CVEs from 2026
Total: 13,321
Critical: 1,107
High: 3,936
Medium: 3,984
Low: 416
(The four severity bands sum to 9,443, so the remaining 3,878 entries, about 29% of the total, carry no severity rating; treat the band percentages below as shares of the full total, not of the rated subset.)
% Critical: 8.3%
% in CISA KEV catalog: 0.4%
% with public exploit: 0.5%
Top products
- chrome 299
- firepower_threat_defense 298
- firepower_threat_defense_software 295
- gcp 221
- openclaw 166
- commerce 104
- commerce_b2b 89
- magento 74
| CVE | Severity | CVSS | Risk | Published | Description | Impact |
|---|---|---|---|---|---|---|
| CVE-2026-48027 | critical | 9.8 | 10.0 | 1d ago | Nx Console is the user interface for Nx & Lerna. On 19 May 2026, a malicious version of Nx Console, 18.95.0, was published at 12:30 PM UTC and removed soon after at 12:48 PM UTC, leaving it available… | |
| CVE-2026-48172 | critical | 9.8 | 10.0 | 8d ago | LiteSpeed cPanel Plugin contains privilege escalation vulnerability that is exposed via the user-end cPanel plugin, which can be abused by any cPanel user account to execute arbitrary scripts with ro… | |
| CVE-2026-9082 | critical | 9.8 | 10.0 | 8d ago | Drupal Core contains a SQL injection vulnerability that could allow for privilege escalation and remote code execution via specially crafted requests sent with the database abstraction API. | |
| CVE-2026-8398 | critical | 9.8 | 10.0 | 13d ago | A supply chain attack compromised the official installation packages of DAEMON Tools Lite (Windows versions 12.5.0.2421 through 12.5.0.2434), distributed from the legitimate website daemon-tools.cc b… | |
| CVE-2026-20182 | critical | 10.0 | 10.0 | 14d ago | Cisco Catalyst SD-WAN Controller & Manager contain an authentication bypass vulnerability that allows an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges… | |
| CVE-2026-45321 | critical | 9.6 | 10.0 | 17d ago | On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/* packages were published to the npm registry. The publishes were authenticated via the legitimate … | |
| CVE-2026-42208 | critical | 9.8 | 10.0 | 21d ago | LiteLLM has SQL Injection in Proxy API key verification | |
| CVE-2026-0300 | critical | 9.8 | 10.0 | 22d ago | Palo Alto Networks PAN-OS contains an out-of-bounds write vulnerability in the User-ID Authentication Portal (aka Captive Portal) service that can allow an unauthenticated attacker to execute arbitra… | |
| CVE-2026-42607 | critical | 9.1 | 10.0 | 23d ago | Grav Vulnerable to Remote Code Execution (RCE) via Malicious Plugin ZIP Upload in Direct Install Feature | |
| CVE-2026-41940 | critical | 9.8 | 10.0 | 29d ago | WebPros cPanel & WHM (WebHost Manager) and WP2 (WordPress Squared) contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized a… | |
| CVE-2026-33017 | critical | 9.8 | 10.0 | 2mo ago | Langflow contains a code injection vulnerability that could allow building public flows without requiring authentication. | |
| CVE-2026-24858 | critical | 9.8 | 10.0 | 4mo ago | Fortinet FortiAnalyzer, FortiManager, FortiOS, and FortiProxy contain an authentication bypass using an alternate path or channel that could allow an attacker with a FortiCloud account and a register… | |
| CVE-2026-41091 | high | 7.8 | 9.3 | 8d ago | Microsoft Defender contains a link following vulnerability that allows an authorized attacker to elevate privileges locally. | |
| CVE-2026-31431 | high | 7.8 | 9.3 | 25d ago | In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-place This mostly reverts commit 72548b093ee3 except for the copying of the assoc… | |
| CVE-2026-45498 | high | 7.5 | 9.0 | 8d ago | Microsoft Defender Denial of Service Vulnerability | |
| CVE-2026-6973 | high | 7.2 | 8.7 | 21d ago | Ivanti Endpoint Manager Mobile (EPMM) contains an improper input validation vulnerability that allows a remotely authenticated user with administrative access to achieve remote code execution. | |
| CVE-2026-34926 | medium | 6.7 | 8.2 | 7d ago | Trend Micro Apex One (on-premise) contains a directory traversal vulnerability that could allow a pre-authenticated local attacker to modify a key table on the server to inject malicious code to depl… | |
| CVE-2026-32201 | medium | 6.5 | 8.0 | 2mo ago | Improper input validation in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network. | |
| CVE-2026-42897 | medium | 6.1 | 7.6 | 14d ago | Microsoft Exchange Server contains a cross-site scripting vulnerability during web page generation in Outlook Web Access and when certain interaction conditions are met, arbitrary JavaScript can be e… | |
| CVE-2026-32202 | medium | 4.3 | 5.8 | 1mo ago | Microsoft Windows Shell contains a protection mechanism failure vulnerability that allows an unauthorized attacker to perform spoofing over a network. | |
| CVE-2026-34197 | unknown | — | 1.5 | 2mo ago | Authenticated Apache ActiveMQ Broker and Apache ActiveMQ users could perform RCE via Jolokia MBeans | |
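A feed like the table above is only useful for triage if its labels are internally consistent: a "critical" label should sit in the CVSS 9.0–10.0 band, and rows with no score at all (such as the ActiveMQ entry) need to be surfaced rather than silently sorted to the bottom. The following script is an added example, not code from the page or from its data source. It parses rows in the page's own markdown table layout, maps each CVSS base score to its CVSS v3.x qualitative band (Low 0.1–3.9, Medium 4.0–6.9, High 7.0–8.9, Critical 9.0–10.0, as defined in the CVSS v3 specification), flags label/score disagreements and unscored rows, and recomputes the page's "% Critical" from the summary counts. The sample rows are copied from the table; the "Risk" column is carried through as an opaque number because the page does not define how it is computed.

```python
"""Consistency checks over a CVE feed table in the layout used on this page.

Added example, not the page's or the feed's own code. CVSS v3.x bands come
from the CVSS v3 specification; summary counts and sample rows are copied
from the page. The Risk column is undefined on the page and is kept opaque.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Summary counts copied from the page. The bands do not sum to TOTAL; the
# remainder has no severity rating.
TOTAL = 13_321
SEVERITY_COUNTS = {"critical": 1_107, "high": 3_936, "medium": 3_984, "low": 416}

# Constructed sample: four rows copied from the page's table, including the
# unscored ActiveMQ row (no trailing Impact cell) to exercise that path.
SAMPLE_TABLE = """\
| CVE | Severity | CVSS | Risk | Published | Description | Impact |
|---|---|---|---|---|---|---|
| CVE-2026-20182 | critical | 10.0 | 10.0 | 14d ago | Cisco Catalyst SD-WAN Controller & Manager contain an authentication bypass vulnerability | |
| CVE-2026-42607 | critical | 9.1 | 10.0 | 23d ago | Grav Vulnerable to Remote Code Execution (RCE) via Malicious Plugin ZIP Upload | |
| CVE-2026-32202 | medium | 4.3 | 5.8 | 1mo ago | Microsoft Windows Shell contains a protection mechanism failure vulnerability | |
| CVE-2026-34197 | unknown | — | 1.5 | 2mo ago | Authenticated Apache ActiveMQ Broker and Apache ActiveMQ users could perform RCE via Jolokia MBeans |
"""


@dataclass
class Row:
    cve: str
    severity: str          # label as printed on the page, lower-cased
    cvss: Optional[float]  # None when the feed shows a dash or blank
    risk: Optional[float]  # page-specific score, not interpreted here
    description: str


def cvss_band(score: float) -> str:
    """Map a CVSS v3.x base score to its qualitative severity rating."""
    if score == 0.0:
        return "none"
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    if score < 9.0:
        return "high"
    return "critical"


def _num(cell: str) -> Optional[float]:
    """Parse a numeric cell; anything else (e.g. an em dash) becomes None."""
    cell = cell.strip()
    return float(cell) if re.fullmatch(r"\d+(\.\d+)?", cell) else None


def parse_table(text: str) -> list[Row]:
    """Parse data rows of a markdown table whose first column is a CVE id."""
    rows = []
    for line in text.splitlines():
        if not line.startswith("| CVE-"):
            continue  # skip header, separator and anything else
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        cells += [""] * (7 - len(cells))  # tolerate a dropped trailing Impact cell
        cve, severity, cvss, risk, _published, description = cells[:6]
        rows.append(Row(cve, severity.lower(), _num(cvss), _num(risk), description))
    return rows


def check_rows(rows: list[Row]) -> dict[str, list[str]]:
    """Return CVE ids whose label disagrees with its CVSS band, and ids with no score."""
    findings: dict[str, list[str]] = {"mismatch": [], "unscored": []}
    for r in rows:
        if r.cvss is None:
            findings["unscored"].append(r.cve)
        elif cvss_band(r.cvss) != r.severity:
            findings["mismatch"].append(r.cve)
    return findings


def summarize(total: int, counts: dict[str, int]) -> dict[str, float]:
    """Recompute the page's '% Critical' and expose the unrated remainder."""
    rated = sum(counts.values())
    return {
        "pct_critical": round(100 * counts["critical"] / total, 1),
        "unrated": total - rated,
        "pct_unrated": round(100 * (total - rated) / total, 1),
    }


if __name__ == "__main__":
    print(check_rows(parse_table(SAMPLE_TABLE)))
    print(summarize(TOTAL, SEVERITY_COUNTS))
```

Run against the four sample rows it reports no label/score mismatches and one unscored entry (CVE-2026-34197), and the summary reproduces the page's 8.3% critical figure while showing that 3,878 of the 13,321 entries have no rating at all. The band boundaries deliberately use strict less-than comparisons so that 8.9 lands in High and 9.0 in Critical, matching the specification's inclusive upper bounds.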