CVEs from 2026

13,307 normalized CVEs published or assigned in this year.

Total

13,307

critical

critical 1,106

high

high 3,925

medium

medium 3,978

low

low 415

% Critical

8.3%

% with KEV

0.4%

% with exploit

0.5%

Top vendors

cisco 657
google 520
adobe 332
microsoft 303
openclaw 167
apache 129
mozilla 107
tanstack 84

Top products

chrome 299
firepower_threat_defense 298
firepower_threat_defense_software 295
gcp 221
openclaw 166
commerce 104
commerce_b2b 89
magento 74

Top packages

npm/openclaw 407
npm/parse-server 141
Packagist/wwbn/avideo 129
NPM/openclaw 129
npm/n8n 120
Go/github.com/mattermost/mattermost-server 103
Packagist/symfony/symfony 94
NuGet/Magick.NET-Q16-HDRI-AnyCPU 86

critical high medium low unknown

0

KEV Has exploit

CVE	Severity	CVSS	Risk	Published	Description	Impact
CVE-2026-41091	high	7.8	9.3	8d ago	Microsoft Defender contains a link following vulnerability that allows an authorized attacker to elevate privileges locally.
CVE-2026-31431	high	7.8	9.3	25d ago	In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-place This mostly reverts commit 72548b093ee3 except for the copying of the assoc…	+3
CVE-2026-45498	high	7.5	9.0	8d ago	Microsoft Defender Denial of Service Vulnerability
CVE-2026-6973	high	7.2	8.7	21d ago	Ivanti Endpoint Manager Mobile (EPMM) contains an improper input validation vulnerability that allows a remotely authenticated user with administrative access to achieve remote code execution.
CVE-2026-34926	medium	6.7	8.2	7d ago	Trend Micro Apex One (on-premise) contains a directory traversal vulnerability that could allow a pre-authenticated local attacker to modify a key table on the server to inject malicious code to depl…
CVE-2026-32201	medium	6.5	8.0	2mo ago	Improper input validation in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network.
CVE-2026-42897	medium	6.1	7.6	14d ago	Microsoft Exchange Server contains a cross-site scripting vulnerability during web page generation in Outlook Web Access and when certain interaction conditions are met, arbitrary JavaScript can be e…
CVE-2026-32202	medium	4.3	5.8	1mo ago	Microsoft Windows Shell contains a protection mechanism failure vulnerability that allows an unauthorized attacker to perform spoofing over a network.
CVE-2026-34197	unknown	—	1.5	2mo ago	Authenticated Apache ActiveMQ Broker and Apache ActiveMQ users could perform RCE via Jolokia MBeans