CVEs from 2026
- Total 14,172
- critical 1,106
- high 3,898
- medium 3,930
- low 413
- % Critical 7.8%
- % with KEV 0.4%
- % with exploit 0.4%
Top products
- firepower_threat_defense 298
- chrome 298
- firepower_threat_defense_software 295
- gcp 221
- openclaw 166
- commerce 104
- commerce_b2b 89
- magento 74
| CVE | Severity | CVSS | Risk | Published | Description | Impact |
|---|---|---|---|---|---|---|
| CVE-2026-48027 | critical | 9.8 | 10.0 | 11h ago | Nx Console contains an embedded malicious code vulnerability that allowed a malicious version of Nx Console to be published. The compromised extension fetched an obfuscated payload that could harvest… | |
| CVE-2026-48172 | critical | 9.8 | 10.0 | 7d ago | LiteSpeed cPanel Plugin contains privilege escalation vulnerability that is exposed via the user-end cPanel plugin, which can be abused by any cPanel user account to execute arbitrary scripts with ro… | |
| CVE-2026-9082 | critical | 9.8 | 10.0 | 7d ago | Drupal Core contains a SQL injection vulnerability that could allow for privilege escalation and remote code execution via specially crafted requests sent with the database abstraction API. | |
| CVE-2026-8398 | critical | 9.8 | 10.0 | 13d ago | Daemon Tools contains an unspecified vulnerability that has a high impact on confidentiality, integrity, and availability. | |
| CVE-2026-20182 | critical | 10.0 | 10.0 | 13d ago | Cisco Catalyst SD-WAN Controller & Manager contain an authentication bypass vulnerability that allows an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges… | |
| CVE-2026-45321 | critical | 9.6 | 10.0 | 16d ago | Malware in @tanstack/* packages exfiltrates cloud credentials, GitHub tokens, and SSH keys | |
| CVE-2026-42208 | critical | 9.8 | 10.0 | 20d ago | LiteLLM has SQL Injection in Proxy API key verification | |
| CVE-2026-0300 | critical | 9.8 | 10.0 | 21d ago | Palo Alto Networks PAN-OS contains an out-of-bounds write vulnerability in the User-ID Authentication Portal (aka Captive Portal) service that can allow an unauthenticated attacker to execute arbitra… | |
| CVE-2026-41940 | critical | 9.8 | 10.0 | 28d ago | WebPros cPanel & WHM (WebHost Manager) and WP2 (WordPress Squared) contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized a… | |
| CVE-2026-33017 | critical | 9.8 | 10.0 | 2mo ago | Langflow contains a code injection vulnerability that could allow building public flows without requiring authentication. | |
| CVE-2026-24858 | critical | 9.8 | 10.0 | 4mo ago | Fortinet FortiAnalyzer, FortiManager, FortiOS, and FortiProxy contain an authentication bypass using an alternate path or channel that could allow an attacker with a FortiCloud account and a register… | |