0 | 14d ago | vm2 Access to Host Object Enables Sandbox Escape | |
| CVE-2026-42288 | critical | 10.0 | 10.0 | 15d ago | ChurchCRM is an open-source church management system. Prior to 7.3.2, The fix for CVE-2026-39337 is incomplete. The pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard … | |
| CVE-2026-45321 | critical | 9.6 | 10.0 | 16d ago | Malware in @tanstack/* packages exfiltrates cloud credentials, GitHub tokens, and SSH keys | |
| CVE-2026-42869 | critical | 10.0 | 10.0 | 16d ago | SOCFortress CoPilot focuses on providing a single pane of glass for all your security operations needs. Prior to 0.1.57, SOCFortress CoPilot ships a hardcoded JWT signing secret as a fallback value i… | |
| CVE-2026-44643 | critical | 10.0 | 10.0 | 16d ago | Angular Expressions - Remote Code Execution using filters | |
| CVE-2026-42298 | critical | 10.0 | 10.0 | 19d ago | Postiz is an AI social media scheduling tool. Prior to commit da44801, a "Pwn Request" vulnerability in the Build and Publish PR Docker Image workflow (.github/workflows/pr-docker-build.yml) allows a… | |
| CVE-2026-41070 | critical | 10.0 | 10.0 | 19d ago | openvpn-auth-oauth2 returns FUNC_SUCCESS on client-deny, allowing unauthenticated VPN access | |
| CVE-2026-42208 | critical | 9.8 | 10.0 | 20d ago | LiteLLM has SQL Injection in Proxy API key verification | |
| CVE-2026-35435 | critical | 10.0 | 10.0 | 20d ago | Improper access control in Azure AI Foundry M365 published agents allows an unauthorized attacker to elevate privileges over a network. | |
| CVE-2026-33587 | critical | 10.0 | 10.0 | 20d ago | Lack of user input sanitisation in Open Notebook v1.8.3 allows the application user to execute Python code (and subsequently OS commands) on the docker container via Server-Side Template Injection (S… | |
| CVE-2026-0300 | critical | 9.8 | 10.0 | 21d ago | Palo Alto Networks PAN-OS contains an out-of-bounds write vulnerability in the User-ID Authentication Portal (aka Captive Portal) service that can allow an unauthenticated attacker to execute arbitra… | |
| CVE-2026-42607 | critical | 9.1 | 10.0 | 22d ago | Grav Vulnerable to Remote Code Execution (RCE) via Malicious Plugin ZIP Upload in Direct Install Feature | |
| CVE-2026-7411 | critical | 10.0 | 10.0 | 22d ago | Eclipse BaSyx Java Server SDK vulnerable to Path Traversal | |
| CVE-2026-26332 | critical | 10.0 | 10.0 | 23d ago | VM2 Has a Sandbox Escape Issue via SuppressedError | |
| CVE-2026-42369 | critical | 10.0 | 10.0 | 24d ago | GV-VMS V20 is a Video Monitoring Software used to gather the feeds of many surveillance cameras and manage other security devices. It is a native application accessed locally, but it is also possible… | |
| CVE-2026-37541 | critical | 10.0 | 10.0 | 26d ago | Buffer overflow vulnerability in Open Vehicle Monitoring System 3 (OVMS3) 3.3.005. In canformat_gvret.cpp, the length field in GVRET binary data is not properly validated, allowing remote attackers t… | |
| CVE-2026-39858 | critical | 10.0 | 10.0 | 27d ago | Traefik: Pre-authentication decision bypass due to forwarded alias spoofing | |
| CVE-2026-35051 | critical | 10.0 | 10.0 | 27d ago | Traefik's ForwardAuth trustForwardHeader=false allows spoofed X-Forwarded-Prefix to bypass authentication | |
| CVE-2026-36767 | critical | 10.0 | 10.0 | 27d ago | Shopizer has a path traversal issue | |
| CVE-2026-41940 | critical | 9.8 | 10.0 | 28d ago | WebPros cPanel & WHM (WebHost Manager) and WP2 (WordPress Squared) contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized a… | |
| CVE-2026-33453 | critical | 10.0 | 10.0 | 1mo ago | Apache camel-coap allows header injection that can lead to remote code execution | |
| CVE-2026-42043 | critical | 10.0 | 10.0 | 1mo ago | Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0 | |
| CVE-2026-35431 | critical | 10.0 | 10.0 | 1mo ago | Server-side request forgery (ssrf) in Microsoft Entra ID Entitlement Management allows an unauthorized attacker to perform spoofing over a network. | |
| CVE-2026-26150 | critical | 10.0 | 10.0 | 1mo ago | Server-side request forgery (ssrf) in Microsoft Purview allows an unauthorized attacker to elevate privileges over a network. | |
| CVE-2026-41211 | critical | 10.0 | 10.0 | 1mo ago | Path traversal in vite-plus/binding downloadPackageManager() writes outside VP_HOME | |
| CVE-2026-41196 | critical | 10.0 | 10.0 | 1mo ago | Luanti (formerly Minetest) is an open source voxel game-creation platform. Starting in version 5.0.0 and prior to version 5.15.2, a malicious mod can trivially escape the sandboxed Lua environment to… | |
| CVE-2026-39907 | critical | 10.0 | 10.0 | 1mo ago | Unisys WebPerfect Image Suite versions 3.0.3960.22810 and 3.0.3960.22604 expose an unauthenticated WCF SOAP endpoint on TCP port 1208 that accepts unsanitized file paths in the ReadLicense action's L… | |
| CVE-2026-39906 | critical | 10.0 | 10.0 | 1mo ago | Unisys WebPerfect Image Suite versions 3.0.3960.22810 and 3.0.3960.22604 expose a deprecated .NET Remoting TCP channel that allows remote unauthenticated attackers to leak NTLMv2 machine-account hash… | |
| CVE-2026-34444 | critical | 10.0 | 10.0 | 2mo ago | Lupa has a Sandbox escape and RCE due to incomplete attribute_filter enforcement in getattr / setattr | |
| CVE-2026-4963 | critical | 10.0 | 10.0 | 2mo ago | Hugging Face Smolagents has an Injection issue | |
| CVE-2026-33017 | critical | 9.8 | 10.0 | 2mo ago | Langflow contains a code injection vulnerability that could allow building public flows without requiring authentication. | |
| CVE-2026-22557 | critical | 10.0 | 10.0 | 2mo ago | A malicious actor with access to the network could exploit a Path Traversal vulnerability found in the UniFi Network Application to access files on the underlying system that could be manipulated to … | |
| CVE-2026-24858 | critical | 9.8 | 10.0 | 4mo ago | Fortinet FortiAnalyzer, FortiManager, FortiOS, and FortiProxy contain an authentication bypass using an alternate path or channel that could allow an attacker with a FortiCloud account and a register… | |
| CVE-2026-45102 | critical | 9.9 | 9.9 | 3h ago | OneUptime is an open-source monitoring and observability platform. Prior to 10.0.98, OneUptime uses the Node.js' vm module as an isolation primitive. This API was not designed for that and can be esc… | |
| CVE-2026-46425 | critical | 9.9 | 9.9 | 5h ago | Budibase is an open-source low-code platform. Prior to 3.38.2, packages/worker/src/api/routes/global/scim.ts attaches only two middlewares to the SCIM router: requireSCIM (checks the Enterprise featu… | |
| CVE-2026-42757 | critical | 9.9 | 9.9 | 12h ago | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Saleswonder Team: Tobias WebinarIgnition webinar-ignition allows Path Traversal.This issue affects Webi… | |
| CVE-2026-42756 | critical | 9.9 | 9.9 | 12h ago | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Ludwig You QuickWebP – Compress / Optimize Images & Convert WebP | SEO Friendly quickwebp all… | |
| CVE-2026-42748 | critical | 9.9 | 9.9 | 12h ago | Unrestricted Upload of File with Dangerous Type vulnerability in WPify WPify Woo Czech wpify-woo allows Upload a Web Shell to a Web Server.This issue affects WPify Woo Czech: from n/a through <= 5.4.… | |
| CVE-2026-44450 | critical | 9.9 | 9.9 | 1d ago | Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the MCP server creation endpoint validates the command field against an allowlist of binary names but forwards the args array to the … | |
| CVE-2026-46624 | critical | 9.9 | 9.9 | 1d ago | Twenty is an open source CRM. From 1.7.7 through 1.16.7, a critical Remote Code Execution (RCE) vulnerability exists in Twenty CRM via a chained SQL Injection and PostgreSQL COPY TO PROGRAM attack. I… | |
| CVE-2026-7374 | critical | 9.9 | 9.9 | 1d ago | A flaw was found in KubeVirt's virt-handler component. This vulnerability allows an authenticated OpenShift user with edit permissions in a single namespace to exploit improper symlink validation whe… | |
| CVE-2026-4858 | critical | 9.9 | 9.9 | 7d ago | Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to check integration URL for path traversal which allows an malicious authenticated user to call an… | |
| CVE-2026-44050 | critical | 9.9 | 9.9 | 7d ago | A heap-based buffer overflow in the CNID daemon comm_rcv() function in Netatalk 2.0.0 through 4.4.2 allows a remote authenticated attacker to execute arbitrary code with escalated privileges or cause… | |
| CVE-2026-27130 | critical | 9.9 | 9.9 | 9d ago | Dokploy is a free, self-hostable Platform as a Service (PaaS). Versions 0.26.6 and below have OS command injection through the appName parameter. 3 chained issues cause this problem: inadequate input… | |
| CVE-2026-44774 | critical | 9.9 | 9.9 | 12d ago | Traefik: Gateway API TraefikService backend accepts rest@internal, allowing unauthorized exposure of the REST provider despite providers.rest.insecure=false | |
| CVE-2026-44442 | critical | 9.9 | 9.9 | 14d ago | ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 16.9.1, certain endpoints failed to enforce proper authorization checks, allowing users to modify data beyond their permi… | |
| CVE-2026-43999 | critical | 9.9 | 9.9 | 14d ago | vm2 has a NodeVM builtin allowlist bypass via `module` builtin's `Module._load` that allows sandbox escape | |
| CVE-2026-41050 | critical | 9.9 | 9.9 | 15d ago | Fleet: Helm impersonation bypass of `RESTClientGetter` retains `cluster-admin` during template rendering | |
| CVE-2026-44015 | critical | 9.9 | 9.9 | 15d ago | Nginx-UI has Server-Side Request Forgery (SSRF) via Cluster Proxy Middleware that Allows Access to Internal Services | |
| CVE-2026-43948 | critical | 9.9 | 9.9 | 15d ago | wger: cross-tenant password reset and plaintext disclosure via gym=None bypass | |
| CVE-2026-42898 | critical | 9.9 | 9.9 | 15d ago | Improper control of generation of code ('code injection') in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to execute code over a network. | |
| CVE-2026-42823 | critical | 9.9 | 9.9 | 15d ago | Improper access control in Azure Logic Apps allows an authorized attacker to elevate privileges over a network. | |
| CVE-2026-33821 | critical | 9.9 | 9.9 | 15d ago | Improper privilege management in Microsoft Dynamics 365 Customer Insights allows an authorized attacker to elevate privileges over a network. | |
| CVE-2026-42864 | critical | 9.9 | 9.9 | 16d ago | FireFighter has unauthenticated SSRF in its Raid jira_bot endpoint that allows IAM credential theft | |
| CVE-2026-42858 | critical | 9.9 | 9.9 | 16d ago | Open edX Platform enables the authoring and delivery of online learning at any scale. The sync_provider_data endpoint in SAMLProviderDataViewSet allows authenticated Enterprise Admin users to supply … | |
| CVE-2026-7813 | critical | 9.9 | 9.9 | 16d ago | pgAdmin 4 server mode has an authorization vulnerability affecting Server Groups, Servers, Shared Servers, Background Processes, and Debugger modules | |
| CVE-2026-42454 | critical | 9.9 | 9.9 | 19d ago | Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.1.0, all Docker container management endpoints in Termix interpolate t… | |
| CVE-2026-41512 | critical | 9.9 | 9.9 | 19d ago | ai-scanner is an AI model safety scanner built on NVIDIA garak. From version 1.0.0 to before version 1.4.1, there is a remote code execution vulnerability via JavaScript injection in `BrowserAutomati… | |
| CVE-2026-33109 | critical | 9.9 | 9.9 | 20d ago | Improper access control in Azure Managed Instance for Apache Cassandra allows an authorized attacker to execute code over a network. | |
| CVE-2026-42812 | critical | 9.9 | 9.9 | 23d ago | Apache Polaris has an Improper Input Validation issue | |
| CVE-2026-42811 | critical | 9.9 | 9.9 | 23d ago | Apache Polaris has an Improper Input Validation issue | |
| CVE-2026-42810 | critical | 9.9 | 9.9 | 23d ago | Apache Polaris has an Improper Input Validation Issue | |
| CVE-2026-42809 | critical | 9.9 | 9.9 | 23d ago | Apache Polaris has an Improper Input Validation Issue | |
| CVE-2026-42368 | critical | 9.9 | 9.9 | 24d ago | A privilege escalation vulnerability exists in the Web Interface functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted HTTP request can lead to execute priviledged operation. An attack… | |
| CVE-2026-30893 | critical | 9.9 | 9.9 | 28d ago | Wazuh is a free and open source platform used for threat prevention, detection, and response. From version 4.4.0 to before version 4.14.4, a path traversal vulnerability in Wazuh's cluster synchroniz… | |
| CVE-2026-40453 | critical | 9.9 | 9.9 | 1mo ago | Apache Camel has an incomplete fix for CVE-2025-27636 | |
| CVE-2026-41478 | critical | 9.9 | 9.9 | 1mo ago | Saltcorn: SQL Injection via Unparameterized Sync Endpoints (maxLoadedId) | |
| CVE-2026-21515 | critical | 9.9 | 9.9 | 1mo ago | Exposure of sensitive information to an unauthorized actor in Azure IOT Central allows an authorized attacker to elevate privileges over a network. | |
| CVE-2026-32621 | critical | 9.9 | 9.9 | 2mo ago | Apollo Federation vulnerable to prototype pollution via incomplete key sanitization | |
| CVE-2026-21708 | critical | 9.9 | 9.9 | 3mo ago | A vulnerability allowing a Backup Viewer to perform remote code execution (RCE) as the postgres user. | |
| CVE-2026-21669 | critical | 9.9 | 9.9 | 3mo ago | A vulnerability allowing an authenticated domain user to perform remote code execution (RCE) on the Backup Server. | |
| CVE-2026-8364 | critical | 9.8 | 9.8 | 2h ago | Gladinet Triofox Cloud Server Agent Access Service (GladServerAgentService.exe) listens on TCP port 7878 and processes remote HTTP messages with URL paths starting with /resources, /status, /sysinfo,… | |
| CVE-2026-8363 | critical | 9.8 | 9.8 | 2h ago | A stack-based buffer overflow condition exists in WOSDeviceDropFolder.dll when processing a long URL path starting with /resources: | |
| CVE-2026-8362 | critical | 9.8 | 9.8 | 2h ago | A stack-based buffer overflow condition exists in WOSDefaultHttpModule.dll when processing a long URL path starting with /woshome |